can't enable LTO hardware encryption

Does anyone have tape drive hardware encryption working on FreeBSD?

I have an HP LTO-5 tape drive. Unencrypted read/writes and toggling compression with mt works, but enabling encryption doesn't. I compiled stenc, which does have ifdef's for FreeBSD sg, but no matter what I try I get either an error for 0x19 or 0x16 from ioctl ("inappropriate ioctl for device") when I try to set a key. I've tried 128 and 256 bits, with and without -a 1 (key index). I've tried various devices, including /dev/sa0, nsa0, sa0.ctl, and /dev/pass0 (which says I don't have permission, despite the fact I'm root - no jails or anything funny). sg_logs -a /dev/sa0 works fine.


(Unrelated note to others who find this in search: you must manually enable the drive's write buffer every power cycle, and possibly after running sg* tools, with this command: camcontrol cmd /dev/nsa0 -c '15 10 00 00 04 00' -o 4 '0 0 10 0' -- or write performance is terrible and it will shoe shine.)
 
The problem was GENERIC kernels don't include SCSI sg device! You have to build your own kernel. Follow the kernel build guide, copy GENERIC to MYKERNEL, add to the end of the file this line (without quotes of course): "device sg", build and install.

Then you can run camcontrol devlist to find the /dev/sg[0-9]+ file for your tape drive. Then stenc -f /dev/sg[0-9] works. For my HP drive -a 1 is necessary to set the encryption key.
 
sg seems to be there for Linux compatibility. The top of /usr/src/sys/cam/scsi/scsi_sg.c says "This driver is meant to implement the Linux * SG passthrough interface for SCSI."

The FreeBSD native method would be a pass(4) device. You should get one automatically when your tape drive is identified:
Code:
<IBM ULTRIUM-HH4 G361>             at scbus14 target 7 lun 0 (pass4,sa0)
 
I'm also trying to get hardware tape encryption to work in FreeBSD (13.1). Could you advise with instructions on how to compile 'stenc' for FreeBSD? How would one use the pass device described in Terry_Kennedy's post?
 
If you're asking how to find which passN device is your tape drive, do a # camcontrol devlist

Depending on the card and driver you have, you may need to do something "special" to get the /dev/passN devices to appear. If the drive is behind a RAID controller, you're probably out of luck.

Here's an example from one of my systems:
Code:
(0:1) host:/usr/terry# camcontrol devlist
<SEAGATE ST3300657SS-H EH04>       at scbus0 target 0 lun 0 (pass0)
<SEAGATE ST3300657SS-H EH04>       at scbus0 target 1 lun 0 (pass1)
<SEAGATE ST32000444SS KS6B>        at scbus0 target 2 lun 0 (pass2)
<SEAGATE ST32000444SS KS6B>        at scbus0 target 3 lun 0 (pass3)
<SEAGATE ST32000444SS KS6B>        at scbus0 target 4 lun 0 (pass4)
<SEAGATE ST32000444SS KS6B>        at scbus0 target 5 lun 0 (pass5)
<DP BACKPLANE 1.10>                at scbus0 target 32 lun 0 (pass6,ses0)
<IBM ULT3580-HH4 G361>             at scbus1 target 10 lun 0 (sa0,pass7)
<IBM 3573-TL F.11>                 at scbus1 target 10 lun 1 (pass8,ch0)
<IBM ULT3580-TD3 93GP>             at scbus2 target 4 lun 0 (sa1,pass9)
<IBM 3573-TL F.11>                 at scbus2 target 4 lun 1 (pass10,ch1)
<TEAC DVD-ROM DV-28SW R.2A>        at scbus5 target 0 lun 0 (cd0,pass11)
The IBM devices are 2 tape drives and their associated robot libraries.
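
Added example (not part of the original post): a small sh/awk helper that pairs each sa(4) tape device with its pass(4) node from `camcontrol devlist` output. The pass number is unrelated to the sa number and the two names appear in either order inside the parentheses, as the listings in this thread show; the function names and the embedded sample (lines copied from those listings, taken from different hosts) are this example's own.

```shell
#!/bin/sh
# Map every tape drive (saN) to its passthrough node (passM).
# Real use on FreeBSD:  camcontrol devlist | tape_pass_map

tape_pass_map() {
    awk '
    # Expected shape: <VENDOR MODEL REV>  at scbusN target T lun L (periph,periph)
    /^<.*>[ \t]+at scbus/ {
        # Inquiry string between the angle brackets.
        desc = $0
        sub(/^</, "", desc); sub(/>.*/, "", desc)
        # Peripheral names inside the last pair of parentheses.
        periphs = $0
        sub(/.*\(/, "", periphs); sub(/\).*/, "", periphs)
        n = split(periphs, p, ",")
        sa = ""; pass = ""
        for (i = 1; i <= n; i++) {
            if (p[i] ~ /^sa[0-9]+$/)   sa = p[i]     # tape driver attached
            if (p[i] ~ /^pass[0-9]+$/) pass = p[i]   # passthrough node
        }
        # Disks, changers (chN) and enclosures (sesN) have no saN: skip them.
        if (sa != "" && pass != "")
            printf "/dev/%s /dev/%s %s\n", sa, pass, desc
    }'
}

# Sample input: lines copied from the listings in this thread (several hosts).
sample_devlist() {
    cat <<'EOF'
<SEAGATE ST32000444SS KS6B>        at scbus0 target 5 lun 0 (pass5)
<DP BACKPLANE 1.10>                at scbus0 target 32 lun 0 (pass6,ses0)
<IBM ULT3580-HH4 G361>             at scbus1 target 10 lun 0 (sa0,pass7)
<IBM 3573-TL F.11>                 at scbus1 target 10 lun 1 (pass8,ch0)
<IBM ULT3580-TD3 93GP>             at scbus2 target 4 lun 0 (sa1,pass9)
<IBM ULTRIUM-HH4 G361>             at scbus14 target 7 lun 0 (pass4,sa0)
EOF
}

# Stand-alone run on the sample; prints one line per tape drive.
sample_devlist | tape_pass_map
```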
 
Thanks, it looks like it is pass6 on my system:
<HP Ultrium 4-SCSI U57D> at scbus1 target 0 lun 0 (sa0,pass6)

I'm not sure how to use it, though. I can make normal backups using something like tar cvf /dev/nsa0 /mnt/somedir/, is it as simple as changing the target to /dev/pass6? I assume I'd need to set a key somehow.
 