tape390_crypt - Manage tape encryption

6.10 LPAR mode z/VM guest

Use the tape390_crypt command to enable and disable tape encryption for a channel attached tape device. You can also specify key encrypting keys (KEK) by using labels or hashes.

For 3592 tape devices, it is possible to write data in an encrypted format. The encryption keys are stored on an encryption key manager (EKM) server, which can run on any machine with TCP/IP and Java™ support. The EKM communicates with the tape drive over the tape control unit by using TCP/IP. The control unit acts as a proxy and forwards the traffic between the tape drive and the EKM. This type of setup is called out-of-band control-unit based encryption.

The EKM creates a data key that encrypts the data. The data key itself is encrypted (wrapped) with KEKs and is stored in so-called external encrypted data keys (EEDKs) on the tape medium.

You can store up to two EEDKs on the tape medium. With two EEDKs, one can contain a locally available KEK and the other can contain the public KEK of the location or company to where the tape is to be transferred. Then, the tape medium can be read in both locations.

When a cartridge is loaded, the tape drive sends the EEDKs to the EKM. The EKM tries to unwrap one of the two EEDKs with a KEK it holds and sends the extracted data key back to the tape drive. A drive whose EKM holds neither KEK cannot read or append to the medium.

Linux® can address KEKs by specifying either hashes or labels. Hashes and labels are stored in the EEDKs.

Note: If a tape is encrypted, it cannot be used for IPL.

Before you begin:
To use tape encryption, you need:
  • A 3592 crypto-enabled tape device and control unit that is configured as system-managed encryption.
  • A crypto-enabled 3590 channel-attached tape device driver.
  • A key manager. See Encryption Key Manager Component for the Java(TM) Platform Introduction, Planning, and User's Guide, GA76-0418 for more information.

tape390_crypt syntax

tape390_crypt { -q | -e on | -e off | Keys } <node>
tape390_crypt -h | -v

Keys:
  -k <value>[<char>label | <char>hash] [-k <value>[<char>label | <char>hash]] [-d <char>] [-f]

Notes:
  • The -k or --key operand can be specified at most twice.
where:
-q or --query
displays information about the tape's encryption status. If encryption is active and the medium is encrypted, additional information about the encryption keys is displayed.
-e or --encryption
sets tape encryption on or off.
-k or --key
sets tape encryption keys. You can specify the -k option only if the tape medium is loaded and rewound. While processing the -k option, the tape medium is initialized and all previous data contained on the tape medium is lost.

You can specify the -k option twice because the tape medium can store two EEDKs. If you specify the -k option once, two identical EEDKs are stored.

<value>
specifies the key encrypting key (KEK), which can be up to 64 characters long. The keyword label or hash after the delimiter specifies how the KEK in <value> is to be stored in the EEDK on the tape medium. The default store type is label.
-d or --delimiter
specifies the character that separates the KEK in <value> from the store type (label or hash). The default delimiter is : (colon). Specify a different delimiter if the KEK label itself contains a colon.
<char>
is the character that separates the KEK in <value> from the store type (label or hash).
-f or --force
specifies that no prompt message is to be issued before writing the KEK information and initializing the tape medium.
<node>
specifies the device node of the tape device.
-h or --help
displays help text. To view the man page, enter man tape390_crypt.
-v or --version
displays information about the version.

Examples

The following scenarios illustrate the most common uses of tape encryption. In all examples, /dev/ntibm0 is used as the tape device.

Querying a tape device before and after encryption is turned on

This example shows a query of tape device /dev/ntibm0. Initially, encryption for this device is off. Encryption is then turned on, and the status is queried again.

# tape390_crypt -q /dev/ntibm0
ENCRYPTION: OFF
MEDIUM: NOT ENCRYPTED

# tape390_crypt -e on /dev/ntibm0

# tape390_crypt -q /dev/ntibm0
ENCRYPTION: ON
MEDIUM: NOT ENCRYPTED

Then, two keys are set, the first to be stored as a label and the second as a hash. Because -k initializes the medium, the command prompts for confirmation (suppress the prompt with -f). The status is queried again, and the output now lists the keys: value is the KEK as it was specified, type is the format in which it was specified (a label in both cases), and ontape is the form in which the EEDK stores it.

# tape390_crypt -k my_first_key:label -k my_second_key:hash /dev/ntibm0
--->> ATTENTION! <<---
All data on tape /dev/ntibm0 will be lost.
Type "yes" to continue: yes
SUCCESS: key information set.

# tape390_crypt -q /dev/ntibm0
ENCRYPTION: ON
MEDIUM: ENCRYPTED
KEY1:
	value: 	my_first_key
	type: 	label
	ontape: 	label
KEY2:
	value: 	my_second_key
	type: 	label
	ontape: 	hash

Using default keys for encryption

  1. Load the cartridge. If the cartridge is already loaded:
    • Switch off encryption:
      # tape390_crypt -e off /dev/ntibm0
    • Rewind:
      # mt -f /dev/ntibm0 rewind
  2. Switch encryption on:
    # tape390_crypt -e on /dev/ntibm0 
  3. Write data.

Using specific keys for encryption

  1. Load the cartridge. If the cartridge is already loaded, rewind:
    # mt -f /dev/ntibm0 rewind 
  2. Switch encryption on:
    # tape390_crypt -e on /dev/ntibm0
  3. Set new keys:
    # tape390_crypt -k key1 -k key2 /dev/ntibm0
  4. Write data.
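The procedure above, as an added example that is not part of the IBM page or the s390-tools project. The -k step reinitializes the cartridge and destroys all data on it, so the script first parses the output of tape390_crypt -q (in the format shown in the query example earlier) and runs -k only when the loaded medium does not already carry the wanted KEKs. The function names, the SAMPLE_QUERY text (constructed from the query output shown on the page) and the assumption that tape390_crypt and mt are on PATH are mine; the real workflow function is only called when you invoke it with a device node.

```shell
#!/bin/sh
# Added example; not code from the IBM documentation or from s390-tools.
# Wraps "Using specific keys for encryption" so that the destructive -k step
# only runs when the cartridge does not already carry the wanted KEK labels.

# query_field TEXT FIELD  -> value of the "FIELD: value" line (ENCRYPTION, MEDIUM)
query_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# key_field TEXT N NAME   -> NAME (value, type or ontape) from the KEYN block
key_field() {
    printf '%s\n' "$1" | awk -v k="KEY$2:" -v n="$3:" '
        $1 == k          { inkey = 1; next }
        /^KEY[0-9]+:/    { inkey = 0 }
        inkey && $1 == n { sub(/^[ \t]*[^:]*:[ \t]*/, ""); print; exit }'
}

# medium_encrypted TEXT   -> exit 0 if the loaded medium is encrypted
medium_encrypted() {
    [ "$(query_field "$1" MEDIUM)" = "ENCRYPTED" ]
}

# needs_rekey TEXT LABEL1 LABEL2 -> exit 0 if -k must be run to obtain these KEKs.
# An unencrypted medium always needs it; the order of the two EEDKs does not matter.
needs_rekey() {
    medium_encrypted "$1" || return 0
    k1=$(key_field "$1" 1 value)
    k2=$(key_field "$1" 2 value)
    if [ "$k1" = "$2" ] && [ "$k2" = "$3" ]; then return 1; fi
    if [ "$k1" = "$3" ] && [ "$k2" = "$2" ]; then return 1; fi
    return 0
}

# prepare_encrypted_tape NODE LABEL1 LABEL2 [STORE2]
# Steps 1-3 of the procedure: rewind, switch encryption on, then set the KEKs.
# LABEL1 is stored as a label, LABEL2 as label or hash (STORE2, default label).
# --force is used only after the check above; labels containing ':' need -d.
prepare_encrypted_tape() {
    node=$1; l1=$2; l2=$3; store2=${4:-label}
    mt -f "$node" rewind
    tape390_crypt -e on "$node"
    state=$(tape390_crypt -q "$node")
    if needs_rekey "$state" "$l1" "$l2"; then
        echo "reinitializing $node with KEKs $l1 (label) and $l2 ($store2)" >&2
        tape390_crypt -f -k "$l1:label" -k "$l2:$store2" "$node"
    else
        echo "$node already carries the wanted KEKs; existing data kept" >&2
    fi
}

# Constructed sample: the -q output shown on the page after both keys were set.
SAMPLE_QUERY='ENCRYPTION: ON
MEDIUM: ENCRYPTED
KEY1:
	value: 	my_first_key
	type: 	label
	ontape: 	label
KEY2:
	value: 	my_second_key
	type: 	label
	ontape: 	hash'

# Stand-alone demonstration on the sample; no tape device is touched.
if needs_rekey "$SAMPLE_QUERY" my_first_key my_second_key; then
    echo "sample: rekey needed"
else
    echo "sample: wanted KEKs already on tape (KEY2 stored as $(key_field "$SAMPLE_QUERY" 2 ontape))"
fi

# Real run, only when a device node and two labels are given:
#   sh this_script.sh /dev/ntibm0 my_first_key my_second_key hash
[ $# -ge 3 ] && prepare_encrypted_tape "$1" "$2" "$3" "$4"
```

Run without arguments the script only exercises the parser on the sample; with a device node and two labels it performs the procedure, and only the ENCRYPTION: ON step plus the query happen when the tape already holds both KEKs.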

Writing unencrypted data

  1. Load the cartridge. If the cartridge is already loaded, rewind:
    # mt -f /dev/ntibm0 rewind
  2. If encryption is on, switch off encryption:
    # tape390_crypt -e off /dev/ntibm0
  3. Write data.

Appending new files to an encrypted cartridge

  1. Load the cartridge.
  2. Switch encryption on:
    # tape390_crypt -e on /dev/ntibm0 
  3. Position the tape.
  4. Write data.

Reading an encrypted tape

  1. Load the cartridge.
  2. Switch encryption on:
    # tape390_crypt -e on /dev/ntibm0
  3. Read data.