Encryption? Hardware or Software?

I’m investigating Encryption options and have come to the conclusion that there are simply too many options to be had and that I should just go to sleep and try and pick it up tomorrow.


Right now we’re using the Veritas Encryption licence, which of course runs as a part of the NetBackup client and encrypts data before it’s sent out over the network.  The server then takes the encrypted data and writes it directly to the backup image.  (In our case, disk)

I’m looking at the type of in-line encryption engines to go between the media server and the tape libraries, since the primary purpose of encrypting the data is to protect the off-site tapes.

Decru (www.decru.com) is a Network Appliance company.  They makes one that is highly regarded, that is supposed to work at near line-speed.

I’m looking for a little dialog on pluses and minuses of both. 

I’ve always been so focused on the SAN, that I don’t get to play with the network end of things. 

 I’ve used/implemented the Cisco encryption engines for RDF/Ethernet with moderate success replciating from New Orleans to Philidelphia.  (A DR implementation that was put to a highly successful test three short months later)  But the issue is, that I’ve always been the one who has had to deal with what someone else bought, and have never been involved in the purchase decision.


Skip to comment form

    • on September 13, 2006 at 8:09 am
    • Reply

    May want to look at Neoscale.. they have an in-line tape encryption device that seems to work pretty well. Basically its a box with target ports and initiator ports — you plug them all into the SAN, zone your media server to the target ports, and zone the initiator ports to your tape devices. Then you can enable/disable encryption with Netbackup policies.

    They also have a disk encryption device, which sits physically in-line between the array target port and the fabric. You enable/disable encryption at the LUN level.

    There is little to no performance impact for either the tape or disk encryption units. Both of those devices are for data at rest encryption though.. no encryption in transit.

    That’s about the extent of my knowledge with the Neoscale stuff.. 😉

    • Jesse on September 13, 2006 at 11:05 am
    • Reply

    I think we’re most concerned about the tape encryption. Being a financial institution, sending data off-site, even to a storage vault, gives people shivers. Especiallly with all the media coverage agencies have gotten in the past few months.

    Thanks for the input. I’ll post our decision when the time comes. 🙂

    • on September 13, 2006 at 1:27 pm
    • Reply

    I tend to agree with scummins about the NeoScale devices, I havent really seen one in action but I have friends who have implemented them with great success, and from my own research, they seem to be the best thing out there as far as an inline device. You can order as many smart cards as you want, and send one of those off-site as well, in case of a total disaster.

    IBM and Sun (StorageTek) both have high-end drives that can perform the encryption on the drive, I dont know too much about it, but I do know that the T10000 drive from Sun can really perform also (160MB/s) I believe.

    PS.. Did scummins serve in Baghdad recently?

  1. Definatley good information –

    I’ve always been a proponent of hardware over software for sheer performance. Just as you don’t ever want to use software mirroring of disk devices if you can avoid it.

    • on September 13, 2006 at 4:12 pm
    • Reply

    I do work in the Federal space, but I’ve never actually been enlisted, and I’ve never been to Iraq…

    Must be thinking of someone else 😉

Leave a Reply

Your email address will not be published.