I want to enable encryption on all of my backup tapes. I more-or-less know how to do this technically, but the procedural and human elements of implementing this are tricky.
I use HP LTO4 drives with bacula, which doesn't have any key-management features. In fact, its support for hardware encryption is to call an external script which sets the key on the drive before reading and writing.
My questions:
- How should I keep track of which tapes have encryption? I already have a few hundred tapes without encryption. Even if I take the time to rewrite them all with encryption, there will be months of overlap where some have it and some don't. How will bacula know whether to set the key before reading a given tape? Is the drive smart enough to read unencrypted tapes even when a key is set?
- If the key is ever compromised, we'll have to change it and we'll have the same problem as #1.
- If the key is lost, we've effectively lost all of our backups. How can I mitigate this without increasing the risk that it is compromised?
- Should the key change regularly? Once per year? What is the best practice?
- How do the big ISV backup systems handle these issues?
Best Answer
Very good questions. I too would like to see good answers from people who know more about this than I do. :-)
Precisely, which is why many or most people don't use encrypted backups.
One possible way to go is to build a couple of "lifeboats", i.e. packages with install media, usernames and passwords for essential systems like backups, Active Directory and others (i.e. the stuff you need to load a backup if the main site has been completely destroyed in a fire, but not the backup data itself). You should store these lifeboats securely off site, for example in a bank vault, or in a high-security safe in a remote office with an alarm system. And lastly document this, so that others can figure out how to use the lifeboats after you've left the company, if needed.
From a practical point of view, I would say to not change the keys, since it quickly becomes unmanageable if you do. If you're worried about backup security not being good enough, then beef up physical security around your tapes, by using a service such as Iron Mountain, or by building a storage system with good physical security yourself.
Lastly: I would prefer to have all encryption & backup handling in one system, so there is less risk of recovery not working. By this I mean to use the built-in encryption in software like Retrospect or Backup Exec, rather than drive-level encryption.