AES keys and the LTO tape drive

When an LTO tape drive writes encrypted data, it first requests an encryption key from IBM® Security Guardium® Key Lifecycle Manager.

Upon receipt of the request, IBM Security Guardium Key Lifecycle Manager obtains an existing AES key from a keystore and wraps it for secure transfer to the tape drive. The tape drive unwraps the key on arrival and uses it to encrypt the data that is written to the tape.

When an encrypted tape is read by an LTO tape drive, IBM Security Guardium Key Lifecycle Manager obtains the required key from the keystore, based on the information in the Key ID on the tape, and serves it to the tape drive wrapped for secure transfer.
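
The write and read paths described above, as an added Node.js example that is not IBM code. The page does not say how the key is wrapped, so AES-256-GCM under a transport key shared by the key manager and the drive is an assumption, as are all function names and the constructed `KEY-0001`/`KEY-0002` identifiers.

```javascript
// Added illustration, not IBM code. Assumption: AES-256-GCM under a transport key
// shared by key manager and drive stands in for the unspecified wrapping step.
const crypto = require('node:crypto');

// Encrypt with a fresh 96-bit nonce; the Key ID is bound as associated data.
function seal(key, plaintext, keyId) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv).setAAD(Buffer.from(keyId));
  return Buffer.concat([iv, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Decrypt nonce || ciphertext || 16-byte tag; throws if the key or Key ID is wrong.
function open(key, blob, keyId) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(keyId)).setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Key manager: look up the existing AES key for a Key ID and wrap it for transfer.
function keyManager(keystore, transportKey) {
  return (keyId) => {
    const dataKey = keystore.get(keyId);
    if (!dataKey) throw new Error(`no key for Key ID ${keyId}`);
    return seal(transportKey, dataKey, keyId);
  };
}

// Drive, write path: request a key, unwrap it on arrival, encrypt, record the Key ID.
function writeTape(requestKey, transportKey, keyId, data) {
  const dataKey = open(transportKey, requestKey(keyId), keyId);
  return { keyId, data: seal(dataKey, data, keyId) };
}

// Drive, read path: the Key ID stored on the tape selects the key that is requested.
function readTape(requestKey, transportKey, tape) {
  const dataKey = open(transportKey, requestKey(tape.keyId), tape.keyId);
  return open(dataKey, tape.data, tape.keyId);
}

// Constructed sample: two keystore entries and one tape written under KEY-0001.
const transportKey = crypto.randomBytes(32);
const keystore = new Map(['KEY-0001', 'KEY-0002'].map((id) => [id, crypto.randomBytes(32)]));
const requestKey = keyManager(keystore, transportKey);
const tape = writeTape(requestKey, transportKey, 'KEY-0001', Buffer.from('backup block 0'));
console.log(tape.keyId, readTape(requestKey, transportKey, tape).toString());
```

Changing the Key ID recorded on the tape makes `readTape` throw, because a different key is served and the GCM tag check fails.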