HOWTO confirm tape drive supports T10 Encryption (Security Protocol In & Security Protocol Out)
Article: HOWTO56305 | Created: 2011-07-30 | Updated: 2012-08-13 | Article URL: http://www.symantec.com/docs/HOWTO56305
This is one of three related articles.
TECH87444: Media being frozen when using NetBackup Key Management Service (KMS). The following two HOWTOs expand on further testing if you find yourself in this situation.
HOWTO56305 (this document) is 'Confirming your tape drive responds correctly to the SCSI T10 Encryption'
HOWTO56306 expands on HOWTO56305 to confirm the loaded tape also supports encrypted data.
There are various tools that can be used to query for the Security Protocol In data, but this document will stick with two.
- Inbuilt NetBackup command ..../volmgr/bin/scsi_command - (support introduced in NetBackup 7.5 for Windows)
- The 3rd party "sg3 utils" package - Available for Linux and Windows (http://sg.danny.cz/sg/sg3_utils.html)
Using the 'scsi_command' in the /usr/openv/volmgr/bin directory, a 'Security Protocol In' command can be sent to the drive.
Whether the drive supports encryption can be determined from the returned results.
Example of an IBM LTO-4 drive which does NOT support Encryption:
- Mount a tape (In this example media id 000022, density 'hcart')
# tpreq -m 000022 -d hcart -p NetBackup -f /tmp/fred
- Now query device for Security Protocol In support
# scsi_command -d /tmp/fred -spi
IBM ULT3580-TD4 8192
Supported security protocol list:
0x00
Security Protocol In command failed
status 2h, key 5h, ASC 24h, ASCQ 0h
sense 0x05, asc 0x24, ascq 0x00 occured
- Unmount the tape
# tpunmount /tmp/fred
---------------------------------------
This example has the 'sg3 utils' package extracted into c:\drivers\sg3_utils directory.
A tape is mounted into the drive accessed via \\.\Tape5 using robtest.
This SCSI command is the 'raw' Security Protocol IN, querying for supported pages.
The returned data (received 9 bytes) is decoded as:
- The first 6 bytes are reserved and set to '0', e.g. 00 00 00 00 00 00
- The next two bytes "00 01" indicate the length (number) of pages.
- The final byte "00" indicates this target supports page '00h'
C:\drivers\sg3_utils>sg_raw -r 44 \\.\Tape5 a2 00 00 00 00 00 00 01 00 00 00
SCSI Status: Good
Sense Information:
sense buffer empty
Received 9 bytes of data:
00 00 00 00 00 00 00 00 01 00 .........
For a tape drive to support Security Protocol IN / OUT, this command needs to report support for page 20h, e.g.
C:\drivers\sg3_utils>sg_raw -r 44 \\.\Tape3 a2 00 00 00 00 00 00 01 00 00 00
SCSI Status: Good
Sense Information:
sense buffer empty
Received 10 bytes of data:
00 00 00 00 00 00 00 00 02 00 20 .........
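The decoding described above can be automated when many drives have to be checked. The following Python sketch is an added example, not part of the original article, NetBackup or sg3_utils; the function names are hypothetical, and the two hex dumps are constructed to follow the 9-byte and 10-byte layouts described above.

```python
import struct

T10_TAPE_ENCRYPTION = 0x20  # value the article says the drive must report

# Constructed sample dumps (hex bytes followed by an ASCII column),
# following the 9-byte and 10-byte layouts described in the article.
DUMP_WITHOUT_20H = "00 00 00 00 00 00 00 01 00    ........."
DUMP_WITH_20H = "00 00 00 00 00 00 00 02 00 20    ........."

def from_hex_dump(line):
    """Collect the leading two-digit hex tokens; stop at the ASCII column."""
    out = bytearray()
    for tok in line.split():
        if len(tok) != 2:
            break
        try:
            out.append(int(tok, 16))
        except ValueError:
            break
    return bytes(out)

def parse_supported_list(data):
    """6 reserved bytes, a 2-byte big-endian length, then one byte per entry."""
    if len(data) < 8:
        raise ValueError("response too short: %d bytes" % len(data))
    (length,) = struct.unpack_from(">H", data, 6)
    entries = data[8:8 + length]
    if len(entries) != length:
        # The drive (or the -r buffer size) returned fewer bytes than announced.
        raise ValueError("list truncated: header says %d, got %d"
                         % (length, len(entries)))
    return list(entries)

def supports_t10_encryption(data):
    """True only when 20h appears in the returned list."""
    return T10_TAPE_ENCRYPTION in parse_supported_list(data)

if __name__ == "__main__":
    for name, dump in (("without 20h", DUMP_WITHOUT_20H),
                       ("with 20h", DUMP_WITH_20H)):
        raw = from_hex_dump(dump)
        pages = ", ".join("%02Xh" % p for p in parse_supported_list(raw))
        print("%s: %d bytes, supported: %s, T10 encryption: %s"
              % (name, len(raw), pages, supports_t10_encryption(raw)))
```

A truncated response raises an error rather than being reported as "no encryption support", so a short read is not mistaken for a drive limitation.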
---------------------------------------
Example of a HP LTO-4 drive which does NOT support Encryption:
(Note: This example is from a customer's environment and further details are unknown)
# /usr/openv/volmgr/bin/scsi_command -d /dev/rmt/3cbn -spi
HP Ultrium 4-SCSI H5AS
Security Protocol In command failed
status 2h, key 5h, ASC 24h, ASCQ 0h
sense 0x05, asc 0x24, ascq 0x00 occured
---------------------------------------
An example of a tape drive that supports Encryption:
- Mount a tape (In this example media id SYM021, density 'hcart')
# tpreq -m SYM021 -p NetBackup -d hcart -f /tmp/fred
- Now query device for Security Protocol In support
# scsi_command -d /tmp/fred -spi
STK T10000B 550V
Supported security protocol list:
0x00
0x20
Tape Data Encryption Out Support page (0x0001, length 6)
Page 0x0010
Data Encryption Capabilities page (0x0010, length 44)
EXTDEC 0, CFG_P 1
Algorithm Index 0x01
Decrypt 2, Encrypt 2, Nonce 1
AVFCLP 0, DKAD_C 1, RDMC_C 1
AVFMV
MAC_C
DED_C
EAREM
Max UNAUTH Key-associtated data 30 (bytes)
Max AUTH Key-associtated data 0 (bytes)
Key size 32 (bytes)
Security Algorithm Code 0x80010010
Supported Key Formats page (0x0011, length 6)
0x00
0x00
Data Encryption Management Capabilities page (0x0012, length 16)
LOCK_C
CKOD_C
CKORP_C
CKORL_C
AITN_C
LOCAL_C
PUBLIC_C
Data Encryption Status page (0x0020, length 36)
I_T Nexus Scope 1, Key Scope 1
Encryption Mode 0x0, Decryption Mode 0x0
Algorithm Index 0x1
Key Instance Counter 0x5
Parameters Control 0, CEEMS 0
Key-associated data descriptors list:
ba 10 00 1e 00 00 00 20 43 00 00 00 00 00 00 00
Next Block Encryption Status page (0x0021, length 16)
Logical Object Number 0x00000000 00000000
Compression Status 0x0, Encryption Status 0x3
Algorithm Index 0x1
- Unmount the tape
# tpunmount /tmp/fred
An example of a tape drive that DOES NOT support Encryption:
The IBM documentation "Setup, Operator, and Service Guide" for Model T1600P and for TS2340 both state:
"IBM System Storage TS2340 Tape Drive supports host Application Managed Encryption (AME), using T10 encryption methods, for SAS drives only. Encryption is not supported on the Ultra160 SCSI drive. Data encryption is supported with LTO Ultrium 4 Data Cartridges only."
This can be confirmed using 'sg_modes' and examining byte 7 (bit 0 and bit 3) of the returned data.
Confirm byte 7 bit 0 (Encr_C, Encryption Capable) is '0', which indicates that the hardware does not support encryption.
Confirm byte 7 bit 3 (Encr_E, Encryption Enabled) is '0', which indicates that encryption is not enabled in the drive.
c:\Temp\sg_util>sg_modes --page=0x24 tape0
IBM ULTRIUM-TD4 82F0 peripheral_type: tape [0x1]
Mode parameter header from MODE SENSE(10):
Mode data length=24, medium type=0x48, specific param=0x10, longlba=0
Block descriptor length=8
> General mode parameter block descriptors:
Density code=0x46
00 46 00 00 00 00 00 00 00
>> page_code: 0x24, page_control: current
00 24 06 00 07 00 00 00 00
^^ Byte 7
|
|