Other can't enable LTO hardware encryption

Does anyone have tape drive hardware encryption working on FreeBSD?

I have an HP LTO-5 tape drive. Unencrypted read/writes and toggling compression with mt works, but enabling encryption doesn't. I compiled stenc, which does have ifdef's for FreeBSD sg, but no matter what I try I get either an error for 0x19 or 0x16 from ioctl ("inappropriate ioctl for device") when I try to set a key. I've tried 128 and 256 bits, with and without -a 1 (key index). I've tried various devices, including /dev/sa0, nsa0, sa0.ctl, and /dev/pass0 (which says I don't have permission, despite the fact I'm root - no jails or anything funny). sg_logs -a /dev/sa0 works fine.


(Unrelated note to others who find this in search: you must manually enable the drive's write buffer every power cycle, and possibly after running any sg* tools, with this command: camcontrol cmd /dev/nsa0 -c '15 10 00 00 04 00' -o 4 '0 0 10 0' -- or write performance is terrible and it will shoe shine.)
 
The problem was GENERIC kernels don't include SCSI sg device! You have to build your own kernel. Follow the kernel build guide, copy GENERIC to MYKERNEL, add to the end of the file this line (without quotes of course): "device sg", build and install.

Then you can run camcontrol devlist to find the /dev/sg[0-9]+ file for your tape drive. Then stenc -f /dev/sg[0-9] works. For my HP drive -a 1 is necessary to set the encryption key.
 
sg seems to be there for Linux compatibility. The top of /usr/src/sys/cam/scsi/scsi_sg.c says "This driver is meant to implement the Linux * SG passthrough interface for SCSI."

The FreeBSD native method would be a pass(4) device. You should get one automatically when your tape drive is identified:
Code:
<IBM ULTRIUM-HH4 G361>             at scbus14 target 7 lun 0 (pass4,sa0)
 
I'm also trying to get hardware tape encryption to work in FreeBSD (13.1). Could you advise with instructions on how to compile 'stenc' for FreeBSD? How would one use the pass device described in Terry_Kennedy's post?
 
If you're asking how to find which passN device is your tape drive, do a # camcontrol devlist

Depending on the card and driver you have, you may need to do something "special" to get the /dev/passN devices to appear. If the drive is behind a RAID controller, you're probably out of luck.

Here's an example from one of my systems:
Code:
(0:1) host:/usr/terry# camcontrol devlist
<SEAGATE ST3300657SS-H EH04>       at scbus0 target 0 lun 0 (pass0)
<SEAGATE ST3300657SS-H EH04>       at scbus0 target 1 lun 0 (pass1)
<SEAGATE ST32000444SS KS6B>        at scbus0 target 2 lun 0 (pass2)
<SEAGATE ST32000444SS KS6B>        at scbus0 target 3 lun 0 (pass3)
<SEAGATE ST32000444SS KS6B>        at scbus0 target 4 lun 0 (pass4)
<SEAGATE ST32000444SS KS6B>        at scbus0 target 5 lun 0 (pass5)
<DP BACKPLANE 1.10>                at scbus0 target 32 lun 0 (pass6,ses0)
<IBM ULT3580-HH4 G361>             at scbus1 target 10 lun 0 (sa0,pass7)
<IBM 3573-TL F.11>                 at scbus1 target 10 lun 1 (pass8,ch0)
<IBM ULT3580-TD3 93GP>             at scbus2 target 4 lun 0 (sa1,pass9)
<IBM 3573-TL F.11>                 at scbus2 target 4 lun 1 (pass10,ch1)
<TEAC DVD-ROM DV-28SW R.2A>        at scbus5 target 0 lun 0 (cd0,pass11)
The IBM devices are 2 tape drives and their associated robot libraries.
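
An added example, not part of the original post: a small sh/awk helper that picks the tape drives out of `camcontrol devlist` output and pairs each saN with its passN, whichever order the two names are listed in. The function names (`sample_devlist`, `tape_devices`, `pass_for`) are hypothetical, and the sample listing is constructed, modelled on the listings in this thread.

```shell
#!/bin/sh
# Added example: map sa(4) tape drives to their pass(4) devices.

# Constructed sample input, modelled on the devlist output in this thread.
sample_devlist() {
cat <<'EOF'
<SEAGATE ST3300657SS-H EH04>       at scbus0 target 0 lun 0 (pass0)
<DP BACKPLANE 1.10>                at scbus0 target 32 lun 0 (pass6,ses0)
<IBM ULT3580-HH4 G361>             at scbus1 target 10 lun 0 (sa0,pass7)
<IBM 3573-TL F.11>                 at scbus1 target 10 lun 1 (pass8,ch0)
<IBM ULT3580-TD3 93GP>             at scbus2 target 4 lun 0 (pass9,sa1)
<TEAC DVD-ROM DV-28SW R.2A>        at scbus5 target 0 lun 0 (cd0,pass11)
EOF
}

# Read devlist output on stdin; print "saN passM model" per tape drive.
# Changers (chN), disks and enclosures are skipped: only saN entries count.
tape_devices() {
    awk '
    {
        sub(/[ \t]+$/, "")                        # drop trailing blanks
        if (!match($0, /<[^>]*>/)) next           # "<vendor model rev>"
        model = substr($0, RSTART + 1, RLENGTH - 2)
        if (!match($0, /\([^()]*\)$/)) next       # "(sa0,pass7)" at line end
        n = split(substr($0, RSTART + 1, RLENGTH - 2), p, ",")
        sa = ""; pass = ""
        for (i = 1; i <= n; i++) {
            if (p[i] ~ /^sa[0-9]+$/) sa = p[i]
            else if (p[i] ~ /^pass[0-9]+$/) pass = p[i]
        }
        if (sa != "") print sa, (pass != "" ? pass : "-"), model
    }'
}

# Print the passN device for one saN name; non-zero exit if it is not a tape.
pass_for() {
    tape_devices | awk -v want="$1" \
        '$1 == want { print $2; found = 1 } END { exit !found }'
}

# On FreeBSD use the real listing; elsewhere fall back to the sample.
if command -v camcontrol >/dev/null 2>&1; then
    camcontrol devlist | tape_devices
else
    sample_devlist | tape_devices
fi
```
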
 
Thanks, it looks like it is pass6 on my system:
<HP Ultrium 4-SCSI U57D> at scbus1 target 0 lun 0 (sa0,pass6)

I'm not sure how to use it, though. I can make normal backups using something like tar cvf /dev/nsa0 /mnt/somedir/, is it as simple as changing the target to /dev/pass6? I assume I'd need to set a key somehow.
 
I am very keen to hear if anyone knows the answer to this question.

Thank you.
 
Hi,
I cannot test stenc with an HP tape drive on FreeBSD (LTFS doesn't work with HP drives on FreeBSD).

But I can confirm that stenc and LTFS work with IBM tape drives on 14.0-RELEASE
(in the example below there is no need to use pass0; it works well with sa0).
Bash:
root@bsd:/ # camcontrol devlist
<IBM HH LTO Gen 6 J451>            at scbus0 target 1 lun 0 (sa0,pass0)

root@bsd:/ # stenc -f /dev/sa0 -e on -k yoursecret.key -a 1 --ckod
Decrypt mode not specified, using decrypt = on
Changing encryption settings for device /dev/sa0...
Success! See system logs for a key change audit log.

root@bsd:/ # stenc
Status for /dev/nsa0 (IBM HH LTO Gen 6 J451)
--------------------------------------------------
Reading:                         Decrypting (AES-256-GCM-128)
                                 Unencrypted blocks not readable
Writing:                         Encrypting (AES-256-GCM-128)
Key instance counter:            1
Drive key desc. (U-KAD):         Yoursecretkey
Current block status:            Encrypted and able to decrypt (AES-256-GCM-128)
Supported algorithms:
1    AES-256-GCM-128
     Key descriptors allowed, maximum 32 bytes
     Raw decryption mode allowed, raw read enabled by default
2    AES-256-GCM-128
     Key descriptors allowed, maximum 32 bytes
     Raw decryption mode allowed, raw read enabled by default
3    AES-256-GCM-128
     Key descriptors allowed, maximum 32 bytes
     Raw decryption mode allowed, raw read enabled by default
    
root@bsd:/ # tar cvbf 512 /dev/nsa0 filetobackup.mpg
a filetobackup.mpg
 
Stenc with LTO5 works for me.
There is a unique pattern you need to supply to the command.
Either search this forum for stenc or I will post it later today.

NVM didn't see the last post.
 