HP StoreOnce Backup System Linux and UNIX Configuration Guide (BB852-90952)

5 Configuring media servers for Data in Flight Encryption
Introduction
IP packets have no built-in security measures. Anyone with access to the network can read packet
contents and, because there is no integrity check, nothing indicates whether a packet has been viewed
or its content modified in transit. IPsec is an OSI layer 3 protocol that provides encryption and
mutual authentication at the IP address level. The IPsec protocol is supported for data subnet
encryption on all StoreOnce models running StoreOnce software version 3.11.0 or later.
Data in Flight Encryption uses the IPsec protocol to encrypt data at subnet level. It requires you to
pair the IP address of the backup media server with a subnet that is configured on the StoreOnce
Backup system, and then create a rule that ensures the pair communicate only with each other,
authenticated by a password (a pre-shared key) configured within the rule. Configuration on the
StoreOnce Backup system is completed through a single StoreOnce CLI command (the net add encryption
command). This command creates a separate IPsec rule between each IP address in the subnet of the
StoreOnce Backup system and the IP address of the media server. It cannot be configured as part of
the StoreOnce net set config wizard. You must then configure IPsec on the media server that forms
the other half of the pair. A separate rule must be created between the IP address of the media
server and each IP address within the subnet that is configured on the StoreOnce Backup system.
NOTE: Make note of the following:
• On HP StoreOnce 6500 and B6200 Backup systems, the IP address specified for the HP StoreOnce
  Backup system is the Data Path VIF of the service set at which backups are targeted from the
  media server. In the event of failover, the Data Path VIF automatically fails over to the other
  service set in the couplet, and Data in Flight Encryption continues to function normally.
• Backup or restore performance may decrease when Data in Flight Encryption is turned on. The
  amount of decrease depends on the:
  - CPU and memory resources of the backup media servers.
  - Amount of data being transmitted.
• If a Data in Flight Encryption link is to be set up between a backup media server and a
  StoreOnce appliance, it is recommended that:
  - Multiple VLANs be configured between the backup media server and the StoreOnce appliance.
  - A Data in Flight Encryption link be configured within each VLAN, to improve the aggregate
    performance between the backup media server and the StoreOnce appliance.
• Key lifetime settings can affect the performance of Data in Flight Encryption links. If the
  lifetime values are set too low, the resulting frequent rekeying can reduce throughput or even
  cause backup jobs to fail. HP recommends that these values be set high enough to allow backup
  jobs to run to completion while still maintaining the security of the transferred data.
Licensing requirements
To use the IPsec feature, install the StoreOnce Security Pack license first. For multi-node systems,
install one Security Pack license on each couplet in the StoreOnce Backup system cluster.
Configure Linux media servers
IPsec is a point-to-point protocol. The StoreOnce CLI command creates a .conf/.secrets pair
on the StoreOnce Backup system. (It must be applied to each subnet for which you want to configure