Choosing or modifying an encryption method
Encryption is managed at the logical library level. All encryption-enabled drives that are assigned to a logical library use the same method of encryption. Enable encryption, or modify the method that is being used, on the Logical Libraries page.
To enable encryption, or modify the method that is being used, select a logical library on the Logical Libraries page. Then select . Choose a method from the Encryption menu on the Modify Encryption Method Window and click Modify .
- Application-managed encryption (AME)
- Use this method if the application generates and manages encryption policies and keys. Applications such as Tivoli® Storage Manager can manage encryption.
- Library-managed encryption (LME) by bar code
-
Use this method to use the default key that is specified by the key manager for all VOLSER
ranges. The encryption policy is specified based on cartridge volume serial numbers.
Note: To modify the behavior for different VOLSER ranges, use the modifyVolserRanges CLI command.
- Library-managed encryption (LME) by internal label selective encryption
-
Use this method if you use Symantec NetBackup or the EMC Legato
NetWorker. This encryption method encrypts cartridges with pool identifiers
from 1500 - 9999 (inclusive), using keys specific to each pool. Labels
for these keys are generated by the tape drive based on the pool identifier.
For instance, key label
INTERNAL_LABEL_NBU_1505_A
would be generated for a cartridge in pool 1505. Go to and click on the Key Label Mapping tab to map these generated labels to the wanted key-encrypting key labels in the keystore of the encryption key manager. All other cartridges remain unencrypted.
Click Ping on the Modify Encryption Method window to test the connection to the encryption key servers if using LME.
To set up or modify the encryption key servers, go to . and click the Encryption Key Servers tab