For years, backup tape encryption technology has gotten a bad rap. Many IT pros think the process of encrypting a backup tape is slow, unreliable and ineffective.
Why is it important to encrypt your backups? The reason lies in the nature of a backup tape. A backup tape is a mirror of your server's contents, and nothing stands in the way of someone stealing a backup tape and restoring it to their own server. Sure, most companies password-protect their backup tapes, but passwords can be cracked. Besides, if a hacker has physical possession of one of your backup tapes, he's not under any time constraints.
So while it's critical to keep your tapes from falling into the wrong hands, physical security will only get you so far. Since most backups run late at night, there is little to stop a trusted employee from sneaking into the office and stealing the tape as soon as the backup completes. If you store backup tapes in an offsite facility, there's always the chance that a tape could be lost or stolen in transit.
Encrypted tape backups got a reputation for being insecure because 56-bit Data Encryption Standard (DES) was originally used to encrypt tapes. In 1998, it was proven that DES could be cracked through brute force. Today, however, companies can use more secure encryption algorithms, such as 128-bit 3DES (triple DES) or 256-bit AES (Advanced Encryption Standard).
The only problem from the past that still plagues encrypted backups is that they can take longer to complete than a comparable non-encrypted backup. The reason is that encryption is a mathematical process, one that is CPU-intensive. The decrease in performance applies mostly to software-based encryption, but recent advances in data compression have helped to compensate for the slow throughput.
If you're worried about the amount of time it takes to complete a backup, compression should be done prior to encrypting the data. Compression decreases the amount of data that must be written to backup tape by removing redundancy from the data. Since compressed data can be encrypted just as easily as uncompressed data, it makes sense to compress the data first. This way you have fewer bytes to encrypt.
The problem is that most of the time, compression is handled by the tape drive. If you're planning to encrypt the data through software, make sure your backup software can handle compression and encryption at the software level.
Speed as a factor
It's hard to quantify the differences in speed between unencrypted backup, software-encrypted backup and hardware-encrypted backup because backup times vary so much. The timing depends on the type of data you're backing up, the speed of the underlying infrastructure (such as disks, tapes, network links and processors), the encryption algorithms being used and even variances among brands of backup software and encryption hardware.
Although I could not find any meaningful benchmark data, my own experience has been that encrypted backup that uses software-based encryption can take up to 30% longer to complete than a comparable unencrypted backup. There can be huge variances in this number, depending on the efficiency of the underlying hardware. Hardware-based encryption appliances allow backups to run almost as fast as a comparable unencrypted backup because they offload the encryption process to a dedicated CPU.
For many administrators, software-based encryption is still the encryption method of choice because most decent backup software comes with an encryption function built into the software. A common practice for getting around the speed issue is to encrypt only the sensitive data and leave non-sensitive data unencrypted. But I don't agree with this technique; I've seen too many situations in which seemingly harmless data was used for malicious purposes
Hardware-based tape encryption dramatically improves the speed of the encryption process. Sustained encryption rates of 52 MB per second are not uncommon. These appliances tend to be rather pricey -- ranging from about $1,000 to well over $10,000.
No matter whether you use a hardware or software tape encryption product, backup encryption depends on keys, which can carry serious consequences. If a key is lost, any data encrypted with that key is unreadable. If a key is compromised, any data encrypted with the key is at risk of also being compromised. My advice: Before you adopt tape encryption, you should perfect your organization's key management strategy.
Botom line: Whether or not to use encryption and which encryption method you want to use is not a decision you should take lightly.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows
2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in
charge of IT security for Fort Knox. You can visit Brien's personal Web site at www.brienposey.com.
This was first published in October 2005