2012-03-29 09:32 AM
Is there a way to verify that encryption is actually working on a Decru FC1020 appliance? I was asked to provide proof in the way of a report. I don't really see any reporting or verification options when in the DataFort Management Console. Perhaps through CLI?
Thanks in advance!
2012-03-29 10:41 AM
While cryptainers can be created as a "cleartext" (unencrypted) container, that's NOT the default. So, if you can prove that all cryptainers have encryption enabled, you've satisified the audit request.
To do this, run a cryptainer list command from the CLI, or view the cryptainers in the web GUI. If there is an 'e' in the Options, it is encrypted.
Depending on the type of cryptainer (iscsi, nfs, fc), you may have to modify the command. For example, for iscsi it is iscsi cryptainer list
The FC1020 CLI manual should have all options for you. Are you encrypting fiber activity to tape, or disk volumes?
2012-03-29 11:41 AM
I am encrypting fiber activity to tape.
Now, what I did is ran from the CLI "fccryptainer list" and it showed me my containers are set to NO for "Enc". I also ran "pool list" and for the Pools I show, one being the Default Pool and the other is one someone created, they both show YES for "Enc".
Finally I ran "tape list" and sadly, the tapes I see show an encryption key and YES for 'Enc", however the tapes are from 2006.
So the real encryption happens at the cryptainer first?
2012-03-29 11:55 AM
Your environment is actually the same kind I managed. I saw the same output as you (fccryptainer list showed 'no' while the pool assigned to the cryptainer said "yes"). It's the latter that matters here, for tapes...
The other environment I described is when using DataForts for san/disk encryption.
Sounds to me like you're good to go! Why did you say "sadly" about the tapes from 2006?
2012-03-29 01:51 PM
...Regarding the tapes, when I do a "tape list" I would think I should be seeing tapes up to today's date if we are backing up each night. No? This is what prompted me to say "sadly", because I equate not seeing current dated tapes as encryption not working...
2012-03-29 02:07 PM
Yes, that would cause some concern. 'tape list' should give you a list of all the barcodes that DF has written to. Have you contacted support? What kind of tapes are you using? If you have the know-how, you can use library or backup software utilities to try and read the tape through a non-DF-connected drive. If you can read header (OML) information or backup data off the tape without the DF in the path, it's not encrypted.
2012-03-30 05:39 AM
Really appreciate the feedback. We use HP LTO4 tapes. I may try doing something with HP Library Tapes Tools to test reading the OML if it can. Probably won't wast a whole lot of time now because I have been tasked with rolling out a new Brocade Encryption Switch and new tape library as a replacement.
Our support on this appliance ended last year so your info has really helped!!