6

How to use AES hardware encryption of LTO tape drives on Linux?

I expect the LTO AES encryption to be faster than software solutions. A quick benchmark of aespipe on i7 CPU gives an impression on the effect of software AES

Without AES:

$ cat /dev/zero |  pipebench > /dev/null 
Summary:                                                                       
Piped   16.53 GB in 00h00m03.41s:    4.84 GB/second

With AES pipe (probably not the fastest...)

$ cat /dev/zero |  aespipe | pipebench > /dev/null 
Password: 
Summary:                                                                       
Piped    2.73 GB in 00h00m18.27s:  153.43 MB/second
Jonas Stein
  • 3,898
  • 4
  • 34
  • 55

1 Answers1

1

I have tested stenc as suggested by sendmoreinfo and it worked well with the LTO-6 drive.

Usage:

Insert a tape and ask the tape drive about its settings:

# stenc -f /dev/nst0 --detail

Generate your 256 bit key and store it:

# stenc -g 256 -k /root/myaes.key -kd Bobs_month_key

Load the key in the LTO tape drive. With --ckod it will forget the key after tape eject.

# stenc -f /dev/nst0 -e on -k /root/myaes.key -a 1 --ckod

Verify that the drive enabled AES now:

# stenc -f /dev/nst0 --detail
Status for /dev/nst0
--------------------------------------------------
Device Mfg:              TANDBERG
Product ID:              LTO-6 HH        
Product Revision:        3519
Drive Encryption:        on
Drive Output:            Decrypting
                         Unencrypted data not outputted
Drive Input:             Encrypting
                         Protecting from raw read
Key Instance Counter:    4
Encryption Algorithm:    1
Drive Key Desc.(uKAD):   Bobs_month_key
Volume Encryption:       Encrypted and able to decrypt
                         Protected from raw read
Volume Algorithm:        1

I have prepared a package for Gentoo Linux.

Jonas Stein
  • 3,898
  • 4
  • 34
  • 55