Status 85 restoring from a KMS encrypted backup
Article: TECH204085 | Created: 2013-03-20 | Updated: 2013-09-30 | Article URL: http://www.symantec.com/docs/TECH204085
When performing a restore of a backup image that was encrypted using KMS (tape drive performed the encryption), no encryption key is retrieved from the KMS service and the data cannot be read from the tape.
The restore job fails with status 85. A status 2830 has also been observed.
In the BPTM log for a failed restore, we note the following:
09:53:38.963  <2> io_position_for_read: positioning 001440 to file number 99
09:53:38.963  <2> io_position_for_read: locating to absolute block number 1900480
09:54:45.495  <2> io_position_for_read: locate block is done
09:54:45.495  <2> io_read_back_header: drive index 1, reading backup header
09:54:45.586  <2> io_ioctl: command (3)MTFSR 3 0x0 from (bptm.c.6843) on drive index 1
09:54:45.605  <2> io_position_for_read: successfully positioned 001440 to file number 99, mpx_header = 4
09:54:45.607  <2> establish_decryption_key: next block encryption status: LON 0x00000000001cffc4, algorithm index 1, encryption status 0x3
In the excerpt above, the “next block encryption status” returned by the tape drive is 0x3, which indicates the data is clear text.
Because of this, NetBackup never retrieves an encryption key or puts the drive into encryption mode, so the restore fails when it tries to read data from the tape.
A successful restore would show the tape drive returning 0x6, which indicates that the data is encrypted; NetBackup then retrieves a key from the KMS service, registers it with the tape drive, and the restore completes successfully.
This issue has been observed in environments that have IBM Ultrium tape drives with the following firmware releases:
Ultrium-4: B710, C7Q2 and C7Q4
Note that this list is not all-inclusive, and other firmware series may show this issue. Please compare activity against the BPTM log entry above and contact the hardware vendor for assistance.
This issue occurs because defective tape drive firmware returns an incorrect encryption status code during the restore process.
The tape drive is telling NetBackup that the data to be restored is not encrypted, when in fact it is.
There is no solution at the time of this writing. The hardware vendors involved with these cases are currently working with IBM to debug the firmware and release a corrected version.
As a workaround, customers have back-revved their tape drives to an older version of firmware and were able to complete their restores.
The following Ultrium-4 firmware versions have been proven to work correctly with these restores: A232 and BBH8
The following Ultrium-5 firmware version has been proven to work correctly with these restores: B6W0
The following Ultrium-6 firmware version has been proven to work correctly with these restores: D8E4