How to confirm tape drive supports T10 Encryption (Security Protocol In & Security Protocol Out) - examples
Description
There are various tools that can be used to query for the Security Protocol In data, but this document will stick with two.
- Inbuilt NetBackup command ..../volmgr/bin/scsi_command - (support introduced in NetBackup 7.5 for Windows)
- The 3rd party "sg3 utils" package - Available for Linux and Windows (https://sg.danny.cz/sg/sg3_utils.html)
Using the 'scsi_command' in the /usr/openv/volmgr/bin directory, a 'Security Protocol In' command can be sent to the drive.
Encryption support can be confirmed from the returned results.
Example of an IBM LTO-4 drive which does NOT support Encryption:
- Mount a tape (in this example media id 000022, density 'hcart')
# tpreq -m 000022 -d hcart -p NetBackup -f /tmp/fred
- Now query the device for Security Protocol In support
# scsi_command -d /tmp/fred -spi
IBM ULT3580-TD4 8192
Supported security protocol list:
0x00
Security Protocol In command failed
status 2h, key 5h, ASC 24h, ASCQ 0h
sense 0x05, asc 0x24, ascq 0x00 occured
- Unmount the tape
# tpunmount /tmp/fred
This example has the 'sg3 utils' package extracted into the c:\drivers\sg3_utils directory.
A tape is mounted in the drive accessed via \\.\Tape5 using robtest.
This SCSI command is the 'raw' Security Protocol In, querying for the supported pages.
The returned data (received 9 bytes; the leading "00" on the dump line is sg_raw's byte-offset column, not data) is decoded as:
- The first 6 bytes are reserved and set to '0', e.g. 00 00 00 00 00 00
- The next two bytes, "00 01", indicate the length (number) of pages.
- The next byte, "00", indicates this target supports page '00h'.
C:\drivers\sg3_utils>sg_raw -r 44 \\.\Tape5 a2 00 00 00 00 00 00 01 00 00 00
SCSI Status: Good
Sense Information:
sense buffer empty
Received 9 bytes of data:
00 00 00 00 00 00 00 00 01 00 .........
For a tape drive to support Security Protocol In / Out, this command needs to report support for page 20h, e.g.:
C:\drivers\sg3_utils>sg_raw -r 44 \\.\Tape3 a2 00 00 00 00 00 00 01 00 00 00
SCSI Status: Good
Sense Information:
sense buffer empty
Received 10 bytes of data:
00 00 00 00 00 00 00 00 02 00 20 .........
Example of an HP LTO-4 drive which does NOT support Encryption:
Note: This example is from a customer's environment and further details are unknown.
# /usr/openv/volmgr/bin/scsi_command -d /dev/rmt/3cbn -spi
HP Ultrium 4-SCSI H5AS
Security Protocol In command failed
status 2h, key 5h, ASC 24h, ASCQ 0h
sense 0x05, asc 0x24, ascq 0x00 occured
An example of a tape drive that supports Encryption:
- Mount a tape (In this example media id SYM021, density 'hcart')
# tpreq -m SYM021 -p NetBackup -d hcart -f /tmp/fred
- Now query the device for Security Protocol In support
# scsi_command -d /tmp/fred -spi
STK T10000B 550V
Supported security protocol list:
0x00
0x20
Tape Data Encryption Out Support page (0x0001, length 6)
Page 0x0010
Data Encryption Capabilities page (0x0010, length 44)
EXTDEC 0, CFG_P 1
Algorithm Index 0x01
Decrypt 2, Encrypt 2, Nonce 1
AVFCLP 0, DKAD_C 1, RDMC_C 1
AVFMV
MAC_C
DED_C
EAREM
Max UNAUTH Key-associtated data 30 (bytes)
Max AUTH Key-associtated data 0 (bytes)
Key size 32 (bytes)
Security Algorithm Code 0x80010010
Supported Key Formats page (0x0011, length 6)
0x00
0x00
Data Encryption Management Capabilities page (0x0012, length 16)
LOCK_C
CKOD_C
CKORP_C
CKORL_C
AITN_C
LOCAL_C
PUBLIC_C
Data Encryption Status page (0x0020, length 36)
I_T Nexus Scope 1, Key Scope 1
Encryption Mode 0x0, Decryption Mode 0x0
Algorithm Index 0x1
Key Instance Counter 0x5
Parameters Control 0, CEEMS 0
Key-associated data descriptors list:
ba 10 00 1e 00 00 00 20 43 00 00 00 00 00 00 00
Next Block Encryption Status page (0x0021, length 16)
Logical Object Number 0x00000000 00000000
Compression Status 0x0, Encryption Status 0x3
Algorithm Index 0x1
- Unmount the tape
# tpunmount /tmp/fred
An example of a tape drive that DOES NOT support Encryption:
As per the IBM documentation ("Setup, Operator, and Service Guide"), the Model T1600P and TS2340 guides both state:
"IBM System Storage TS2340 Tape Drive supports host Application Managed Encryption (AME), using T10 encryption methods, for SAS drives only. Encryption is not supported on the Ultra160 SCSI drive. Data encryption is supported with LTO Ultrium 4 Data Cartridges only."
This can be confirmed using 'sg_modes' and examining byte 7 (bit 0 and bit 3) of the returned data.
Confirm byte 7 bit 0 (Encr_C) is '0', which indicates that the hardware does not support encryption (Encryption Capable). Confirm byte 7 bit 3 (Encr_E) is '0', which indicates that encryption is not enabled in the drive (Encryption Enabled).
c:\Temp\sg_util>sg_modes --page=0x24 tape0
    IBM       ULTRIUM-TD4       82F0   peripheral_type: tape [0x1]
Mode parameter header from MODE SENSE(10):
  Mode data length=24, medium type=0x48, specific param=0x10, longlba=0
  Block descriptor length=8
> General mode parameter block descriptors:
   Density code=0x46
00 46 00 00 00 00 00 00 00
>> page_code: 0x24, page_control: current
00 24 06 00 07 00 00 00 00
                        ^^ Byte 7
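To automate the two checks this article walks through by hand (decoding the Security Protocol In protocol-00 list and looking for page 20h, and reading Encr_C/Encr_E from byte 7 of mode page 0x24), here is an added Python example that is not part of this article, NetBackup or sg3_utils. The sample buffers are constructed from the hex printed above with the tools' leading offset column removed, and the Encr_C/Encr_E bit positions are taken from the article's description rather than verified against the IBM SCSI reference.

```python
"""Decode SECURITY PROTOCOL IN (protocol 0x00) data and mode page 0x24.

Added example, not from the NetBackup technote or from sg3_utils. The sample
buffers are constructed from the hex the article shows (offset column removed).
"""
from typing import List, Tuple

TAPE_DATA_ENCRYPTION = 0x20  # SSC "Tape Data Encryption" security protocol


def parse_supported_protocols(buf: bytes) -> List[int]:
    """Decode the protocol 0x00 response: 6 reserved bytes, a 2-byte
    big-endian list length, then one byte per supported protocol."""
    if len(buf) < 8:
        raise ValueError("response shorter than the 8-byte header")
    length = int.from_bytes(buf[6:8], "big")
    protocols = list(buf[8:8 + length])
    if len(protocols) < length:
        # Drive advertised more entries than were received (allocation too small)
        raise ValueError(f"truncated list: expected {length}, got {len(protocols)}")
    return protocols


def supports_t10_encryption(buf: bytes) -> bool:
    """True when the supported-protocol list includes 0x20 (page 20h)."""
    return TAPE_DATA_ENCRYPTION in parse_supported_protocols(buf)


def parse_mode_page_24(page: bytes) -> Tuple[bool, bool]:
    """Return (Encr_C, Encr_E) from byte 7 of mode page 0x24, using the bit
    positions the article gives for IBM LTO drives (bit 0 and bit 3)."""
    if len(page) < 8 or (page[0] & 0x3F) != 0x24:
        raise ValueError("not an 8-byte mode page 0x24")
    return bool(page[7] & 0x01), bool(page[7] & 0x08)


# Constructed from the article's sg_raw dumps (9 and 10 bytes received)
IBM_LTO4_SPI = bytes.fromhex("00 00 00 00 00 00 00 01 00")
ENCRYPTING_DRIVE_SPI = bytes.fromhex("00 00 00 00 00 00 00 02 00 20")
# Constructed from the article's sg_modes dump of page 0x24
IBM_LTO4_MODE_PAGE_24 = bytes.fromhex("24 06 00 07 00 00 00 00")

if __name__ == "__main__":
    for name, spi in (("IBM LTO-4", IBM_LTO4_SPI), ("encrypting drive", ENCRYPTING_DRIVE_SPI)):
        verdict = "supports T10 encryption" if supports_t10_encryption(spi) else "no encryption"
        print(f"{name}: protocols {[hex(p) for p in parse_supported_protocols(spi)]} -> {verdict}")
    encr_c, encr_e = parse_mode_page_24(IBM_LTO4_MODE_PAGE_24)
    print(f"mode page 0x24 byte 7: Encr_C={int(encr_c)} Encr_E={int(encr_e)}")
```

Feed it the raw bytes captured from sg_raw or scsi_command (minus the offset column) to get a yes/no answer instead of reading the dump by eye.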