This topic describes data encryption using the 3592-C07 controller and TS1120 and later tape drives.
Data is one of the most highly valued resources in a competitive
business environment. Protecting that data, controlling access to
it, and verifying its authenticity while maintaining its availability
are priorities in our security-conscious world. Data encryption is
a tool that answers many of these needs.
The IBM® System Storage™ TS1120 and later tape drives, together
with the 3592-C07 controller,
are capable of encrypting data as it is written to any compatible
size IBM 3592 Tape Cartridge,
including write-once, read-many (WORM) cartridges. This capability
adds a strong measure of security to stored data without the processing
overhead and performance degradation associated with encryption performed
on the server or the expense of a dedicated appliance. Encryption
is performed at full line speed in the tape drive after compression.
(Compression is more efficiently done before encryption.)
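
The ordering described above (compress first, then encrypt) can be checked with a short added example; it is not IBM code and does not model the drive's hardware. The keystream cipher is a toy stand-in for whatever cipher the drive uses, and the sample data, key, and function names are all constructed for illustration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption, illustration only): XOR the data with
    SHA-256(key || block counter). Applying it twice restores the input."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """Order the page describes: compression runs on the plaintext."""
    return keystream_xor(key, zlib.compress(data, 6))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """Reversed order: the compressor only ever sees ciphertext."""
    return zlib.compress(keystream_xor(key, data), 6)


def read_back(key: bytes, stored: bytes) -> bytes:
    """Undo compress_then_encrypt: decrypt first, then decompress."""
    return zlib.decompress(keystream_xor(key, stored))


# Constructed sample: repetitive, log-like records such as a backup stream.
SAMPLE = b"".join(
    b"2024-01-01 host%03d backup job %06d completed rc=0\n" % (i % 7, i)
    for i in range(4000)
)
KEY = b"constructed-demo-key"  # constructed value, not a real key


def stored_ratios() -> tuple:
    """Return (compress-then-encrypt, encrypt-then-compress) stored size
    as a fraction of the original size."""
    n = len(SAMPLE)
    return (len(compress_then_encrypt(KEY, SAMPLE)) / n,
            len(encrypt_then_compress(KEY, SAMPLE)) / n)


if __name__ == "__main__":
    good, bad = stored_ratios()
    print(f"compress-then-encrypt: {good:.1%} of original size")
    print(f"encrypt-then-compress: {bad:.1%} of original size")
```

Ciphertext is statistically close to random, so a compressor placed after encryption finds no redundancy to remove and the stored size does not shrink.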
The following three major elements comprise the tape drive encryption
solution:
- The encryption-enabled tape drive
- All TS1140 and TS1130 tape drives are encryption-capable.
All TS1120 tape drives with feature code 5592 or 9592 are encryption-capable.
This means that they are functionally capable of performing hardware
encryption, but this capability has not yet been activated. In order
to perform hardware encryption, the tape drives must be encryption-enabled.
In an IBM System Storage TS3500 Tape Library, TS1120 and later tape drives can be
encryption-enabled through the IBM System Storage Tape Library
Specialist web interface.
Note: When a TS1120 or later tape drive
is attached to a 3592-C07 controller,
the tape drive must be encryption-enabled for system-managed encryption. This
applies even when encryption is not being used by the host.
When TS1120 and later tape drives are attached
to a 3592-C07,
this process consists of having an IBM service support representative (SSR) set
up the drive as encryption-enabled. Only encryption-enabled TS1120 and later tape drives can be
used to read and write encrypted 3592 tape cartridges.
- Encryption key management
- Encryption involves the use of several kinds of keys, in successive
layers. How these keys are generated, maintained, controlled, and
transmitted depends upon the operating environment where the encrypting
tape drive is installed. Some applications, such as Tivoli® Storage Manager, are capable of performing
key management. For environments without such applications or those
where application-independent encryption is desired, IBM offers an encryption
key server (such as
the IBM Encryption Key Manager
component for the Java™ platform,
the Tivoli Key Lifecycle
Manager, or the IBM Security
Key Lifecycle Manager for z/OS®).
See Encryption key management for more information.
- Encryption policy
- This is the method used to implement encryption. It includes the
rules that govern which volumes are encrypted and the mechanism for
key selection. How and where these rules are set up depends on the
operating environment. See Encryption key management for
more information.
Note: In the tape storage environment, the encryption
function on tape drives (desktop, stand-alone and within libraries)
is configured and managed by the customer and not the SSR. In some
instances an SSR is required to enable encryption at a hardware level
when service access or service password controlled access is required.
Customer setup support is provided by a Field Technical Sales Specialist (FTSS),
customer documentation, and software support for encryption software
problems. Customer "how to" support is also provided to customers
who have a support line contract.