Home » HP Manuals » Storage Devices » HP StoreOnce 4430 » Manual Viewer

HP StoreOnce 4430 HP StoreOnce Backup System Concepts and Configuration Guidel - Page 12

Security Features, Types of licensing, Data at Rest Encryption, Secure erase

Add to My Manuals
Save this manual to your list of manuals

Page 12 highlights

Types of licensing There are two types of licensing: • Full license (not time limited) • Instant on (time limited to 90 days): This allows you to try out licensable functionality on StoreOnce hardware products before paying for a full license for features such as Replication Target, Catalyst, or the Security features of Data at Rest Encryption and Secure Erase. For more information on applying this type of license, see the HP StoreOnce backup system Installation and Configuration guide and the HP StoreOnce Backup system CLI Reference Guide. Security Features The HP StoreOnce backup system offers two security features that can be applied using a Security license: Data at Rest Encryption and Secure Erase. Data at Rest Encryption When enabled, the Data at Rest Encryption security feature protects data at rest on a stolen, discarded, or replaced disk from forensic attack. Data encryption is only available on Catalyst and VTL devices. When you create a new store or library (VTL or Catalyst), you have the option to enable encryption if the security features license has already been applied. Once enabled, encryption will automatically be performed on the data before it is written to disk. Encryption cannot be disabled once it has been set for a library or Catalyst store. When you create an encrypted store or library, the key store is updated with the encryption key. This keystore may be backed up and saved securely offsite in case the original key store is corrupted. However, be sure to keep only the latest version of the key store as a backup; the key store on the StoreOnce Backup system is updated each time you create a library or Catalyst store. The StoreOnce CLI command that backs up the key store also encrypts it, ensuring that it can only be decrypted by the HP StoreOnce backup system, should you need to restore it. Be very diligent about backing up your keystore if you are creating encrypted stores or libraries! See the HP StoreOnce Backup system CLI Reference Guide for more information about the StoreOnce CLI commands for backing up and restoring key stores. NOTE: Each library or Catalysts store configured will use a different key. The StoreOnce software automatically tracks which key is relevant to which device in the Key Store File. Keys are automatically re-applied to the right device if the key store file is restored. IMPORTANT: B6200 systems: Every time that you expand storage by adding a couplet, you will need to restore your keystore. Installing the additional couplet is an HP Support task, but you are responsible for ensuring that a Security license has been installed for the new couplet and saving the existing keystore. Secure erase Secure Erase can be enabled for all store types. When enabled, this feature allows you to securely erase data that has been backed up as part of a regular backup job. The Secure Erase feature can only be enabled after store or library creation (edit the store or library to enable Secure Erase). All data written to disk once secure erase is enabled will be securely erased upon data deletion. For example, you may have unintentionally backed up confidential data and need to be sure that it has been securely erased. You must work with your backup application to trigger the secure erase, for example by forcing a format of a cartridge. The backup application sends the request to delete the data and the deletion is carried out as part of the Housekeeping function. 12 Before you start

