AES keys and the 3592 tape drive

When a 3592 tape drive writes encrypted data, it first requests an encryption key from IBM® Security Guardium® Key Lifecycle Manager.

On receipt of the request, IBM Security Guardium Key Lifecycle Manager generates an Advanced Encryption Standard (AES) key. The key is served to the tape drive in two protected forms:

  • Encrypted or wrapped, by using Rivest-Shamir-Adleman (RSA) key pairs. 3592 tape drives write this copy of the key to the cartridge memory and extra places on the tape media in the cartridge for redundancy.
  • Separately wrapped for secure transfer to the tape drive where it is unwrapped upon arrival. The key inside is used to encrypt the data that is written to the tape.

When an encrypted tape cartridge is read by a 3592 tape drive, the protected AES key on the tape is sent to IBM Security Guardium Key Lifecycle Manager where the wrapped AES key is unwrapped. The AES key is then wrapped with a different key for secure transfer back to the tape drive. The key is unwrapped and used to decrypt the data that is stored on the tape. IBM Security Guardium Key Lifecycle Manager also allows protected AES keys to be rewrapped, or rekeyed, by using different RSA keys from the original ones that are used when the tape was written. Rekeying is useful when an unexpected need arises to export volumes to business partners whose public keys were not included. It eliminates rewriting the entire tape and enables the data key of a tape cartridge to be re-encrypted with the public key of a business partner.