Planning for application-managed encryption
Application-managed encryption (AME) is useful in operating environments that run an application that is already capable of generating and managing encryption policies and keys, such as IBM® Storage Protect.
With AME, policies that specify when encryption is to be used are defined through the application interface. The policies and keys pass through the data path between the application layer and the encrypting tape drives.
Encryption is the result of interaction between the application and the encryption-enabled tape drive, and does not require any changes to the system and library layers. Because the application manages the encryption keys, data volumes that are written and encrypted using the application-managed encryption method can be read only by the same software application that wrote them. A key manager is not required by, or used with, application-managed tape encryption.
Note: The capability to use AME is not pre-set. The logical library must be set to use AME.
Application-managed tape encryption can use either of two encryption command sets:
- The IBM encryption command set developed for the key manager
- The T10 command set defined by the InterNational Committee for Information Technology Standards (INCITS)
For more information about setting up application-managed encryption, visit the IBM Storage Protect page.