Asymmetric keys and the DS8000 Turbo drive

IBM® Security Guardium® Key Lifecycle Manager also uses public/private (asymmetric) key cryptography to protect 256-bit AES symmetric data encryption keys as they pass between IBM Security Guardium Key Lifecycle Manager and the DS8000® Turbo drive.

Public/private key cryptography is also used to verify the identity of the tape drives to which IBM Security Guardium Key Lifecycle Manager serves keys. When a DS8000 Turbo drive requests a new key, IBM Security Guardium Key Lifecycle Manager generates a random symmetric data encryption key. Use public/private key cryptography to wrap the data encryption key by using a key encryption key, which is the public key of an asymmetric key pair.

The wrapped data key, along with key label information about that private key that is required to unwrap the symmetric key, forms a digital envelope, called an externally encrypted data key structure. The structure is stored in the tape header area of any tape cartridge that holds data encrypted using this method. The key that you use to decrypt the data is stored with the data on the tape itself, protected by asymmetric, public/private key wrapping. The public key that is used to wrap the data key is obtained from one of the following two sources:

  • A certificate (from a business partner, for example) stored in the keystore.
  • A public key (part of an internally generated public/private key pair) stored in the keystore.

The certificates and keys that are stored in the keystore are the point of control that allows a DS8000 Turbo drive to be unlocked. Without the information in the keystore, the DS8000 Turbo drive cannot be unlocked.

You must prevent unauthorized users from obtaining the private keys from the keystore, and to always keep the keystore available to you to unlock the arrays. The data encryption key is stored only on the DS8000 Turbo drive in a wrapped, protected form.

To unlock a DS8000 Turbo drive, the DS8000 Turbo drive sends the externally encrypted data key to IBM Security Guardium Key Lifecycle Manager. IBM Security Guardium Key Lifecycle Manager determines from the alias or key label which private key encryption key from its keystore to use to unwrap the externally encrypted data key and recover the data encryption key. After the data encryption key is recovered, it is then wrapped with a different key, which the tape drive can decrypt. The key is sent back to the tape drive to enable the tape drive for data decryption.

IBM Security Guardium Key Lifecycle Manager uses aliases, also known as key labels, to identify the public/private keys that you use to wrap the unlocking key. You can define specific aliases for each device. IBM Security Guardium Key Lifecycle Manager allows the definition of up to two aliases (certificates or key labels) for each DS8000 Turbo drive to prevent deadlock conditions. IBM Security Guardium Key Lifecycle Manager must be on the same system as the DS8000 Turbo drive. The DS8000 Turbo drive must unlock before the IBM Security Guardium Key Lifecycle Manager can come up. The private key for one of these aliases must be known. If you do not want to specify two different key labels or aliases, you can define both aliases with the same value.