Planning for library-managed encryption

Library-managed encryption (LME) is useful for encryption-enabled tape drives in an open-attached IBM tape library.

Note: LME is not enabled by default. The logical library must be configured to use LME.

Bar code encryption policies, which are set up through the management GUI, can be used to specify when to use encryption. In such cases, policies are based on cartridge volume serial numbers. Library-managed encryption also allows other options, such as encryption of all volumes in a library, independent of bar codes. Key generation and management are performed by the key manager. Because policy control and keys pass through the library-to-drive interface, encryption is transparent to the applications.

Library-managed encryption, when used with certain applications such as Symantec NetBackup or EMC Legato NetWorker, supports an internal label option. When the internal label option is configured, the encryption-enabled tape drive automatically derives the encryption policy and key information from the metadata that the application writes on the tape volume.
Notes:
  • If you use LME and IBM® device drivers that run on Open Systems platforms (AIX®, Linux®, Solaris, Windows), information for bulk rekey is available in the IBM Tape Device Drivers Installation and User's Guide.
  • When you use LME, on a TS4500 with more than one LCC, an extra Ethernet cable must be attached from at least one other LCC, preferably to a different network switch. The extra cable is for redundancy and better backup job reliability.
  • When you use LME with LTO tape drives, IBM Security Guardium Key Lifecycle Manager (formerly the Tivoli® Key Lifecycle Manager) is required as the key manager.

The following components are required to use encryption:

  • Encryption-enabled tape drive
  • Keystore
  • Key manager