Section	Page
Backup systems Concepts and Configuration Guidelines	1
Contents	3
1 Before you start	7
Overview	7
HP StoreOnce Backup system models	7
StoreOnce Catalyst targets for backup applications	8
NAS targets for backup applications	9
Virtual Tape Library targets for backup applications	9
Comparing StoreOnce Catalyst, NAS and Virtual Tape Library target devices	9
Networking and Fibre Channel considerations	10
Licensing	11
Security Features	12
For more information	13
2 HP StoreOnce technology	14
Data deduplication	14
Key performance factors with deduplication that occurs on the StoreOnce Backup system	14
VTL and NAS Replication overview	15
Key performance factors with replication	15
Catalyst Copy and deduplication	15
Housekeeping	15
Backup Application considerations	16
Multi-stream or multiplex, what do they mean?	16
Why multiplexing is a bad practice	16
Effect of multiple streams on StoreOnce Performance	18
Data compression and encryption backup application features	21
3 Concepts specific to StoreOnce B6200 Backup system	22
The HP StoreOnce B6200 Backup system	22
B6200 Basic Concepts	23
Deployment choices	25
4 Networking considerations	27
Common networking considerations	27
Supported Ethernet configurations	27
Network bonding modes	28
Network configuration in single-node StoreOnce Backup systems	28
General guidelines	29
Single port configurations	30
Dual port configurations	31
Bonded port configurations (recommended)	32
10GbE Ethernet ports on StoreOnce Backup systems	33
Network configuration for CIFS AD	33
Option 1: HP StoreOnce Backup system on Corporate SAN and Network SAN	34
Option 2: HP StoreOnce Backup system on Network SAN only with Gateway	35
5 Network configuration in multi-node StoreOnce Backup systems	36
What is currently supported	36
What is not currently supported	36
Supported network configurations (templates)	36
Gateway considerations	37
Template 1, uses 10 GbE and 1 GbE sub-nets	37
Template 2, uses 1GbE network only	38
Template 3, uses 10GbE network only	39
Template 4, uses two 1GbE networks	39
Template 5, uses 1GbE network only	40
6 Fibre Channel considerations	41
Port assignment for StoreOnce Backup systems with two Fibre Channel cards	41
General Fibre Channel configuration guidelines	42
Switched fabric	42
Direct Attach (private loop)	44
Zoning	44
Use soft zoning for high availability	45
Diagnostic Fibre Channel devices	46
7 Configuring FC to support failover in a StoreOnce B6200 Backup system environment	47
Autonomic failover	47
What happens during autonomic failover?	47
Failover support with backup applications	48
Designing for failover	49
Key Failover FC zoning considerations	49
Fibre channel port presentations	50
Scenario 1, single fabric with dual switches, recommended	52
Scenario 2, single fabric with dual switches, not advised	53
Scenario 3, dual fabric with dual switches, recommended	54
What happens if a fabric fails?	55
Scenario 4, dual fabric with dual switches, not advised	56
8 StoreOnce Catalyst stores	58
StoreOnce Catalyst technology	58
Key features	58
StoreOnce interfaces with StoreOnce Catalyst	59
Catalyst Copy	60
Summary of Catalyst best practices	61
StoreOnce Catalyst and the StoreOnce GUI	62
Maximum concurrent jobs and blackout windows	62
Client access permissions	63
More information	64
9 Virtual Tape Devices	65
Overview	65
Tape Library Emulation	65
Emulation types	65
Cartridge sizing	66
Number of libraries per appliance	66
Backup application and configuration	66
Blocksize and transfer size	66
Rotation schemes and retention policy	67
Retention policy	67
Rotation scheme	67
Summary of VTL best practices	68
10 NAS shares	70
Operating system support	70
Backup application support	70
Shares and deduplication stores	70
Maximum concurrently open files	71
Maximum number of NAS shares	71
Maximum number of files per NAS share and appliance	71
Maximum number of users per CIFS share	72
Maximum number of hosts per NFS share	72
CIFS share authentication	72
Backup application configuration	72
Backup file size	73
Disk space pre-allocation	74
Block/transfer size	74
Concurrent operations	74
Buffering	74
Overwrite versus append	74
Compression and encryption	75
Verify	75
Synthetic full backups	75
Summary of NAS best practices	75
11 Replication	77
What is replication?	77
StoreOnce VTL and NAS replication overview	78
Replication usage models (VTL and NAS)	78
What to replicate	81
Appliance library and share replication fan in/fan out	82
Concurrent replication jobs	82
Apparent replication throughput	82
What actually happens in replication?	83
Limiting replication concurrency	83
WAN link sizing	83
Seeding and why it is required	84
Replication models and seeding	85
Controlling Replication	86
Replication blackout windows	87
Replication bandwidth limiting	87
Source appliance permissions	88
12 Seeding methods in more detail	89
Seeding over a WAN link	89
Co-location (seed over LAN)	92
Floating StoreOnce seeding	94
Seeding using physical tape or portable disk drive	95
13 Implementing replication with the HP B6200 Backup system	98
Active/Passive and Active/Active configurations	98
Many to One configurations	102
Implementing floating StoreOnce seeding	102
Balancing Many-to-One replication	103
Replication and load balancing	104
14 Housekeeping	106
Housekeeping Blackout window	106
Tuning housekeeping using the StoreOnce GUI	106
15 Tape Offload	109
Terminology	109
Direct Tape Offload	109
Backup application Tape Offload/Copy from StoreOnce Backup system	109
Backup application Mirrored Backup from Data Source	109
Tape Offload/Copy from StoreOnce Backup system versus Mirrored Backup from Data Source	110
When is Tape Offload required?	110
Catalyst device types	110
VTL and NAS device types	111
HP StoreOnce Optimum Configuration for Tape Offload	112
Offload Considerations	112
VTL Cloning/Media Copy to Physical Tape	112
HP StoreEver Tape Libraries	113
Backup Application	113
HP StoreOnce Optimum Tape Offload Configuration	113
16 Key parameters	115
StoreOnce B6200 Backup	115
StoreOnce 2700, 4500 and 4700 Backup	116
StoreOnce 2610/2620, 4210/4220 and 4420/4430 Backup	117
About this guide	120
Intended audience	120
Related documentation	120
Document conventions and symbols	120
HP technical support	121
HP websites	121

