Managing encryption

This topic describes the encryption key server (EKS) and the three methods for managing encryption.

An encryption key server is a software program that assists IBM® encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys. The keys are used to encrypt information that is written to, and decrypt information that is read from, tape media (tape and cartridge formats). IBM currently supports two encryption key servers: the Tivoli® Key Lifecycle Manager, and IBM Security Key Lifecycle Manager for z/OS®. Throughout the remainder of this publication, the encryption key servers are referred to collectively as "EKS" unless a specific software program is being described. The EKS operates on z/OS, i5/OS, AIX®, Linux®, HP-UX, Sun Solaris, and Windows, and is a shared resource that is deployed in several locations within an enterprise. It can serve numerous IBM encrypting tape drives, regardless of where those drives reside: for example, in tape library subsystems that are connected to mainframe systems through various types of channel connections, or installed in other computing systems.
Note: The Encryption Key Manager for the Java platform can be used on the TS1120 and the TS1130 tape drives. However, it is not supported for TS1140 and later tape drives, and is no longer available for download.

The EKS uses a keystore to hold the certificates and keys (or pointers to the certificates and keys) required for all encryption tasks. Refer to the appropriate EKS documentation for detailed information about the EKS and the keystores it supports.

The EKS acts as a daemon process that awaits key generation or key retrieval requests sent to it through a TCP/IP communication path between the EKS and the tape library, tape controller, tape subsystem, device driver, or tape drive. When a TS1120 or later tape drive writes encrypted data, it first requests an encryption key. Upon receipt of the request, the EKS generates an Advanced Encryption Standard (AES) key and serves it to the tape drive in two protected forms:
  • Encrypted, or wrapped, with Rivest-Shamir-Adleman (RSA) key pairs. The tape drive writes this copy of the key to the cartridge memory and to three additional places on the tape media in the cartridge for redundancy.
  • Separately wrapped for secure transfer to the tape drive where it is unwrapped upon arrival and the key inside is used to encrypt the data that is written to tape.

When an encrypted tape cartridge is read by a TS1120 or later tape drive, the protected AES key on the tape is sent to the EKS, where the wrapped AES key is unwrapped. The AES key is then wrapped with a different key for secure transfer back to the tape drive, where it is unwrapped and used to decrypt the data that is stored on the tape. The EKS also allows protected AES keys to be rewrapped, or rekeyed, with RSA keys other than the ones that were used when the tape was written. Rekeying is useful when an unexpected need arises to export volumes to Business Partners whose public keys were not included. It eliminates the need to rewrite the entire tape and enables a tape cartridge's data key to be re-encrypted with a Business Partner's public key.
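The write, read, and rekey paths described above, modelled as an added Go example (this is not IBM's code or the drive's actual on-cartridge key format; AES-GCM as the data cipher mode, the Cartridge layout, and the function names are assumptions, and the separate per-transfer wrapping between EKS and drive is not modelled). The point it shows is that the cartridge only ever holds the data key wrapped under an RSA public key, so rekeying for a Business Partner rewraps that one small value and leaves the encrypted data untouched:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Cartridge models what the drive records: the payload sealed under an AES data
// key, plus that key wrapped with the EKS's RSA public key (the KEK). Assumed layout.
type Cartridge struct {
	Nonce, Ciphertext []byte // AES-GCM output (GCM is an assumed mode, not the drive's)
	WrappedDataKey    []byte // RSA-OAEP(dataKey), the copy kept in cartridge memory
}
// gcm is the drive-side AEAD for a plaintext data key (helper; mode is assumed).
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
// WriteEncrypted: the EKS generates a fresh AES-256 data key and wraps it with
// the KEK public key; the drive encrypts the payload with the plaintext copy.
func WriteEncrypted(kek *rsa.PublicKey, data []byte) (*Cartridge, error) {
	dataKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(dataKey)
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dataKey, nil)
	return &Cartridge{nonce, gcm(dataKey).Seal(nil, nonce, data, nil), wrapped}, err
}
// ReadEncrypted: the drive hands the wrapped key to the EKS, which unwraps it
// with the KEK private key; the drive then decrypts with the key it gets back.
func ReadEncrypted(kek *rsa.PrivateKey, c *Cartridge) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, c.WrappedDataKey, nil)
	if err != nil {
		return nil, err // wrong KEK: this EKS cannot serve the cartridge's key
	}
	return gcm(dataKey).Open(nil, c.Nonce, c.Ciphertext, nil)
}
// Rekey: unwrap under the original KEK, rewrap under a partner's public key.
// Nonce and ciphertext are carried over untouched, so no data is rewritten.
func Rekey(orig *rsa.PrivateKey, partner *rsa.PublicKey, c *Cartridge) (*Cartridge, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, orig, c.WrappedDataKey, nil)
	if err != nil {
		return nil, err
	}
	rewrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, partner, dataKey, nil)
	return &Cartridge{c.Nonce, c.Ciphertext, rewrapped}, err
}
```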

Three methods of encryption management are available to choose from. These methods differ in where the encryption policy engine resides, where key management is performed, and how the EKS is connected to the drive. Your operating environment determines which is the best for you. Key management and the encryption policy engine can be in any one of the following three environmental layers.

Figure 1. Three possible locations for the encryption policy engine and key management: encryption management at the application, system, or library layer.

Application Layer
    Initiates data transfer for tape storage, for example TSM.
System Layer
    Everything between the application and the tape drives, for example the operating system, z/OS DFSMS, device drivers, and FICON®/ESCON controllers.
Library Layer
    The enclosure for tape storage, such as the IBM TS3500 tape library. A modern tape library contains an internal interface to each tape drive within it.