How to confirm tape drive supports T10 Encryption (Security Protocol In & Security Protocol Out) - examples

Article: 100037886
Last Published: 2012-08-13
Product(s): NetBackup & Alta Data Protection

Description

There are various tools that can be used to query for the Security Protocol In data, but this document will stick with two.

  • Inbuilt NetBackup command ..../volmgr/bin/scsi_command - (support introduced in NetBackup 7.5 for Windows)
  • The 3rd party "sg3 utils" package - Available for Linux and Windows (https://sg.danny.cz/sg/sg3_utils.html)

Using the 'scsi_command' in the /usr/openv/volmgr/bin directory, a 'Security Protocol In' command can be sent to the drive.

Confirmation of Encryption support can be determined by the returned results.


Example of an IBM LTO-4 drive which does NOT support Encryption:

  • Mount a tape (In this example media id 000022, density 'hcart')

    # tpreq -m 000022 -d hcart -p NetBackup -f /tmp/fred
     

  • Now query device for Security Protocol In support

    # scsi_command -d /tmp/fred -spi
    IBM     ULT3580-TD4     8192

    Supported security protocol list:
      0x00

    Security Protocol In command failed
    status 2h, key 5h, ASC 24h, ASCQ 0h
    sense 0x05, asc 0x24, ascq 0x00 occured

     
  • Unmount the tape

    # tpunmount /tmp/fred    

This example has the 'sg3 utils' package extracted into c:\drivers\sg3_utils directory.

A tape is mounted into the drive accessed via \\.\Tape5 using robtest.

This SCSI command is the 'raw' Security Protocol IN querying for supported pages.

The returned data (received 9 bytes) is decoded as:

  • First 6 bytes are reserved and set to '0', e.g. 00 00 00 00 00 00
  • The next two bytes "00 01" indicate the length (number) of pages.
  • The next byte "00" indicates this target supports page '00h'

C:\drivers\sg3_utils>sg_raw -r 44 \\.\Tape5 a2 00 00 00 00 00 00 01 00 00 00
SCSI Status: Good

Sense Information:
sense buffer empty

Received 9 bytes of data:
 00     00 00 00 00 00 00 00 01  00                         .........

For a Tape Drive to support Security Protocol IN / OUT, this command needs to report support for page 20h

e.g.

C:\drivers\sg3_utils>sg_raw -r 44 \\.\Tape3 a2 00 00 00 00 00 00 01 00 00 00
SCSI Status: Good

Sense Information:
sense buffer empty

Received 10 bytes of data:
 00     00 00 00 00 00 00 00 02  00 20                      .........
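
The decoding described above, as an added example (not part of the original article, NetBackup or sg3_utils): Python code that reads the sg_raw hex dump, parses the supported security protocol list and checks it for 20h. The function names are hypothetical; the two sample dumps are the ones shown above.

```python
import re

# sg_raw data dumps copied from the two examples in this article.
NO_ENCRYPTION = """Received 9 bytes of data:
 00     00 00 00 00 00 00 00 01  00                         .........
"""
WITH_ENCRYPTION = """Received 10 bytes of data:
 00     00 00 00 00 00 00 00 02  00 20                      .........
"""

TAPE_DATA_ENCRYPTION = 0x20  # value the article says must be reported

# Dump line: hex offset, wide gap, up to 16 two-digit hex bytes, ASCII column.
DUMP_LINE = re.compile(
    r"^\s*[0-9a-fA-F]{2,}\s{2,}((?:[0-9a-fA-F]{2}(?:\s{1,2}|$)){1,16})"
)


def bytes_from_sg_raw(text):
    """Collect the data bytes from the hex dump lines of sg_raw output."""
    data = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            data += bytes.fromhex(m.group(1))  # fromhex ignores the spaces
    return bytes(data)


def supported_protocols(data):
    """Decode the Security Protocol In supported-list response."""
    if len(data) < 8:
        raise ValueError("response shorter than the 8-byte header")
    # Bytes 0-5 are reserved; bytes 6-7 hold the big-endian list length.
    list_len = int.from_bytes(data[6:8], "big")
    if len(data) < 8 + list_len:
        raise ValueError("supported-protocol list is truncated")
    return list(data[8:8 + list_len])  # one byte per supported value


def supports_t10_encryption(sg_raw_text):
    """True when 20h appears in the list returned by the drive."""
    return TAPE_DATA_ENCRYPTION in supported_protocols(bytes_from_sg_raw(sg_raw_text))


if __name__ == "__main__":
    for name, dump in (("Tape5", NO_ENCRYPTION), ("Tape3", WITH_ENCRYPTION)):
        listed = ", ".join(f"{p:02x}h" for p in supported_protocols(bytes_from_sg_raw(dump)))
        print(f"{name}: {listed} -> T10 encryption: {supports_t10_encryption(dump)}")
```
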

Example of an HP LTO-4 drive which does NOT support Encryption:

Note: This example is from a customer's environment and further details are unknown

# /usr/openv/volmgr/bin/scsi_command -d /dev/rmt/3cbn -spi
HP Ultrium 4-SCSI H5AS

Security Protocol In command failed
status 2h, key 5h, ASC 24h, ASCQ 0h
sense 0x05, asc 0x24, ascq 0x00 occured 


An example of a tape drive that supports Encryption:

  • Mount a tape (In this example media id SYM021, density 'hcart')

    # tpreq -m SYM021 -p NetBackup -d hcart -f /tmp/fred
     
  • Now query device for Security Protocol In support
    # scsi_command -d /tmp/fred -spi
    STK     T10000B         550V

    Supported security protocol list:
      0x00
      0x20

    Tape Data Encryption Out Support page (0x0001, length 6)
      Page 0x0010

    Data Encryption Capabilities page (0x0010, length 44)
      EXTDEC 0, CFG_P 1
      Algorithm Index 0x01
      Decrypt 2, Encrypt 2, Nonce 1
      AVFCLP 0, DKAD_C 1, RDMC_C 1
      AVFMV
      MAC_C
      DED_C
      EAREM
      Max UNAUTH Key-associtated data 30 (bytes)
      Max AUTH Key-associtated data 0 (bytes)
      Key size 32 (bytes)
      Security Algorithm Code 0x80010010

    Supported Key Formats page (0x0011, length 6)
      0x00
      0x00

    Data Encryption Management Capabilities page (0x0012, length 16)
      LOCK_C
      CKOD_C
      CKORP_C
      CKORL_C
      AITN_C
      LOCAL_C
      PUBLIC_C

    Data Encryption Status page (0x0020, length 36)
      I_T Nexus Scope 1, Key Scope 1
      Encryption Mode 0x0, Decryption Mode 0x0
      Algorithm Index 0x1
      Key Instance Counter 0x5
      Parameters Control 0, CEEMS 0
    Key-associated data descriptors list:
      ba 10 00 1e 00 00 00 20 43 00 00 00 00 00 00 00

    Next Block Encryption Status page (0x0021, length 16)
      Logical Object Number 0x00000000 00000000
      Compression Status 0x0, Encryption Status 0x3
      Algorithm Index 0x1

     
  • Unmount the tape

    # tpunmount /tmp/fred

An example of a tape drive that DOES NOT support Encryption:

The IBM "Setup, Operator, and Service Guide" documents for Model T1600P and TS2340 both state:

"IBM System Storage TS2340 Tape Drive supports host Application Managed Encryption (AME), using T10 encryption methods, for SAS drives only. Encryption is not supported on the Ultra160 SCSI drive. Data encryption is supported with LTO Ultrium 4 Data Cartridges only."

This can be confirmed using 'sg_modes' and examining byte 7 (bit 0 & bit 3) of the returned data.

  • Confirm byte 7 bit 0 (Encr_C) is '0' which indicates that the hardware does not support encryption (Encryption Capable).
  • Confirm byte 7 bit 3 (Encr_E) is '0' which indicates that encryption is not enabled in the drive (Encryption Enabled).

c:\Temp\sg_util>sg_modes --page=0x24 tape0
    IBM ULTRIUM-TD4 82F0 peripheral_type: tape [0x1]
Mode parameter header from MODE SENSE(10):
  Mode data length=24, medium type=0x48, specific param=0x10, longlba=0
  Block descriptor length=8
> General mode parameter block descriptors:
   Density code=0x46
 00     46 00 00 00 00 00 00 00
>> page_code: 0x24, page_control: current
 00     24 06 00 07 00 00 00 00
                             ^^ Byte 7
