Backing up the Encryption Key Manager

Hardware tape encryption uses tape devices with data encryption capabilities and key management software to encrypt your data. Use these steps to back up and restore the key manager data. If you lose the encryption keys in the key manager, you will not be able to decrypt your tapes in a system recovery.

Key management software assists IBM® encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys that are used to encrypt information being written to, and decrypt information being read from, tape media. The key manager operates on IBM i, and many other system platforms. The key manager can serve numerous IBM encrypting tape drives, regardless of where those drives reside. The key manager uses a keystore to hold the certificates and keys required for all encryption tasks. You can have multiple copies of the key manager on the network.

The key manager uses the following method to handle save requests.
  • The tape library receives a save request with a volume serial that is marked for encryption.
  • The tape library asks the key manager to generate a random data key.
  • The key manager generates the data key for this tape. This data key is used to encrypt the data.
  • The key manager uses the public key to encrypt the data key so that the wrapped key can be stored on the tape.
  • The tape library writes the encrypted data key on the cartridge in both the cartridge memory and on the tape.
  • The tape library uses the session key (the data key) to encrypt the data as it writes it to the tape.

During a restore, the key manager decrypts the data key using the private key of the same public/private key pair. The library uses the data key to decrypt the data as it reads it from the tape.
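As an added example (not IBM's code), the save and restore steps above modelled in Go with the standard library. The ciphers (RSA-OAEP to wrap the data key, AES-256-GCM for the data), the 32-byte data key, and the use of the volume serial as a binding label are assumptions, since the page names none of them; the last function also shows why a rebuilt key manager with a fresh keystore cannot read an existing tape.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Cartridge models what the library writes: the wrapped data key (kept in
// cartridge memory and on tape, as the steps above describe) plus the data.
type Cartridge struct {
	VolSer     string
	WrappedKey []byte // data key encrypted under the key manager's public key
	Nonce      []byte
	Ciphertext []byte
}

// SaveVolume is the save path: a random data key is generated, wrapped with
// the keystore's public key (RSA-OAEP, assumed), and used to encrypt the data
// (AES-256-GCM, assumed; the page does not name the ciphers).
func SaveVolume(volser string, pub *rsa.PublicKey, data []byte) (*Cartridge, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(volser))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(dataKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read only fails if the OS RNG is broken
	ct := gcm.Seal(nil, nonce, data, []byte(volser))
	return &Cartridge{VolSer: volser, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// RestoreVolume is the restore path: only a key manager holding the matching
// private key can unwrap the data key, which is why the keystore is backed up.
func RestoreVolume(c *Cartridge, priv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, c.WrappedKey, []byte(c.VolSer))
	if err != nil {
		return nil, fmt.Errorf("key manager cannot unwrap data key for %s: %w", c.VolSer, err)
	}
	block, _ := aes.NewCipher(dataKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.VolSer))
}
```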

Important: Due to the critical nature of the keys in your keystore, it is highly recommended that you back up this data so that you can recover it as needed and remain able to read the tapes that were encrypted using the certificates associated with that tape drive or library.

Use any of the following methods to back up this keystore information in the key manager:

  • Keep a copy of all certificates loaded in the keystore.
  • Use system backup capabilities, such as save/restore commands or BRMS commands, to create a backup copy of this keystore information.
    Be careful not to encrypt this copy using the encrypting tape drives, as it would be impossible to decrypt it for recovery.
  • Maintain a primary and secondary key manager and keystore copy for backup, as well as for high availability.
    You can have two key managers that are mirror images of each other with built-in backup of the critical keystore information. When you configure your tape device, you can point it to two key managers. If one key manager becomes unavailable for any reason, your device will use the alternate key manager.
  • If you are using a JCEKS (UNIX System Services file-based) keystore, copy the keystore file and store the clear (unencrypted) copy in a secure location, such as a vault.
    Be careful not to encrypt this copy using the encrypting tape drives, as it would be impossible to decrypt it for recovery.

It is important to test your recovery strategy carefully. At the primary site, run multiple key manager servers so that backups can continue to run while one key manager server is down. Export and synchronize keys on all key manager servers each time the keys change. Keep an offsite backup of the key manager data. At the disaster recovery site, have an encryption-capable tape drive or library with access to the key manager server. Do not encrypt the key manager server itself: run the key manager on a system or logical partition where none of the save operations are encrypted.