Match case Limit results 1 per page

Types of licensing

There are two types of licensing:

•

Full license (not time limited)

•

Instant on (time limited to 90 days): This allows you to try out licensable functionality on

StoreOnce hardware products before paying for a full license for features such as Replication

Target, Catalyst, or the Security features of Data at Rest Encryption and Secure Erase. For

more information on applying this type of license, see the

HP StoreOnce backup system

Installation and Configuration guide

and the

HP StoreOnce Backup system CLI Reference

Guide

Security Features

The HP StoreOnce backup system offers two security features that can be applied using a Security

license: Data at Rest Encryption and Secure Erase.

Data at Rest Encryption

When enabled, the Data at Rest Encryption security feature protects data at rest on a stolen,

discarded, or replaced disk from forensic attack. Data encryption is only available on Catalyst

and VTL devices.

When you create a new store or library (VTL or Catalyst), you have the option to enable encryption

if the security features license has already been applied. Once enabled, encryption will automatically

be performed on the data before it is written to disk. Encryption cannot be disabled once it has

been set for a library or Catalyst store.

When you create an encrypted store or library, the key store is updated with the encryption key.

This keystore may be backed up and saved securely offsite in case the original key store is corrupted.

However, be sure to keep only the latest version of the key store as a backup; the key store on the

StoreOnce Backup system is updated each time you create a library or Catalyst store. The StoreOnce

CLI command that backs up the key store also encrypts it, ensuring that it can only be decrypted

by the HP StoreOnce backup system, should you need to restore it. Be very diligent about backing

up your keystore if you are creating encrypted stores or libraries! See the

HP StoreOnce Backup

system CLI Reference Guide

for more information about the StoreOnce CLI commands for backing

up and restoring key stores.

NOTE:

Each library or Catalysts store configured will use a different key. The StoreOnce software

automatically tracks which key is relevant to which device in the Key Store File. Keys are

automatically re-applied to the right device if the key store file is restored.

IMPORTANT:

B6200 systems: Every time that you expand storage by adding a couplet, you will

need to restore your keystore. Installing the additional couplet is an HP Support task, but you are

responsible for ensuring that a Security license has been installed for the new couplet and saving

the existing keystore.

Secure erase

Secure Erase can be enabled for all store types. When enabled, this feature allows you to securely

erase data that has been backed up as part of a regular backup job. The Secure Erase feature

can only be enabled after store or library creation (edit the store or library to enable Secure Erase).

All data written to disk once secure erase is enabled will be securely erased upon data deletion.

For example, you may have unintentionally backed up confidential data and need to be sure that

it has been securely erased. You must work with your backup application to trigger the secure

erase, for example by forcing a format of a cartridge. The backup application sends the request

to delete the data and the deletion is carried out as part of the Housekeeping function.

Before you start