Planning for application-managed encryption
Application-managed encryption (AME) is useful in operating environments where the application, such as IBM Spectrum Protect, can already generate and manage encryption policies and keys.
With AME, policies that specify when encryption is to be used are defined through the application
interface. The policies and keys pass through the data path between the application layer and the
encrypting tape drives. Encryption is the result of interaction between the application and the
encryption-enabled tape drive, and does not require any changes to the system and library layers.
Because the application manages the encryption keys, data volumes that are written and encrypted
using the application-managed encryption method can be read only by the same software application
that wrote them. A key manager is not required by, or used with, application-managed tape
encryption.
Note: AME is not enabled by default. The logical library must be set to use
AME.
Application-managed tape encryption can use either of two encryption command sets:
- The IBM® encryption command set developed for the key manager
- The T10 command set defined by the InterNational Committee for Information Technology Standards (INCITS)
For more information about setting up application-managed encryption for IBM Spectrum Protect, visit the IBM Spectrum Protect page.