Encrpytion light on tape drive lit?

A

ahorner

New Member
Dec 21, 2023
28
1
3
I just noticed when running a backup, the hardware Encryption light was lit on my drive for one of my tapes. This tape has been used without hardware encryption in the past.

Has PBS made a change to the way encryption is implemented, now using the hardware encryption by default?

Has PBS just corrupted my tape?

Thanks
 
Hi dietmar,

If I understand correctly, hardware encryption is optional and not recommended, and instead software encryption before the encryption hit the tape is used in order to allow key recovery?

In the case of the bug you mentioned, does that mean tapes may contain unencrypted data which was otherwise expected to be encrypted? This is of course very bad and blanking and rewriting the tapes would be necesary if true.
 
ahorner said:
If I understand correctly, hardware encryption is optional and not recommended, and instead software encryption before the encryption hit the tape is used in order to allow key recovery?
Click to expand...
There are different types/layers of encryption, You can use client side encryption, or tape encryption...
 
Does the tape encryption, which appears to be what is happening here with the hardware encryption enabled, still allow for key recovery? I was under the assumption it does not, so I cose software encryption hence my confusion at the light being lit
 
Just gonna bump that last question as I would say it is quite a major and reasonable concern - Selecting encryption should encrypt data. If it isn't encrypted, that's a problem!
 
Does anyone care to comment on this? It really seems to me like something went wrong with LTO and a bug was silently fixed as noted by yourself @dietmar

There was a bug fix (Older version did not always enable encryption correctly).
Click to expand...

but I cannot see any further expansion on this. Is there a bug report which goes into detail anywhere? I can't find one about this on the Proxmox Bugzilla. I just want to find out what was changed and whether I need to do anything about it, because as far as I can tell, PBS is doing something I never asked it to do with my tapes.
 
Hi, sorry for the late answer, but we did now officially announce the issue here:
https://forum.proxmox.com/threads/proxmox-backup-server-security-advisories.149332/#post-676280

basically previously we accidentally did not write on the tape encrypted, now we do, so the change in behaviour is intended

if encryption is enabled for a tape media pool we now correctly use the hardware encryption like it was intended and documented: https://pbs.proxmox.com/docs/tape-backup.html#media-pools

ahorner said:
I was under the assumption it does not, so I cose software encryption hence my confusion at the light being lit
Click to expand...
AFAIK this is possible because we don't let the drive generate the key, but we create it ourselves and configure the drive to use it (which is supported since LTO-4)
 
dcsapak said:
Hi, sorry for the late answer, but we did now officially announce the issue here:
https://forum.proxmox.com/threads/proxmox-backup-server-security-advisories.149332/#post-676280

basically previously we accidentally did not write on the tape encrypted, now we do, so the change in behaviour is intended

if encryption is enabled for a tape media pool we now correctly use the hardware encryption like it was intended and documented: https://pbs.proxmox.com/docs/tape-backup.html#media-pools


AFAIK this is possible because we don't let the drive generate the key, but we create it ourselves and configure the drive to use it (which is supported since LTO-4)
Click to expand...
Hi @dcsapak,

Thank you for your reply.

How does this now work when you want to recover encryption keys from the tape?

It is my understanding that when you configure the tape drive to use hardware encryption, this is an all or nothing process which means you cannot read from the tape at all unless you provide the correct encryption key, so how would you read the encryption key to recover? Maybe my understanding here is incorrect.

Thanks
 
ahorner said:
It is my understanding that when you configure the tape drive to use hardware encryption, this is an all or nothing process which means you cannot read from the tape at all unless you provide the correct encryption key, so how would you read the encryption key to recover? Maybe my understanding here is incorrect.
Click to expand...
the first blocks on the tape are always written without hardware encryption (contains the (software) encrypted key + some meta information) so that we can always identify the tape, regardless of encryption setting
 
dcsapak said:
the first blocks on the tape are always written without hardware encryption (contains the (software) encrypted key + some meta information) so that we can always identify the tape, regardless of encryption setting
Click to expand...
Okay cool, I need to revisit my understanding of LTO then, no problemo. Thanks for the update, I will rebuild my tapes
 
ahorner said:
Okay cool, I need to revisit my understanding of LTO then, no problemo. Thanks for the update, I will rebuild my tapes
Click to expand...
glad to be able to help!

just fyi: the unencrypted starting blocks have nothing directly to do with LTO but with our custom on tape format
we directly talk with the drive via scsi so we don't use any existing format like tar/LTFS/etc.

that way we're much more flexible in how and what to write
 
dcsapak said:
glad to be able to help!

just fyi: the unencrypted starting blocks have nothing directly to do with LTO but with our custom on tape format
we directly talk with the drive via scsi so we don't use any existing format like tar/LTFS/etc.

that way we're much more flexible in how and what to write
Click to expand...
Understood, I believe you're using the standard LTO "file" structure though? It was my understanding that LTO files were all or nothing encrypted, so that understanding must be incorrect if so
 
no actually we're just writing blocks to the tapes with our custom format, we reuse the lto file markers for our convenience but it has actually nothing to do with ltfs or something similar.
the downside is that you can't read any info without our software/tools but since it's open source that shouldn't be a problem ;)
 
Yep sorry, I meant that block format, not LTFS. When using some software it calls each block a file, just terminology confusion.

Thanks again!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back