HOWTO confirm tape drive supports T10 Encryption (Security Protocol In & Security Protocol Out)

Article:HOWTO56305  |  Created: 2011-07-30  |  Updated: 2012-08-13  |  Article URL http://www.symantec.com/docs/HOWTO56305
Article Type
How To



This is one of three related articles.

TECH87444: Media being frozen when using NetBackup Key Management Service (KMS). The following two HOWTOs expand on further testing if you find yourself in this situation.

HOWTO56305 (this document) is 'Confirming your tape drive responds correctly to the SCSI T10 Encryption'

HOWTO56306 expands on HOWTO56305 to confirm the loaded tape also supports encrypted data.

 

There are various tools that can be used to query for the Security Protocol In data, but this document will stick with two.

  • Inbuilt NetBackup command ..../volmgr/bin/scsi_command - (support introduced in NetBackup 7.5 for Windows)
  • The 3rd party "sg3 utils" package - Available for Linux and Windows (http://sg.danny.cz/sg/sg3_utils.html)

Using the 'scsi_command' in the /usr/openv/volmgr/bin directory, a 'Security Protocol In' command can be sent to the drive.

Encryption support can be confirmed from the returned results.

Example of an IBM LTO-4 drive which does NOT support Encryption:

- Mount a tape (In this example media id 000022, density 'hcart')

# tpreq -m 000022 -d hcart -p NetBackup -f /tmp/fred

- Now query device for Security Protocol In support

# scsi_command -d /tmp/fred -spi
IBM     ULT3580-TD4     8192

Supported security protocol list:
  0x00

Security Protocol In command failed
status 2h, key 5h, ASC 24h, ASCQ 0h
sense 0x05, asc 0x24, ascq 0x00 occured
 

- Unmount the tape

# tpunmount /tmp/fred    

  ---------------------------------------

This example has the 'sg3 utils' package extracted into the c:\drivers\sg3_utils directory.

A tape is mounted into the drive accessed via \\.\Tape5 using robtest.

This SCSI command is the 'raw' Security Protocol IN querying for supported pages.

The returned data (received 9 bytes) is decoded as:

  • First 6 bytes are reserved and set to '0', e.g. 00 00 00 00 00 00
  • The next two bytes "00 01" indicate the length (number) of pages.
  • The next two bytes "00" indicates this target supports page '00h'

C:\drivers\sg3_utils>sg_raw -r 44 \\.\Tape5 a2 00 00 00 00 00 00 01 00 00 00
SCSI Status: Good

Sense Information:
sense buffer empty

Received 9 bytes of data:
 00     00 00 00 00 00 00 00 01  00                         .........

For a tape drive to support Security Protocol IN / OUT, this command needs to report support for page 20h, for example:

C:\drivers\sg3_utils>sg_raw -r 44 \\.\Tape3 a2 00 00 00 00 00 00 01 00 00 00
SCSI Status: Good

Sense Information:
sense buffer empty

Received 10 bytes of data:
 00     00 00 00 00 00 00 00 02  00 20                      .........
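
The check above can be scripted when many drives have to be verified. The following Python is an added example, not part of the original article or of the sg3 utils package; the function names are hypothetical and the two dumps are re-typed from the sg_raw output above as sample input.

```python
import re

# Constructed sample input: the two sg_raw dumps above, re-typed as text.
DUMP_TAPE5 = """Received 9 bytes of data:
 00     00 00 00 00 00 00 00 01  00                         .........
"""
DUMP_TAPE3 = """Received 10 bytes of data:
 00     00 00 00 00 00 00 00 02  00 20                      .........
"""
TAPE_DATA_ENCRYPTION = 0x20  # the value the article says must be reported

# One dump row: offset, gap, then at most 16 hex bytes (ASCII column ignored).
ROW = re.compile(r"\s*[0-9a-fA-F]+\s{2,}((?:[0-9a-fA-F]{2}\s{1,2}){1,16})")


def dump_to_bytes(text):
    """Rebuild the returned data from sg_raw's hex dump and check its size."""
    header = re.search(r"Received (\d+) bytes of data:", text)
    if header is None:
        raise ValueError("no 'Received N bytes of data' header")
    data = bytearray()
    for line in text[header.end():].splitlines():
        row = ROW.match(line)
        if row:
            data += bytes.fromhex(row.group(1))
    if len(data) != int(header.group(1)):
        raise ValueError("dump does not contain the advertised byte count")
    return bytes(data)


def supported_list(data):
    """Bytes 0-5 reserved, bytes 6-7 big-endian list length, then the list."""
    if len(data) < 8:
        raise ValueError("response shorter than the 8-byte header")
    count = int.from_bytes(data[6:8], "big")
    entries = data[8:8 + count]
    if len(entries) != count:
        raise ValueError("list truncated: header claims %d entries" % count)
    return list(entries)


def supports_t10_encryption(text):
    return TAPE_DATA_ENCRYPTION in supported_list(dump_to_bytes(text))


if __name__ == "__main__":
    for name, dump in (("Tape5", DUMP_TAPE5), ("Tape3", DUMP_TAPE3)):
        print(name, "reports 0x20:", supports_t10_encryption(dump))
```

A truncated list raises an error instead of being read as "0x20 not supported", so a transfer length that is too small is not mistaken for a drive without encryption support.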

  ---------------------------------------

Example of an HP LTO-4 drive which does NOT support Encryption:

(Note: This example is from a customer's environment and further details are unknown) 

# /usr/openv/volmgr/bin/scsi_command -d /dev/rmt/3cbn -spi
HP Ultrium 4-SCSI H5AS

Security Protocol In command failed
status 2h, key 5h, ASC 24h, ASCQ 0h
sense 0x05, asc 0x24, ascq 0x00 occured
 

  ---------------------------------------

An example of a tape drive that supports Encryption:

- Mount a tape (In this example media id SYM021, density 'hcart')

# tpreq -m SYM021 -p NetBackup -d hcart -f /tmp/fred

- Now query device for Security Protocol In support

# scsi_command -d /tmp/fred -spi
STK     T10000B         550V

Supported security protocol list:
  0x00
  0x20

Tape Data Encryption Out Support page (0x0001, length 6)
  Page 0x0010

Data Encryption Capabilities page (0x0010, length 44)
  EXTDEC 0, CFG_P 1
  Algorithm Index 0x01
  Decrypt 2, Encrypt 2, Nonce 1
  AVFCLP 0, DKAD_C 1, RDMC_C 1
  AVFMV
  MAC_C
  DED_C
  EAREM
  Max UNAUTH Key-associtated data 30 (bytes)
  Max AUTH Key-associtated data 0 (bytes)
  Key size 32 (bytes)
  Security Algorithm Code 0x80010010

Supported Key Formats page (0x0011, length 6)
  0x00
  0x00

Data Encryption Management Capabilities page (0x0012, length 16)
  LOCK_C
  CKOD_C
  CKORP_C
  CKORL_C
  AITN_C
  LOCAL_C
  PUBLIC_C

Data Encryption Status page (0x0020, length 36)
  I_T Nexus Scope 1, Key Scope 1
  Encryption Mode 0x0, Decryption Mode 0x0
  Algorithm Index 0x1
  Key Instance Counter 0x5
  Parameters Control 0, CEEMS 0
Key-associated data descriptors list:
  ba 10 00 1e 00 00 00 20 43 00 00 00 00 00 00 00

Next Block Encryption Status page (0x0021, length 16)
  Logical Object Number 0x00000000 00000000
  Compression Status 0x0, Encryption Status 0x3
  Algorithm Index 0x1

- Unmount the tape

# tpunmount /tmp/fred

An example of a tape drive that does NOT support Encryption:

The IBM documentation "Setup, Operator, and Service Guide" for Model T1600P (and TS2340) states:

"IBM System Storage TS2340 Tape Drive supports host Application Managed Encryption (AME), using T10 encryption methods, for SAS drives only. Encryption is not supported on the Ultra160 SCSI drive. Data encryption is supported with LTO Ultrium 4 Data Cartridges only."

This can be confirmed using 'sg_modes' and examining byte 7 (bit 0 & bit 3) of the returned data.

Confirm byte 7 bit 0 (Encr_C) is '0' which indicates that the hardware does not
support encryption (Encryption Capable).

Confirm byte 7 bit 3 (Encr_E) is '0' which indicates that encryption is not
enabled in the drive (Encryption Enabled).

c:\Temp\sg_util>sg_modes --page=0x24 tape0
    IBM       ULTRIUM-TD4       82F0   peripheral_type: tape [0x1]
Mode parameter header from MODE SENSE(10):
  Mode data length=24, medium type=0x48, specific param=0x10, longlba=0
  Block descriptor length=8
> General mode parameter block descriptors:
   Density code=0x46
00     46 00 00 00 00 00 00 00

>> page_code: 0x24, page_control: current
00     24 06 00 07 00 00 00 00
                            ^^ Byte 7
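
The byte 7 check can be automated in the same way. The following Python is an added example, not part of the original article or of sg3 utils; the function names are hypothetical, the first sample is re-typed from the sg_modes output above, and the second sample is a constructed variant with both bits set.

```python
import re

# Constructed sample input: the page 0x24 lines of the sg_modes output above.
SG_MODES_TD4 = """>> page_code: 0x24, page_control: current
00     24 06 00 07 00 00 00 00
                            ^^ Byte 7
"""
# Constructed variant, not from the article: byte 7 = 0x09 (bits 0 and 3 set).
SG_MODES_VARIANT = """>> page_code: 0x24, page_control: current
00     24 06 00 07 00 00 00 09
"""
ENCR_C = 0x01  # byte 7 bit 0: Encryption Capable
ENCR_E = 0x08  # byte 7 bit 3: Encryption Enabled
HEX_ROW = re.compile(r"\s*[0-9a-fA-F]{2,}\s+((?:[0-9a-fA-F]{2}\s*)+)")


def page_24_bytes(text):
    """Collect the hex rows that follow the '>> page_code: 0x24' marker."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.startswith(">> page_code: 0x24")]
    if not starts:
        raise ValueError("mode page 0x24 not present in the output")
    data = bytearray()
    for line in lines[starts[0] + 1:]:
        row = HEX_ROW.fullmatch(line)
        if row is None:
            break  # annotation, blank line or next section ends the page
        data += bytes.fromhex(row.group(1))
    return bytes(data)


def encryption_flags(text):
    """Return (Encr_C, Encr_E) as booleans, per the byte 7 layout above."""
    page = page_24_bytes(text)
    if len(page) < 8 or page[0] & 0x3F != 0x24:
        raise ValueError("short or unexpected mode page data")
    if page[1] != len(page) - 2:
        raise ValueError("page length byte disagrees with the data returned")
    return bool(page[7] & ENCR_C), bool(page[7] & ENCR_E)


if __name__ == "__main__":
    print("TD4 (Encr_C, Encr_E):", encryption_flags(SG_MODES_TD4))
```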


