Device driver configuration
System-Managed Encryption (SME) can be set globally or for a specific tape drive in IBMtape.conf in /usr/kernel/drv.
There are two new configuration parameters added for encryption.
- sys_encryption_proxy “ON/OFF” Use System Encryption FCP Proxy Manager
- sys_encryption_write “OFF/ON/CUSTOM” System Encryption for Write Commands at BOP
Setting the sys_encryption_proxy parameter to ON (the default) enables device driver system-managed encryption for a tape drive.
The sys_encryption_write parameter controls whether the device driver can set the tape drive to encryption enabled for write commands. When set to OFF, the tape drive uses encryption for read operations; write operations do not use encryption. When set to ON, the tape drive uses encryption for both read and write operations. When set to CUSTOM, the device driver does not modify the current tape drive setting. The CUSTOM setting is intended for applications that use system-managed encryption to control write encryption without device driver intervention. The parameter is set to CUSTOM by default.
Note: If sys_encryption_write is set to ON, an application cannot open a tape drive by using the append mode.
To make a global setting to enable SME in IBMtape.conf:
sys_encryption_write=1; # System Encryption for Write Commands at BOP
To enable SME for a particular target:
name="IBMtape"
class="scsi"
target=0
lun=0
block_size=0
buffering=1
immediate=0
trailer=0
sili=0
sys_encryption_write=1;
To disable SME for a particular target:
name="IBMtape"
class="scsi"
target=0
lun=0
block_size=0
buffering=1
immediate=0
trailer=0
sili=0
sys_encryption_proxy=0;
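An added example, not part of the original documentation or the IBM driver: a small audit script that reads IBMtape.conf-style text and reports the effective SME setting for each target, using the defaults and OFF/ON/CUSTOM behavior described above. It assumes the numeric encoding 0=OFF, 1=ON, 2=CUSTOM (the page shows only sys_encryption_write=1 and sys_encryption_proxy=0) and that a per-target value overrides a global one; the function names and sample entries are constructed for illustration.

```python
import re

# The page shows sys_encryption_write=1 (enable) and sys_encryption_proxy=0
# (disable); the full 0=OFF, 1=ON, 2=CUSTOM encoding is an assumption.
NAMES = {"0": "OFF", "1": "ON", "2": "CUSTOM"}
# Defaults as stated on the page.
DEFAULTS = {"sys_encryption_proxy": "ON", "sys_encryption_write": "CUSTOM"}
WRITE_FINDINGS = {"OFF": "reads use encryption, writes do not",
                  "ON": "read/write encrypted; append-mode open not possible",
                  "CUSTOM": "driver leaves the drive's write setting unchanged"}

def parse_entries(text):
    """Split driver.conf-style text into one property dict per ';' entry."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    entries = []
    for chunk in text.split(";"):
        props = dict(re.findall(r'(\w+)\s*=\s*"?([^"\s]+)"?', chunk))
        if props:
            entries.append(props)
    return entries

def sme_props(entry):
    # Keep only the two SME parameters, decoded to OFF/ON/CUSTOM.
    return {k: NAMES.get(v, v) for k, v in entry.items() if k in DEFAULTS}

def audit(text):
    """Return {(target, lun): (proxy, write, finding)} per target entry."""
    entries = parse_entries(text)
    effective = dict(DEFAULTS)
    for e in (x for x in entries if "target" not in x):  # global entries
        effective.update(sme_props(e))
    report = {}
    for e in (x for x in entries if "target" in x):
        s = {**effective, **sme_props(e)}  # assumption: target overrides global
        proxy, write = s["sys_encryption_proxy"], s["sys_encryption_write"]
        finding = ("SME disabled for this drive" if proxy == "OFF"
                   else WRITE_FINDINGS.get(write, "unrecognized value"))
        report[(int(e["target"]), int(e.get("lun", 0)))] = (proxy, write, finding)
    return report

# Constructed sample, not taken from a real system.
SAMPLE = '''
sys_encryption_write=1; # System Encryption for Write Commands at BOP
name="IBMtape" class="scsi" target=0 lun=0 block_size=0 buffering=1 sili=0;
name="IBMtape" class="scsi" target=1 lun=0 sys_encryption_proxy=0;
name="IBMtape" class="scsi" target=2 lun=0 sys_encryption_write=0;
'''

if __name__ == "__main__":
    for key, val in sorted(audit(SAMPLE).items()):
        print(key, val)
```

Running it against the real /usr/kernel/drv/IBMtape.conf after a change shows which drives would write unencrypted data or have SME turned off before any tape is mounted.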