2014 02 comForte SecurTape product

comForte’s SecurTape product provides software-based cryptography to secure the data at rest on your NonStop backup tapes. It co-operates

with the standard NonStop Tape utilities BACKUP, RESTORE and BACKCOPY, as well the TMF audit & online dump and restore

software, to transparently encrypt and decrypt the data.

1

2

3

SecurTape is designed with performance in mind. It can be configured to scale by launching slave processes to multiple CPUs to perform

compression and encryption. Many of our customers have reported that it actually takes less time to perform their backups now they are

using SecurTape to perform the encryption.

4

5

In a typical, unencrypted tape backup

• the operator invokes the BACKUP process which sends the files to the TAPE process to interfaces with the physical tape drive. The restore process is the reverse

procedure.

Before we can do an encrypted backup, we need to do a one time preparation of the environment.

• First we need to establish the KEYSTORE which will securely houses our encryption keys. As indicated, this is done with two fairly simple TACL commands.

• Next we need to bind STAPELIB into a copy of the Backup process and the Restore process. Now we are ready to do an encrypted backup:

• Now when the operator runs the backup process, STAPE is used to encrypt the data before sending the data to the TAPE process.

6

Since backups are often done in a tight window during non-peak times, it is important to minimize the duration of the backup cycle. This diagram will demonstrate how

SecurTape is optimized to reduce the time it takes to encrypt and backup the data. SecurTape has the ability to allocate parallel processing to multiple CPUs. Since it

takes less CPU to compress data than to encrypt it, SecurTape first compress, then encrypts the datablocks before sending them to the TAPE process. Here is how it

accomplishes this:

•The backup process breaks up the files into datablocks which are sent to the STAPE Master processes . When STAPE master receives a datablock, it deligates the

block to slave STAPEs running in other CPUs. If all STAPE slaves are busy, STAPE master also uses its own cryptengine. This gives the slaves time to complete.

• STAPE first compresses, then encrypts the datablock. The encrypted data blocks are then sent to the Stape Master and are written in the correct order to tape

7

8

PCI requirement 3.6 specifies that you must “Fully document and implement all key management processes and procedures for keys used

for encryption of cardholder data.” SecurTape provides a rich set of commands to be able to accomplish this requirement.

9

Proper key management requires planning. SecurTape uses strong cryptographic techniques to protect the data written to the backup tapes.

Losing a key for a specific backup tape is equivalent to losing the backup tape itself. It is *not* possible to RESTORE an encrypted backup tape without possession of the proper key. Therefore, it is important to plan for a disaster which might require you to restore the backup tapes

• Keys used to encrypt the tape should be exported and stored in a secure place to be available in case of a disaster.

• The keys should be exported using a passphrase to secure the private key. You will then only be able to “Import” the key if you know the passphrase.

• Practice your disaster recovery plan - a backup can only be useful if it can be successfully restored. Always practice a restore before you actually have to rely on it.

10

This leads us to the question of how we restore a secure tape to another system.

If we want to backup from one NonStop system and then restore that secure backup tape on another NonStop system, we’ll need to make the encryption keys available on the restore

system to do the decryption.

•To accomplish this, we first need to export the keys which were used to do the original backup. This is accomplished using the SecurTape “EXPORT” command as shown in this

example TACL command. Note the use of a pass phrase to secure the exported key files.

• Next we need to transport the key files to the other NonStop system typically using FTP.

• Finally, doing an IMPORT of the key files to generate the keystore on the second system, we are now ready to restore the encrypted tape.

If TMF is used to audit the Keystore file, then the export/import process is unnecessary since standard replication is used between the two sites.

Authors note: Don’t need to be super.super if key was generated as weak user

11

12

13