I was using drive based encryption on a Win2k3 R2 server running DP 6. So I have my omnikeystore file located at the root of the omniback directory and the omnirc file was edited to allow for the drive based encryption and no license was required. I have been running drive based encryption on DP 6 successfully.
Now I just upgraded to DP 6.1.1 (no patches yet) on this server. I still have not purchased any encryption extension licenses, because I'm under the assumption that "Drive-based encryption" is still free? But now since the upgrade to DP 6.1.1 I'm no longer able to restore any previous backups, or even backup to a tape that has encrypted backups on it. I get the following errors from KMS:

    [Critical] From: RSM@strs.win2k.cfbb.org "" Time: 1/25/2010 1:57:19 PM
    [60:1061] KMS reports storeid:keyid 00000000000000000000000000000000:001E0B76573849CA794E0987473C197A not found.
    Aborting session.
Not sure how much this will help, but came across this in the Installing License Guide pdf, under section of Upgrading to DP 6.1.

======================================
...After the upgrade of the Cell Manager, Installation Server, and all clients to the Data Protector A.06.10, the omnikeymigrate command automatically migrates all existing key store files from all client systems in the cell and imports them into the central key store file on the Data Protector A.06.10 Cell Manager. If an active encryption key is migrated from the specified client system, all backup specifications that are associated with this particular client system are automatically migrated with the key. After the import, all migrated encryption keys are inactive. If automigration is not functioning for any reason, you can manually migrate the encryption keys. For details, refer to the omnikeymigrate man page or the HP Data Protector command line interface reference.

258 Upgrading to Data Protector A.06.10
======================================
What caught my eye was the "all keys become inactive".
So, have you tried running the omnikeytool -activate (..etc...) command yet?
I looked at omnikeytool -list. I don't see any keys, so there is nothing to activate. Now I've been using drive-based encryption so the encryption is tied to the medium, correct? Since I'm dealing with the same server I would assume I could restore the data off those tapes.
I installed the patches for DP 6.1.1. The drive-based encryption under device drive settings is still greyed out. I did find under the backup specifications > backup job > destination properties a checkbox for drive-based encryption, which is not greyed out.
I'm just confused why I can't restore data from these tapes, or backup to tapes that have encrypted data on them.
Thanks Rita... That's a good idea. I'm looking at the DP 6.1.1 CLI reference and I'll give the omnikeytool -import and -activate a try. All I have is this one omnikeystore file, so hopefully this is the file it needs?
In DP 6.0 I had to edit the omnirc file. Do you know if this file is still referenced in DP 6.1.1? I still have all the settings turned on as you can see and I'm wondering if this could be causing part of my problem too?
    OB2_ENCRYPT_MA=1|1
    # Default: 0
    # This variable is used to turn on or off Media Agent/ Hardware Encryption.
    #
    OB2_ENCRYPT_DEVICE_STRICT=TRUE|TRUE
    # Default: FALSE
    # This variable if turned on (TRUE) then the device used for backup has to be a
    # Encryption supported device.
    #
    OB2_ENCRYPT_MEDIUM_STRICT=TRUE|TRUE
    # Default: FALSE
    # This variable if turned on (TRUE) mandates the medium used for backup to be a
    # a Encryption supported medium.
I backup Windows servers, but I run it on HPUX cell manager.
From what I'm reading you may have turned on both software & hardware encryption in the past. On Windows software can be turned on by going into the GUI for the backup and checking the Encode box on the FileSystem Advanced/Other tabs. OR you may have turned it on by editing the OB2ENCODE setting and putting it to OB2ENCODE=1.
What I'm thinking...and just is that if you had software & hardware encryption turned on in the past, you did some kind of double encryption. And if that is the way the tapes were done, it may require setting up the same thing under DP6.1 to be able to read/write to those tapes again.
I'm thinking your new DP6.1 environment needs to replicate the old 6.0 environment. So if you think you had both software & hardware turned on - try to set that up again and see if that allows you to import/activate a key that was made under that environment.
Otherwise, I'm running out of ideas and think it's time to call HP Support.
The "Drive-based encryption" option under the drive settings is still greyed out. So I wonder if that has something to do with this, and needs to be selected in order to do the restores and append to an already encrypted tape?
For example - here I have an MSL tape library, that I can web into with an account that has admin rights I can turn on drive based encryption. I never even touch Data Protector. It is strictly on the library itself.
If I have a MSL2024 FC attached to my Windows 2003 server running Data Protector 6.0, I see the following from my omnidownload -list_devices -detail:
    NAME "HP:Ultrium 4-SCSI_1_xxx"
    DESCRIPTION "CLAIMED:HP LTO4 Drive"
    HOST xxx
    POLICY SCSI-II
    TYPE LTO-Ultrium
    POOL "Default LTO-Ultrium"
    LIBRARY "HP:MSL G3 Series_xxx"
    DRIVES "Tape0:0:0:0C" "1"
    LOCKNAME "HP:Ultrium 4-SCSI:HU19396YMD"
    SANSTABLEADDR
    DEVSERIAL "HU19396YMD"
If I uninstall 6.0 and install 6.11 and patch it, I see the device configuration is expanded some with new 6.11 device settings:
    NAME "HP:Ultrium 4-SCSI_1_xxx"
    DESCRIPTION "CLAIMED:HP LTO4 Drive"
    HOST xxx
    POLICY SCSI-II
    TYPE LTO-Ultrium
    POOL "Default LTO-Ultrium"
    LIBRARY "HP:MSL G3 Series_xxx"
    DRIVES "Tape0:0:0:0C" "1"
    LOCKNAME "HP:Ultrium 4-SCSI:HU19396YMD"
    SANSTABLEADDR
    DEVSERIAL "HU19396YMD"
    RESTOREDEVICEPOOL NO
    COPYDEVICEPOOL NO
I also notice the drive-based encryption checkbox is grayed out. I can still enable the encryption within the backup specifications, but cannot configure it as a device default.
If I delete and re-autoconfigure my MSL under 6.11, I now see the new setting of relevance:
    NAME "HP:Ultrium 4-SCSI_1_xxx"
    DESCRIPTION "CLAIMED:HP LTO4 Drive"
    HOST xxx
    POLICY SCSI-II
    TYPE LTO-Ultrium
    POOL "Default LTO-Ultrium"
    LIBRARY "HP:MSL G3 Series_xxx"
    ENCRCAPABLE <<<<-------||||||
    DRIVES "Tape0:0:0:0C" "1"
    LOCKNAME "HP:Ultrium 4-SCSI:HU19396YMD"
    DEVSERIAL "HU19396YMD"
    RESTOREDEVICEPOOL NO
    COPYDEVICEPOOL NO
And now my drive-based encryption checkbox can be selected in my drive advanced settings. So the upgrade is not rechecking devices for this functionality. You will either have to omnidownload / manual add ENCRCAPABLE line / omniupload or delete and re-autoconfigure the drives to enable that checkbox.
As for the OP's restore/append issue, it seems that omnikeymigrate was failing to find the 6.0 omnikeystore to migrate the keys. I have seen that in my 6.11 upgrade, the keys were also not automigrated. But an omnikeymigrate -client worked in my case, without the need to fully specify the omnikeystore path with -file. It only worked for the OP when he used -file. Not sure why the difference.
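Added example, not part of any post in this thread and not HP's code: a small Python check over saved device-definition text that lists library drives with no ENCRCAPABLE line after an upgrade and produces the edited definition for the manual "add ENCRCAPABLE line" route described above. The sample input is constructed in the layout quoted in the thread, and the function names and the choice to place the line directly after LIBRARY (where the re-autoconfigured drive shows it) are assumptions.

```python
# Constructed sample in the layout of the drive definitions quoted in the thread;
# the "_2_" drive and its DRIVES values are made up for illustration.
SAMPLE = '''\
NAME "HP:Ultrium 4-SCSI_1_xxx"
HOST xxx
TYPE LTO-Ultrium
LIBRARY "HP:MSL G3 Series_xxx"
DRIVES "Tape0:0:0:0C" "1"
DEVSERIAL "HU19396YMD"
NAME "HP:Ultrium 4-SCSI_2_xxx"
TYPE LTO-Ultrium
LIBRARY "HP:MSL G3 Series_xxx"
ENCRCAPABLE
DRIVES "Tape1:0:0:0C" "2"
'''

def split_devices(text):
    """Split a device dump into per-device line lists, one per NAME line."""
    blocks = []
    for line in text.splitlines():
        if line.startswith("NAME "):
            blocks.append([])
        if blocks and line.strip():
            blocks[-1].append(line.rstrip())
    return blocks

def keyword(line):
    """First token of a definition line, e.g. LIBRARY or ENCRCAPABLE."""
    return line.split()[0]

def drives_missing_flag(text):
    """Names of library drives whose definition has no ENCRCAPABLE line."""
    out = []
    for block in split_devices(text):
        words = [keyword(l) for l in block]
        if "LIBRARY" in words and "ENCRCAPABLE" not in words:
            out.append(block[0].split('"')[1])
    return out

def add_flag(block):
    """Insert ENCRCAPABLE after the LIBRARY line (assumed position, as seen on
    the re-autoconfigured drive). Already-flagged blocks come back unchanged."""
    words = [keyword(l) for l in block]
    if "ENCRCAPABLE" in words:
        return list(block)
    i = words.index("LIBRARY")  # ValueError if the block is not a library drive
    return block[:i + 1] + ["ENCRCAPABLE"] + block[i + 1:]

if __name__ == "__main__":
    print("missing ENCRCAPABLE:", drives_missing_flag(SAMPLE))
    print("\n".join(add_flag(split_devices(SAMPLE)[0])))
```

Unlike delete-and-autoconfigure, editing the definition leaves every other line of the drive's configuration as it was; whether the drive hardware actually supports encryption still has to be confirmed before the line is added.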
Thanks.... I'm using the MSL 2024 tape drive Rita. I thought about enabling it right on the drive, but I thought you had to purchase licenses? And I wasn't sure about key management.
Problem #1 Like Scott said for migrating the key I ended up using the automigration

    omnikeymigrate -client "c:\program files\omniback\omnikeystore"
The key migrated in!!!!
Then to be safe I backed up key by exporting it. I just created any .csv name.
omnikeytool -export key.csv -all
The key was exported and was sent to the export folder under C:\Program Files\OmniBack\Config\Server\export
Problem #2 For the device-based encryption check box being greyed out. I deleted the device out of Data Protector then I used Autoconfigure devices. I wish I had taken print screens of my settings before doing this.
Because after it autoconfigured under the drive settings for Direct Backup, the World Wide Name and Logical Unit Number was wiped out. So I had to find it on our SAN fibre switch.
But now the drive-based encryption is now visible!
Drive-based encryption has been working well for me these past few days. I have been able to backup (encrypt) and restore (decrypt) with no problems. I'm closing this ticket and want to thank you all for your help.
Hello... we are using Data Protector 6.0 to backup 4 hp unix servers. We have 2 MSL6000 series libraries each with 2 LTO scsi drives. One of the libraries has 2 LTO3 drives and the other has 2 LTO4 recently installed drives. Our goal is to perform drive based encryption backups on the LTO 4 drives. We've recently installed all of the required patches for 6.0 and drive based encryption as well as created the encryption key files and turned on the omnirc variable for drive based encryption. I've added the 2 new LTO4 drives in Data Protector GUI but we still can't get the encrypted backups working. I found this thread and was wondering if anyone would be able to provide any help. I did try removing one of the drives from Data Protector then adding it back with the Autoconfig Option but I don't see any advanced setting to turn on encryption at the drive level. As was indicated at the end of this thread we are not doing direct backup nor are we using FC drives. Any help would be appreciated. Thanks, Les