Managing encryption

A key manager is a software program that assists IBM® encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys. The encryption keys encrypt information that is being written to tape media (tape and cartridge formats), and decrypt information that is being read from tape media.

IBM currently supports the IBM Security Guardium Key Lifecycle Manager with the tape library.

The key manager is a shared resource that can be deployed in several locations within an enterprise. It can serve numerous IBM encrypting tape drives, regardless of where those drives are installed (for example, in tape library subsystems, connected to mainframe systems through various types of channel connections, or installed in other computing systems).

The key manager uses a key store to hold the certificates and keys (or pointers to the certificates and keys) required for all encryption tasks. Refer to the appropriate documentation for detailed information about the key manager and the key stores it supports.

The following encryption methods are supported:
  • Application-managed encryption (AME): Encryption is controlled by the application that initiates data transfer to tape storage; for example, Tivoli® Spectrum Protect.
  • Library-managed encryption (LME): Encryption is controlled by the IBM Diamondback tape library, which has an internal interface to each tape drive installed in the library.
These methods differ in three ways:
  • Where the encryption policy engine resides
  • Where key management occurs for your encryption solution
  • How the key manager is connected to the drive
Your operating environment determines which method is the best for you.