SafeTape and the entertainingly-named Paranoia 2 are sister products that provide compression and encryption for backup devices. Paranoia is a stand-alone encryption and compression appliance that sits between the backup server and the storage device; SafeTape is an appliance that includes both the Paranoia hardware and an in-built tape drive (any one of LTO, SDLT or AIT).
The need to encrypt your backups is pretty much a no-brainer if the media are going off-site. Even if you don’t have to worry about conformance with the raft of compliance legislation that we’re faced with today, common sense says that you need to think about the confidentiality risks of your tapes being mislaid or stolen.
You can, of course, use whatever encryption mechanisms are built into your backup software – most modern packages have fairly decent encryption support. Trouble is, though, that there are some problems with doing this.
First, the encryption is being done in software on the same machine that’s processing the backup, bundling everything up and sending it to the drive – which means there’s a good chance that encrypting the data will slow everything down. Second, and more importantly, if you encrypt the data before you write it to the tape drive, you’re knackering the drive’s built-in compression facilities. Compression algorithms rely on patterns in the data they’re compressing, but the whole point of encryption is to remove any recognisable patterns.
Thus, if you encrypt the data first, it becomes barely compressible and the storage space requirement goes up – so you need to compress before you encrypt. Oh, and if you decide to compress the data and then encrypt it on the backup server, that’s more processing and an even slower backup. The third problem is that you generally only have one encryption key, which means that anyone who knows the key could theoretically walk off with a tape and pull off all the data.
Paranoia addresses problems one and two by taking the task away from the backup server and doing the compression and encryption in a separate box. Step one is to connect it into the SCSI chain (Fibre Channel and iSCSI are also supported, by the way); the device is initially invisible to both the server and the drive. Next, you run up the Windows GUI and configure the encryption keys (there are two), and turn on encryption. The tape drive and the server still don’t know the unit is connected, but the data flying from server to drive is transparently encrypted, and data from drive to server is transparently decrypted. Simple as that.
We mentioned that there are two keys. The way encryption works is to take each block of data, compress it, split it in half, encrypt each half with a different one of the two keys, then put it back together for forwarding to the drive. This means that even if you have one of the keys and you can decrypt half the data, you’re stuck with something of which half is the compressed version of the raw data, and the other half is still encrypted – so decoding the data is far from trivial.
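To make the compress-before-encrypt argument and the two-key split concrete, here is an added Python illustration; it is not the product’s code, and the review does not describe the appliance’s real cipher or block framing. It stands in a toy SHA-256 keystream for the cipher and zlib for the compressor, shows that ciphertext no longer compresses, and walks a block through the compress, split, encrypt-each-half, rejoin sequence described above (the 4-byte split-length header is an assumed framing of my own).

```python
import hashlib
import struct
import zlib


# Toy keystream cipher: SHA-256 in counter mode XORed with the data. It stands
# in for whatever cipher the appliance really uses (not named on the page) and
# exists only so the example runs offline with the standard library.
def _keystream_xor(key: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compression_ratio(data: bytes) -> float:
    """Size after zlib compression divided by original size (lower is better)."""
    return len(zlib.compress(data, 9)) / len(data)


def protect_block(block: bytes, key_a: bytes, key_b: bytes) -> bytes:
    """Compress, split the compressed block in two, encrypt each half under its
    own key, rejoin. A 4-byte length of the first half is prepended so the
    receiver knows where to split (assumed framing, not the product's)."""
    compressed = zlib.compress(block, 9)
    mid = len(compressed) // 2
    left = _keystream_xor(key_a, compressed[:mid])
    right = _keystream_xor(key_b, compressed[mid:])
    return struct.pack(">I", len(left)) + left + right


def recover_block(wire: bytes, key_a: bytes, key_b: bytes):
    """Reverse protect_block. Returns None when the rejoined stream is not
    valid zlib, which is what a wrong key for either half produces."""
    (mid,) = struct.unpack(">I", wire[:4])
    left = _keystream_xor(key_a, wire[4:4 + mid])
    right = _keystream_xor(key_b, wire[4 + mid:])
    try:
        return zlib.decompress(left + right)
    except zlib.error:
        return None


# Constructed sample: a repetitive backup record, the kind of data that tape
# hardware compression normally shrinks very well.
SAMPLE = b"acct=0001;name=example;balance=0.00;status=active\n" * 200
KEY_A = b"first-custodian-key"
KEY_B = b"second-custodian-key"

if __name__ == "__main__":
    print("plain ratio     :", round(compression_ratio(SAMPLE), 3))
    print("encrypted ratio :", round(compression_ratio(_keystream_xor(KEY_A, SAMPLE)), 3))
    print("round trip ok   :", recover_block(protect_block(SAMPLE, KEY_A, KEY_B), KEY_A, KEY_B) == SAMPLE)
```

Note that with zlib a correctly decrypted first half still decompresses on its own to a prefix of the plaintext, so in this toy one key alone is not worthless; the review does not say how the real appliance’s scheme behaves in that case.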
Even better, you have a third key. This is burnt into a chip that plugs into a socket on the Paranoia’s motherboard, and which contains a code unique to your organisation. Each drive in your organisation (or, if you wish, in a sub-division) carries the same chip code, and nobody else’s does. So even if both “soft” keys are compromised, the thief can’t actually do anything with the data unless he (a) nicks the Paranoia; or (b) nicks the spare chip and acquires a box to shove it into. Oh, by the way: you can set the firmware to forget its keys, either immediately or after a short delay, in the event of power loss, thus mitigating the risk with option (a).
The architecture therefore makes it very simple to implement a highly effective encryption policy. By having each of the keys known to a different person, you can ensure that no one person can extract your data. And so long as you physically protect your infrastructure kit and keep the spare chips in a secure place (they exist, by the way, in case your kit gets fried in a fire and you need to buy a replacement box) the chances of information theft are reduced even further.
Physically, Paranoia is a 1U rack-mountable unit that has an RS-232 port for management and the appropriate ports for your drive/server connections (SCSI/iSCSI ports are presented on the back, Fibre Channel ones on the front). RS-232 sounds like a naff way to control the box, but it helps the perception of security – and anyway, if you want to control it via Ethernet you just need to buy an Ethernet-to-serial interface box, as the control GUI will work via both RS-232 and TCP/IP.
There’s a little display panel on the front showing the device’s status, and the plan is to add a live replica of this front panel to the management GUI in the next version so that you don’t have to stand in front of the machine to see what’s going on. The GUI itself is very simple – after all, there’s not much to do apart from setting keys and turning encryption on and off. Incidentally, the SafeTape unit we looked at (which, as we’ve mentioned, is just a Paranoia 2 mounted in the same box as an off-the-shelf tape drive) was a familiar-looking, shoebox-style desktop unit with an internal DLT drive.
Paranoia 2 is a very clever product – clever, that is, in the sense that somebody has thought about every angle of the problems with tape security. The company’s aim is that it is simple and highly compatible – and they’ve achieved this by making it transparent to the server and the tape drive, which means you don’t need to muck about with drivers and whatnot. The lack of an Ethernet port on the device means you can’t network-sniff it and do nasty things, but if you do decide you want LAN connectivity, you just have to spend a few quid on an adaptor box.
The OS is on-board and is not an embedded Unix, Linux or Windows, and you can’t get at it from outside the box. The two-key approach complicates illicit decryption and allows you to ensure no one person can unpack your data. And the only moving parts are the fans, so reliability shouldn’t be a problem.
If you’re buying this kind of kit, you should be doing so as part of a coherent, properly planned backup and disaster recovery plan.