Now that laws in many states may require customers to issue a public notice if personally identifiable information (like Social Security and credit card numbers) is contained on lost and unencrypted backup tapes, prudence dictates that all tapes shipped offsite should be encrypted.
Luckily, encrypting data as it's written to tape has never been easier. The current versions of most backup applications support tape encryption, as do the new LTO-4 tape drives. Encrypting data is compute-intensive and will slow down the backup process, so you may want to recommend dedicated encryption appliances from Neoscale or Decru, which can encrypt data at 2 Gbps or better. Another point to bear in mind is that encrypted data is essentially incompressible. So if you're encrypting data in software or an appliance, the data reaches your tape drives already encrypted, and the drives won't be able to compress it.
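The compression point can be measured directly. The following is an added example, not part of the original article: it compresses a constructed backup sample before and after encryption, and goes one step beyond the text by also showing the reverse order (compress first, then encrypt). The XOR keystream cipher is a standard-library stand-in for a real cipher such as AES, and all names and sample data are assumptions.

```python
import hashlib
import zlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for this demo only: XOR with a SHA-256 counter keystream.
    Assumption: chosen so the example needs no third-party library; real backup
    software, appliances and drives use a vetted cipher such as AES."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)

def ratio(original: bytes, stored: bytes) -> float:
    """Compression ratio as original size divided by size written to tape."""
    return len(original) / len(stored)

def compare_orders(backup: bytes, key: bytes) -> dict:
    """Measure what reaches the tape for each ordering of the two steps."""
    plain_compressed = zlib.compress(backup, 9)
    # Software or appliance encrypts first; zlib stands in for drive compression.
    encrypted_then_compressed = zlib.compress(keystream_xor(key, backup), 9)
    # Reverse order: compress the plaintext, then encrypt the compressed stream.
    compressed_then_encrypted = keystream_xor(key, plain_compressed)
    return {
        "plain_compressed": ratio(backup, plain_compressed),
        "encrypt_then_compress": ratio(backup, encrypted_then_compressed),
        "compress_then_encrypt": ratio(backup, compressed_then_encrypted),
    }

# Constructed sample: repetitive, record-like data with dummy identifiers.
SAMPLE = b"".join(
    b"%06d,Jane Doe,000-00-0000,4111111111111111\n" % i for i in range(5000)
)
KEY = b"constructed-demo-key"  # constructed value, not a real key

if __name__ == "__main__":
    for name, r in compare_orders(SAMPLE, KEY).items():
        print(f"{name:24s} {r:6.2f}:1")
```

When sizing tape capacity for a customer who encrypts before the drive, plan on native capacity rather than the compressed figure.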
The real problem isn't encrypting data as it's written to tape. It's making sure the right decryption key is available when you need to read an encrypted tape. For small shops, it's relatively simple to use a single encryption key for all tapes. Whatever device or software you use will store the key and ensure you can read the tapes. Make sure that the encryption key is exported to one or more external USB keys or CDs that are stored offsite and separately from the backup tapes, so you can retrieve it in an emergency. Larger organizations that need to compartmentalize data will need an enterprise key management solution like those from Decru, Neoscale and SpectraLogic.
This was first published in November 2007