Planning for library-managed tape encryption
To complete encryption on the encryption-capable tape drive, the following items are required.
- Encryption-capable tape drive
- Keystore (Refer to documentation on Security Key Lifecycle Manager (SKLM))
- Encryption configuration features
- Security Key Lifecycle Manager (SKLM)
- Tape system library code updates and Transparent LTO Encryption feature code for encryption-capable libraries
- Tape drive code updates
Library-managed tape encryption tasks
Any task that is not identified as an IBM service task is the responsibility of the customer.
- Install, verify, and configure the following (refer to documentation on Security Key Lifecycle Manager (SKLM) for information on both):
  - Keystore
  - EKM
- Install and cable the encryption-capable tape drive (IBM service task for TS1120 Tape Drive).
- Use IBM tape library specialist to enable the tape drive for library-managed tape encryption (refer to your IBM Tape Drive or Library Operator's Guide).
- Use library diagnostic functions to verify.
Bulk rekey
For customers with Library-Managed Encryption with 3592 Enterprise tape drives and IBM tape and changer drivers that are running on open systems operating systems (AIX®, HP-UX, Linux®, Solaris, Windows), sample code for completing bulk rekey operations is available. The sample code packages are provided "as-is" with limited testing, and are provided to give customers guidance on bulk rekey operations.
For UNIX operating systems, a sample script (rekey_unix.sh) is provided and must be used with the tapeutil version that is bundled in the same package. For Windows operating systems, a sample C program (rekey_win.c) is provided. Both of these sample programs must be used with both the IBM tape and changer drivers. In addition, data cartridges must be in storage cells, not in I/O station cells or tape drives.
For information and to download the sample code packages, see http://www.ibm.com/support/fixcentral/.