Tape encryption overview

An introduction to tape encryption with the 3592 tape drives.

Data is one of the most highly valued resources in a competitive business environment. Protecting that data, controlling access to it, and verifying its authenticity while its availability is maintained are priorities in our security-conscious world. Data encryption is a tool that answers many of these needs.

The IBM® TS1120 and later tape drives can encrypt data as it is written to any compatible IBM 3592 tape cartridge, including write-once, read-many (WORM) cartridges. This capability adds a strong measure of security to stored data without the processing overhead and performance degradation that is associated with encryption that is done on the server, and without the expense of a dedicated appliance.

Three major elements are available in the tape drive encryption solution.
The encryption-enabled tape drive
All E05, E06/EU6, E07/EH7, E08/EH8, 55F, and 60F tape drives are encryption-capable. All E05 tape drives with feature code 5592 or 9592 are encryption-capable. They are functionally capable of running hardware encryption, but this capability is not yet activated. To run hardware encryption, the tape drives must be encryption-enabled. In an IBM TS3500 or TS4500 tape library, E05 tape drives and later can be encryption-enabled through the IBM Tape Library Specialist web interface.
Note: When an E05 or later tape drive is attached to a tape controller, the tape drive must be encryption-enabled for system-managed encryption. This statement applies even when encryption is not being used by the host. The E05 and E06/EU6 tape drives can attach to a J70 Controller or C06 Controller. The E07 can attach to the C06 Controller.
Note: Not all E05 drives are encryption-capable. E05 tape drives with the Enc label and all EU6, E06, E07/EH7, E08/EH8, 55F, and 60F tape drives are encryption-capable. E06, E07/EH7, E08/EH8, 55F, and 60F tape drives do not show the letters Enc or include an Enc label, and not all EU6 tape drives do.
When EU5 and later tape drives are attached to a controller, enabling encryption consists of having an IBM System Services Representative (SSR) set up the drive as encryption-enabled. Only encryption-enabled EU5 and later tape drives can be used to read and write encrypted 3592 tape cartridges.
Encryption key management
Encryption involves the use of several kinds of keys, in successive layers. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some applications, such as Tivoli® Storage Manager, can run key management. For environments without such applications or those where application-independent encryption is wanted, IBM offers an encryption key server (such as the Tivoli Key Lifecycle Manager, or the IBM Security Key Lifecycle Manager for z/OS®). Managing encryption describes key management in detail.
Encryption policy
The method that is used to implement encryption. It includes the rules that govern which volumes are encrypted and the mechanism for key selection. How and where these rules are set up depends on the operating environment. See Managing encryption for information.
Note: In the tape storage environment, the encryption function on tape drives (desktop, stand-alone, and within libraries) is configured and managed by the customer and not the SSR. In some instances, an SSR is required to enable encryption at a hardware level when service access or service password controlled access is required. Customer setup support is provided by the Field Technical Sales Specialist (FTSS), customer documentation, and software support for encryption software problems. Customer how-to support is also provided to customers who have a support line contract.