Just finished loading up the tape library for work. 24 Tapes, each 18TB, about 20TB after compression. Makes about 480 TB of storage in there. About the size of 8 Pizza Cartoons. Next Step: Calibrating/Media Init of the tapes, which takes two hours per tape. That's gonna run over the weekend. And monday I can run the script that makes them all automagically encrypted.

All in all, not much work for half a petabyte of backups.

@cult so the data is being written unencrypted, and then encrypted over itself? out of curio, what prevents you from encrypting during initial writes?

@Flonne We don't encrypt writes at all, tape libs use SCSICrypto, so all the encryption is handled at the write head of the tape. All you need to do is give the tape library the encryption key when loading a tape, the rest is entirely transparent. That is sadly the only real way to encrypt tape, as otherwise you loose the compression aspect (which is a main driver for them being so cheap in $/TB and per tape).

The Calibration (also called Media Init, depending on which manual you're reading) I'm running now is just loading a tape for the first time. That takes about 2 hours from the moment I load it until the drive is available again. It doesn't write any data to the tape itself, to my knowledge, merely some metadata about the track alignment and similar to the RFID chip that accompanies every tape.

The encryption step itself will also set some flags on that chip along with a second encryption key. So each tape has it's own unique key derived from the key I gave the tape lib and the key on that chip. And the tape lib will refuse to let me use the tape without the key. Prevents me from doing unencrypted writes by accident (though sadly there isn't any great way to tell with my lib if encryption is happening at all!)

Sign in to participate in the conversation
Manechat on Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!