Encryption overview

IBM tape storage devices include options to encrypt data as it is written to a tape cartridge.

Encryption occurs at full line speed in the tape drive after compression. (Data is compressed before it is encrypted because ciphertext has no redundancy left for the compressor to remove.) This capability adds a strong measure of security to stored data without any host processing overhead or performance degradation.
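The ordering matters because compression works by removing redundancy and ciphertext has none. The following added example (not IBM code; it uses an illustrative SHA-256 counter keystream as a stand-in for the drive's AES engine, and a constructed sample record) shows the size difference between compress-then-encrypt and encrypt-then-compress on the same data.

```python
import hashlib
import os
import zlib

# Constructed sample "tape record": repetitive text, as backup data often is.
SAMPLE_RECORD = b"account=12345;status=active;balance=1000.00;\n" * 2000


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Illustrative stand-in for the drive's AES engine (assumption: toy cipher).

    XORs the data with a SHA-256 counter keystream so the output is
    indistinguishable from random bytes, which is the property that drives
    the size comparison below. Symmetric: calling it twice restores the data.
    Not a production cipher.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def compress_then_encrypt(data: bytes, key: bytes) -> bytes:
    """Order used by the tape drive: compress first, then encrypt."""
    return keystream_encrypt(zlib.compress(data, 9), key)


def decrypt_then_decompress(blob: bytes, key: bytes) -> bytes:
    """Reverse of compress_then_encrypt, as a read from tape would do."""
    return zlib.decompress(keystream_encrypt(blob, key))


def encrypt_then_compress(data: bytes, key: bytes) -> bytes:
    """Wrong order: ciphertext has no redundancy left for the compressor."""
    return zlib.compress(keystream_encrypt(data, key), 9)


def compare_orderings(data: bytes, key: bytes) -> dict:
    """Return the output size of each ordering for the given record."""
    return {
        "plain": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data, key)),
        "encrypt_then_compress": len(encrypt_then_compress(data, key)),
    }


if __name__ == "__main__":
    key = os.urandom(32)  # constructed key for the demo
    for name, size in compare_orderings(SAMPLE_RECORD, key).items():
        print(f"{name:>22}: {size} bytes")
```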

The following elements comprise the encryption solution for tape drives:
The encryption-capable tape drive
Encryption-capable means that the drives are functionally capable of hardware encryption. All tape drives in the tape library are encryption-capable.
Note: Transparent LTO Encryption is standard with the tape library.
Encryption policy
Encryption policy is the method that is used to implement encryption. It includes the rules that govern which volumes are encrypted and the mechanism for key selection. How and where these rules are set up depends on the operating environment.
Encryption policy is managed at the logical library level. The Logical Libraries GUI page is used to enable encryption for a logical library and modify the encryption method that is being used. The Security GUI page is used to manage key servers and key labels.
Note: In the tape storage environment, the customer configures and manages the encryption function on tape drives (desktop, stand-alone, and within libraries). The IBM® System Services Representative (SSR) does not configure or manage the encryption function.

Drive specific details

Data is one of the most highly valued resources in a competitive business environment. Protecting that data, controlling access to it, and verifying its authenticity while its availability is maintained are priorities in our security-conscious world. Data encryption is a tool that answers many of these needs.

This capability adds a strong measure of security to stored data without the processing overhead and performance degradation that is associated with encryption that is completed on the server or at the expense of a dedicated appliance.

Three major elements are available for tape drive encryption.
The encryption-enabled tape drive
All LTO Ultrium 4 and newer tape drives are encryption-capable. All EH7, EH8, 55F, 60F and 70F/70S tape drives are encryption-capable.
To run hardware encryption, the tape drives must be encryption-enabled via the management GUI of your tape system. The 70F/70S tape drive can attach to a C07 Controller.
All LTO Ultrium 4 Tape Drives can be encryption-enabled through the IBM Tape Specialist. However, encryption must be licensed on LTO Ultrium 4 Tape Drives in tape libraries. This license is acquired with feature code 1604 on the TS3500 library or feature code 5900 on other libraries. Refer to your library documentation for information.
Encryption key management
Encryption involves the use of several kinds of keys, in successive layers. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some applications, such as Tivoli® Storage Manager, can run key management. For environments without such applications, or those where application-independent encryption is wanted, IBM offers an encryption key server (such as the Tivoli Key Lifecycle Manager, or the IBM Security Key Lifecycle Manager for z/OS®).
Encryption policy
This is the method that is used to implement encryption. It includes the rules that govern which volumes are encrypted and the mechanism for key selection. How and where these rules are set up depends on the operating environment.
Encryption policy is managed at the logical library level. The Logical Libraries GUI page is used to enable encryption for a logical library and modify the encryption method that is being used. The Security GUI page is used to manage key servers and key labels.
IBM external key management
The Encryption Key Manager can be used on the TS1120 and the TS1130 tape drives. However, it is not supported for TS1140 and later tape drives, and is no longer available for download. If changes to your encryption must be made, consider upgrading to the IBM Security Guardium Key Lifecycle Manager. Another IBM option is IBM Spectrum Protect.
Note: In the tape storage environment, the encryption function on tape drives (desktop, stand-alone, and within libraries) is configured and managed by the customer and not the SSR. In some instances, an SSR is required to enable encryption at a hardware level when service access or service-password-controlled access is required. Customer setup support is provided by the Field Technical Sales Specialist (FTSS), customer documentation, and software support for encryption software problems. Customer how-to support is also provided to customers who have a support line contract.