Backing up the Encryption Key Manager

Hardware tape encryption uses tape devices with data encryption capabilities and the IBM® Encryption Key Manager (EKM) to encrypt your data. Use these steps to back up and restore the EKM. If you lose the encryption keys in the EKM, you will not be able to decrypt your tapes in a system recovery.

The EKM is a Java™ software program that assists IBM encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys that are used to encrypt information being written to, and decrypt information being read from, tape media. EKM operates on i5/OS, and many other system platforms. EKM can serve numerous IBM encrypting tape drives, regardless of where those drives reside. EKM uses a keystore to hold the certificates and keys required for all encryption tasks. You can have multiple copies of the EKM on the network.

The EKM uses the following method to handle save requests.

The tape library receives a save request with a volume serial that is marked for encryption.
The tape library asks EKM to generate a random data key.
The EKM generates the data key for this tape. This data key is used to encrypt the data.
EKM uses the public key to encrypt the data key that is ready to be stored on the tape.
The tape library writes the encrypted data key on the cartridge in both the cartridge memory and on the tape.
The tape library uses the session key to encrypt the data as it writes it to the tape.

During a restore, the EKM decrypts the key using the public/private pair. The library uses the data key to decrypt the data as it reads it from the tape.

Important: Due to the critical nature of the keys in your keystore, it is highly recommended that you back up this data so that you can recover it as needed, and be able to read the tapes that were encrypted using those certificates associated with that tape drive or library.

Use any of the following methods to back up this keystore information in the EKM:

Keep a copy of all certificates loaded in the keystore.
Use system backup capabilities, such as save/restore commands or BRMS commands, to create a backup copy of this keystore information. Be careful not to encrypt this copy using the encrypting tape drives, as it would be impossible to decrypt it for recovery.
Maintain a primary and secondary EKM and keystore copy for backup, as well as for high availability. You can have two EKMs that are mirror images of each other with built-in backup of the critical keystore information, as well as a failover if an EKM becomes unavailable. When you configure your tape device, you can point it to two EKMs. If one EKM becomes unavailable for any reason, your device will use the alternate EKM.
If you are using a JCEKS (UNIX System Services file-based) keystore, copy the keystore file and store the clear (unencrypted) copy in a secure location, such as a vault. Be careful not to encrypt this copy using the encrypting tape drives, as it would be impossible to decrypt it for recovery.

It is important to test your recovery strategy carefully. At the primary site, run multiple EKM servers so that backups can continue to run while one EKM server is down. Export and synchronize keys on all EKM servers each time the keys change. Keep an offsite backup of EKM. At the disaster recovery site, have an encryption-capable tape drive or library with access to the EKM server. Do not encrypt the EKM server. Run EKM on a system or logical partition where none of the save operations are encrypted.