Library-managed tape encryption

Library-managed tape encryption is described.

This method is best for tape drives in an open-attached IBM® tape library. TS1120 and TS1130 tape drives can attach to an IBM TS3400, TS3500, or IBM 3494 tape library. E07 and E08 tape drives can attach to TS3500 libraries. EH7, EH8, 55F, and 60F tape drives can attach to TS4500 libraries. For TS3500 and TS4500 tape library attachment, bar code encryption policies can be used to specify when to use encryption, and are set up through the IBM Tape Library Specialist web interface. In such cases, policies are based on cartridge volume serial numbers.

Library-managed encryption also allows other options, such as encryption of all volumes in a library, independent of bar codes. Key generation and management are completed by the encryption key server. Policy control and keys pass through the library-to-drive interface. Therefore, encryption is not apparent to the applications.

Library-managed encryption, when used with certain applications such as Symantec NetBackup™ or EMC Legato NetWorker, includes support for an internal label option. When the internal label option is configured, the TS1120 and later tape drives automatically derive the encryption policy and key information from the metadata that is written on the tape volume by the application. Refer to your Tape Library Operator's Guide for information.

Note: If you use library-managed encryption and IBM tape and changer drivers that are running on Open Systems platforms (AIX®, HP-UX, Linux®, Solaris, Windows), information for bulk rekey is available in the IBM Tape Device Drivers Installation and User's Guide, GC27-2130, available at the IBM Support Portal.

System-managed tape encryption and library-managed tape encryption interoperate with one another. That is, a tape encrypted with system-managed encryption can be decrypted with library-managed encryption, and the other way around, provided they both have access to the same keys and certificates. Otherwise, this interoperation is not feasible.