Media in an ENCR encryption pool is frozen when attempting a KMS encryption backup

Article: 100023104
Last Published: 2019-05-17
Product(s): NetBackup

Problem

Media in an ENCR encryption pool is frozen when attempting a KMS encryption backup

Error Message

FREEZING media id xxxxxx,Encryption unavailable for an ENCR pool



 

Cause

Second scenario:
Info bptm(pid=26732) Waiting for mount of media id 0514L4 (copy 1) on server abc390.,07/03/2017 16:59:44
mounting xxxxxx
Error bptm(pid=xxxx) FREEZING media id xxxxxx, Encryption unavailable for an ENCR pool
Warning bptm(pid=xxxx) media id xxxxxx load operation reported an error
Current media xxxx complete


Cause:
In the above scenario the Encryption Method was set to None.

Solution:
Connect to the tape library management console provided by the vendor and check the Encryption Method. The encryption method should be Application-Managed.



 

Solution

KMS is the NetBackup Key Management Service that manages symmetric cryptography keys for tape drives that conform to the T10 standard; for example LTO4.

A backup policy is configured to use media from a pool whose name has the prefix "ENCR".

This is the trigger for the bptm process to enable encryption in the tape drive. The bptm process mounts its tape, then checks that encryption is possible given the selected tape and drive.

It logs the results of its checks in its bptm log file; for example:
  16:54:17.552 [8584] <2> manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0000000c

If encryption is not possible, bptm will freeze the media and report this error in both the bperror log and its own log file.

One possible cause of the failure is that the media is not suitable for use with drive-based hardware encryption. For example, it is possible to mount an LTO3 tape cartridge into an LTO4 drive and perform normal backups to this tape. However, LTO3 tape cartridges are not suitable for use with LTO4 hardware encryption.

Check the value for "fl1" in the bptm log. In the example above it is 0x00010049, and this was for an LTO3 media. When the correct media is loaded, the value is 0x20000 greater. In this example, if LTO4 media is used, the fl1 value is 0x00030049.

Bit 0x00010000 indicates the drive supports encryption.
Bit 0x00020000 indicates the media supports encryption.
If both the drive and media support encryption, these values will be added together (0x00030000) in the fl1 field.

The media can be physically inspected to check the type.
 
Note: bptm has to confirm that both the drive and media support encryption for KMS to work.
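
The fl1 check described above can be automated over a bptm log. The following Python sketch is an added example, not Veritas code; the function names are hypothetical, and the second sample line is constructed from the LTO4 value quoted in this article.

```python
import re

DRIVE_ENCRYPTS = 0x00010000  # bit the article gives for "drive supports encryption"
MEDIA_ENCRYPTS = 0x00020000  # bit the article gives for "media supports encryption"

# Matches the report_attr line format shown in the article's bptm log excerpt.
REPORT_ATTR = re.compile(
    r"^(?P<time>\S+)\s+\[(?P<pid>\d+)\].*manage_drive_attributes: report_attr, "
    r"fl1 (?P<fl1>0x[0-9a-fA-F]+)"
)

def decode_fl1(fl1):
    """Return (drive_ok, media_ok, verdict) for one fl1 value."""
    drive_ok = bool(fl1 & DRIVE_ENCRYPTS)
    media_ok = bool(fl1 & MEDIA_ENCRYPTS)
    if drive_ok and media_ok:
        verdict = "encryption possible"
    elif drive_ok:
        verdict = "media cannot encrypt (e.g. LTO3 cartridge in LTO4 drive)"
    elif media_ok:
        verdict = "drive does not report encryption support"
    else:
        verdict = "neither drive nor media reports encryption support"
    return drive_ok, media_ok, verdict

def scan_bptm_log(lines):
    """Yield (time, pid, fl1, verdict) for every report_attr line."""
    for line in lines:
        m = REPORT_ATTR.search(line.strip())
        if m:
            fl1 = int(m.group("fl1"), 16)
            yield m.group("time"), int(m.group("pid")), fl1, decode_fl1(fl1)[2]

# Sample input: the first line is the article's own log example; the second is
# constructed (same format, timestamp invented) with the article's LTO4 fl1 value.
SAMPLE = """\
16:54:17.552 [8584] <2> manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0000000c
16:58:02.101 [8584] <2> manage_drive_attributes: report_attr, fl1 0x00030049, fl2 0x0000000c
""".splitlines()

if __name__ == "__main__":
    for time, pid, fl1, verdict in scan_bptm_log(SAMPLE):
        print(f"{time} pid={pid} fl1={fl1:#010x}: {verdict}")
```

Any line whose verdict is not "encryption possible" identifies a mount that bptm would freeze in an ENCR pool.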

 
 

 
