Veritas Media Server Encryption Option…

So the biggest problem with Veritas is that their client-side encryption option, which is the standard deployment, negates the use of Veritas Bare-Metal-Restore (BMR).

For those who aren’t Veritas geeks like me, BMR is the handy-dandy application that allows you to rebuild a server from scratch using only a floppy (or bootable CD) with little or no input.  All of the particulars of a server are captured when it is backed up.  Drivers, hardware, IP settings, hostname, etc.  You then build a BMR boot disk for that server.  When it crashes and you have to replace it, you boot from the boot disk and it takes all the settings and builds a new server from the last backup from absolute scratch.

I’ve seen it work, it’s a miracle in the making.

However, if you’re using the Veritas client-side encryption, the key is managed by the client server.  And for some reason, this key is not included in the BMR boot disk that is generated by the BMR boot server.  This means that while it can start to rebuild the environment, it can’t restore the last backup because it can’t decrypt it.

I’ve been looking at options, such as Decru’s Data-Fort inline FC encryption engine, as well as some of the options from Neoscale.

Both would have done the job nicely, however the prices quoted made selling these options up the river to those with the three-letter-initials painful.

Now I find that Veritas has a recently released MSEO, or Media-Server-Encryption-Option.   Since the encryption is done at the media server, the BMR incompatibility is done away with, and lo and behold, everything works as advertised.  The only real down-side I think I can come up with is the increase in host-overhead on the media server, which means I may have to increase the number of media servers in the environment, which of course makes Veritas more expensive.

I’ve not gotten the quote on this, but I’m assuming it’s going to be less than the almost $50K some of the other options have come to.  I’ll let you know.



    • on April 18, 2007 at 1:59 am

    Something you might be interested in – the next release of modules from Cisco for the 9500 MDS directors includes an 18FC + 4GbE module, with a 10 Gbps hardware encrypter. This will allow FC data to be encrypted and decrypted on the fly as it’s being written to or read from a tape or storage array.

    Functionally similar to a Decru Datafort but it’ll be usable through any of the Cisco’s ports, rather than the max 10 ports on a Decru. Hopefully, it’ll also be a bit cheaper.

  1. I’ve thought about that – however I couldn’t convince my upper management that a 95xx series was the way to go on the latest upgrade, and instead we only bought another pair of 48 port 9216a’s.

    Kind of throws that inline encryption option out the window.

  2. LOL – I’ve been going through the install documentation for the MSEO – let’s just say it’s not a simple install. Lots of XML editing.

    • on October 14, 2008 at 10:37 am

    Hey: have you done some benchmarking around MSEO – please advise if you noticed an increase in CPU utilization rates and backup and restore times.

    There is very limited information available in this regard


  3. Nah – didn’t get a chance to do any performance numbers, the company I worked for who bought it failed to implement it before they folded.

    In fact – the funny part is, they failed to break the seal on the packaging before they folded.
