NetWorker: LTO Hardware Encryption

Summary: This Article describes Linear Tape Open (LTO) tape technology and its features since version 4.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

What causes the encryption management to fail is the responsibility of the encryption key manager. When working correctly this is entirely transparent to NetWorker. The Encryption Manager vendor should be contacted for assistance to allow all nodes access to the appropriate encryption keys.
 
  • Failures mounting, reading, recovering, or writing tapes
  • Able to label tapes, but unable to complete writes to them
  • Volumes may be read by some Storage Nodes, but not others
  • Error running scanner on tapes: 8945:scanner: read: -1 bytes

Cause

  • LTO-4 and higher includes hardware encryption which requires software to manage the encryption keys used to protect the data on the tapes (For example: Dell / IBM Encryption Key Manager and SUN Key Management Services).
  • If there is an issue with drives receiving the correct keys on-demand, the data will NOT be decrypted for NetWorker as it attempts to read the data (including simple reads on mount to reposition for writes, or label verification) leading to unpredictable failure messages for any read operation (which may also precede write operations).
  • This can be caused by access issues to the key manager software, misconfiguration of the software or devices, or firmware issues with the devices themselves. In all cases, encryption management is outside NetWorker's scope, and if functioning properly, should be invisible to the application.

Resolution

Despite its effect on NetWorker, this is not a NetWorker resolvable issue. Failure of the encryption components will result in different types of volume access failures for NetWorker, since the Storage Node can no longer read even label or block header data. When encryption and decryption is working due to proper key management, it is transparent to NetWorker.

To disprove NetWorker involvement, disable the encryption component entirely and label / write a fresh scratch tape.

Key Managers may be configured to provide keys to different hosts and drives and for different barcodes, but the nuances of Key Manager failures should be addressed with that software's support.

Affected Products

NetWorker
Article Properties
Article Number: 000015870
Article Type: Solution
Last Modified: 23 Mar 2026
Version:  5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.