Tape encryption methods

Which encryption method to use depends on how you want to manage your data and, in particular, where you want the encryption keys to be held.

It is critical to secure client data, especially when that data is sensitive. To ensure that data in onsite and offsite volumes is protected, IBM® tape encryption technology is available.

This technology encrypts data on the drive with 256-bit Advanced Encryption Standard (AES) keys. A key manager passes the keys to the drive, which encrypts data as it is written and decrypts it as it is read.

IBM tape technology supports different methods of drive encryption for the following devices:

  • IBM 3592 Generation 2 and later generations
  • IBM Linear Tape-Open Generation 4 and later generations

The methods of drive encryption that you can use with IBM Storage Protect are set up at the hardware level. IBM Storage Protect cannot control or change which encryption method is used in the hardware configuration. If the hardware is set up for the Application method, IBM Storage Protect can turn encryption on or off depending on the DRIVEENCRYPTION value on the device class.

To encrypt all data in a particular logical library or to encrypt data on more than just storage pool volumes, use the Library or System method. If the encryption key manager is set up to share keys, the Library and System methods can share the encryption key, which allows the two methods to be interchanged. IBM Storage Protect cannot share or use encryption keys between the Application method and either the Library or the System methods of encryption.

Table 1. Encryption methods

Application encryption

With application-managed encryption, you can create dedicated storage pools that contain encrypted volumes only. This way, you can use storage pool hierarchies and policies to manage the way data is encrypted.

Encryption keys are managed by the application, in this case IBM Storage Protect. IBM Storage Protect generates the keys and stores them in the server database. Data is encrypted during write operations, when the encryption key is passed from the server to the drive, and decrypted during read operations.

Enable the Application method to encrypt storage pool volumes; because the drive performs the encryption, no encryption processing is added on the server. Use application-managed encryption only for storage pool volumes. Other volumes, such as backup-set tapes, export volumes, and database backups, are not encrypted by using the Application method.

Requirement: When application encryption is enabled, you must take extra care to secure database backups, because the keys that encrypt and decrypt your data are stored in the server database and the database backup itself is not encrypted by this method. To restore your data, you must have the correct database backup and the corresponding encryption keys. Back up the database frequently and safeguard the backups against loss or theft: anyone who has access to both the database backup and the encryption keys has access to your data.

Library encryption

With library-managed encryption, you control which volumes are encrypted by their serial numbers. You can specify a range or set of volumes to encrypt.

Encryption keys are managed by the library. Keys are stored in an encryption key manager and provided to the drive. If the hardware is set up to use library-managed encryption, you can use this method by running the DEFINE DEVCLASS command and specifying the DRIVEENCRYPTION=ALLOW parameter.

Restriction: Only certain IBM libraries support IBM LTO-4 and later encryption. For more information, see Configuring tape drive encryption.

System encryption

System-managed encryption is available only on the AIX® operating system. Encryption keys that are provided to the drive are managed by the device driver or operating system and stored in an encryption key manager. If the hardware is set up to use system encryption, you can use this method by running the DEFINE DEVCLASS command and specifying the DRIVEENCRYPTION=ALLOW parameter.

To determine whether a volume is encrypted and which method was used, run the QUERY VOLUME command and specify the FORMAT=DETAILED parameter.
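The following script is an added example, not IBM Storage Protect code, that shows how a practitioner can audit the output of QUERY VOLUME FORMAT=DETAILED: it parses the per-volume listing, groups volumes by the encryption method that was used, and lists separately the application-encrypted volumes whose keys live in the server database and therefore depend on a good database backup. It assumes that the administrative client prints one "Label: value" line per field with a blank line between volumes, and that the relevant field is labelled "Drive Encryption Key Manager" with values such as "IBM Storage Protect", "Library", "System", or "None"; those labels and values are assumptions, and the sample output is constructed for the example.

```python
"""Audit drive-encryption status from QUERY VOLUME FORMAT=DETAILED output.

Added example, not IBM Storage Protect code. Assumptions: one "Label: value"
line per field, one volume per blank-line-separated block, and a field labelled
"Drive Encryption Key Manager". The sample output below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of what "query volume format=detailed" might print,
# trimmed to the fields this audit needs.
SAMPLE_OUTPUT = """\
                   Volume Name: TAPE01L4
             Storage Pool Name: ENCTAPEPOOL
             Device Class Name: LTO_ENC
                 Volume Status: Full
  Drive Encryption Key Manager: IBM Storage Protect

                   Volume Name: TAPE02L4
             Storage Pool Name: ENCTAPEPOOL
             Device Class Name: LTO_ENC
                 Volume Status: Filling
  Drive Encryption Key Manager: IBM Storage Protect

                   Volume Name: TAPE10L4
             Storage Pool Name: LIBTAPEPOOL
             Device Class Name: LTO_LIB
                 Volume Status: Full
  Drive Encryption Key Manager: Library

                   Volume Name: TAPE20L4
             Storage Pool Name: PLAINPOOL
             Device Class Name: LTO_PLAIN
                 Volume Status: Full
  Drive Encryption Key Manager: None
"""

FIELD_RE = re.compile(r"^\s*(?P<label>[^:]+?):\s*(?P<value>.*?)\s*$")

# Assumed key-manager values mapped to the method names used in the text.
# Older servers print the product's former names; all map to Application.
KEY_MANAGER_TO_METHOD = {
    "ibm storage protect": "Application",
    "ibm spectrum protect": "Application",
    "tivoli storage manager": "Application",
    "library": "Library",
    "system": "System",
    "none": None,
    "": None,
}


def parse_query_volume(text):
    """Split FORMAT=DETAILED output into one dict of fields per volume."""
    volumes, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                volumes.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("label")] = m.group("value")
    if current:
        volumes.append(current)
    return volumes


def encryption_method(volume):
    """Return 'Application', 'Library', 'System', or None if unencrypted.

    An unrecognised value is an error rather than silently 'unencrypted',
    so a renamed field or product name cannot hide an encrypted volume."""
    manager = volume.get("Drive Encryption Key Manager", "").strip().lower()
    if manager not in KEY_MANAGER_TO_METHOD:
        raise ValueError(f"unrecognised key manager value: {manager!r}")
    return KEY_MANAGER_TO_METHOD[manager]


def audit(text):
    """Group volume names by encryption method; 'unencrypted' collects the rest."""
    report = defaultdict(list)
    for vol in parse_query_volume(text):
        method = encryption_method(vol) or "unencrypted"
        report[method].append(vol["Volume Name"])
    return dict(report)


def db_backup_dependent(text):
    """Volumes encrypted with keys held in the server database (Application
    method). They are unreadable without a matching database backup, so
    plan database backup retention and protection around this list."""
    return audit(text).get("Application", [])


if __name__ == "__main__":
    for method, names in sorted(audit(SAMPLE_OUTPUT).items()):
        print(f"{method:12} {', '.join(names)}")
    print("keys in server DB:", ", ".join(db_backup_dependent(SAMPLE_OUTPUT)))
```

To run it against a live server, pipe the administrative client's output into the script instead of SAMPLE_OUTPUT; the grouping makes it easy to confirm that every volume in a pool that is meant to hold encrypted volumes only was in fact encrypted, and the Application list is the set of volumes whose recovery depends on a safeguarded database backup.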