What could cause a 'sense error' when setting LTO encryption?

Solution 1:

As usual, hours of troubleshooting mean nothing, but posting a question on a public forum immediately reveals the problem.

There's a bug in stenc 1.0.7 which causes a crash if you use --detail on a blank tape. I have tried to contact the author with a fix but can't get hold of him.

It seems that this crash leaves the drive in an inconsistent state, where it refuses to accept further keys. Fixing the bug and then running stenc --detail with no crash seems to have fixed the problem. I can now set any keys any number of times and there have been no further issues.

If anyone else is having the same problem, in stenc-1.0.7/sec/scsiencrypt.cpp at line 176 it says delete status;. You need to add a new line directly below this that reads status=NULL;. This fixes a double-free error causing the crash.

--- a/src/scsiencrypt.cpp
+++ b/src/scsiencrypt.cpp
@@ -174,6 +174,7 @@ SSP_NBES* SSPGetNBES(string tapeDevice,bool retry){
            if(status->nbes.encryptionStatus!=0x01)break;
            if(moves>=MAX_TAPE_READ_BLOCKS)break;
            delete status;
+           status=NULL; //double free bug fix
            if(!moveTape(tapeDevice,1,true))break;
            moves++;
            status=SSPGetNBES(tapeDevice,false);

Solution 2:

Starting with CentOS 7.3 or 7.4 (7.2 works) I encountered another Illegal Request Error that appears randomly when trying to enable encryption.

I figured out that some reserve bits in the SCSI command are not properly initialized. When setting #define DEBUGSCSI one can see that these bits vary on each call.

Add the following memset() in scsiencrypt.cpp to fix it:

SCSIWriteEncryptOptions():

...

  SSP_KAD kad;

=> memset(&kad,0,sizeof(kad));

  kad.type=0x00;

Solution 3:

I spent a day debugging why our Quantum LTO7 HH drive kept giving a Sense error when we were configuring encryption on it using a fully patched stenc 1.0.7, regardless of the options used when uploading it.

Finally, we figured out that in our case, it's because we set a Key Descriptor when generating the key – generating a key using stenc -g 256 -k test.key -kd TESTKEY and then uploading it using stenc -f /dev/nst0 -e on -k test.key -a 1 would fail, while stenc -g 256 -k test.key then uploading using the same command would succeed. Hope this helps somebody!