Managing tape encryption
This topic describes the encryption key server component that is used to manage encryption on the IBM® TS7700.
The encryption key server is a software program, such as the IBM® Encryption Key Manager component for the Java™† platform or Tivoli® Key Lifecycle Manager, that assists IBM encryption-enabled tape drives in generating, protecting, storing, and maintaining the encryption keys that encrypt information written to, and decrypt information read from, tape media (tape and cartridge formats). An encryption key server runs on z/OS®, i5/OS, AIX®, Linux®†, HP-UX, Sun Solaris, and Windows†, and is a shared resource that can be deployed in several locations within an enterprise. It can serve numerous IBM encrypting tape drives regardless of where those drives reside (for example, in tape library subsystems, connected to mainframe systems through various types of channel connections, or installed in other computing systems).
The encryption key server protects data through key generation and retrieval. Requests for key generation or retrieval reach the encryption key server over a TCP/IP connection from a tape library, subsystem, or drive. When a tape drive writes encrypted data, it first requests an encryption key from the encryption key server. On receipt of the request, the encryption key server generates an Advanced Encryption Standard (AES) key and serves it to the tape drive in two protected forms:
- Encrypted, or wrapped, under a Rivest-Shamir-Adleman (RSA) key pair held by the key server. The tape drive writes this copy of the key to the cartridge memory and to three more places on the tape for redundancy. The drive cannot unwrap this copy on its own, so it stays protected wherever the cartridge goes.
- Separately wrapped for secure transfer to the tape drive, where it is unwrapped on arrival and used to encrypt the data being written to tape. The AES key therefore never crosses the TCP/IP connection in the clear.
When an encrypted tape cartridge is read by a tape drive (TS1150 Tape Drive, TS1140 Tape Drive, TS1130 Tape Drive, or TS1120 Tape Drive), the drive sends the protected AES key from the tape to the encryption key server, where it is decrypted. The AES key is then wrapped for secure transfer back to the tape drive, which unwraps it and uses it to decrypt the data stored on the tape. A read therefore depends on a key server that still holds the RSA private key under which the cartridge's copy was wrapped; if that key pair is lost, the data on the cartridge cannot be recovered. The encryption key server also allows AES keys to be rewrapped, or rekeyed, under RSA keys different from the ones originally used. (For more information, see About tape encryption keys.) Rekeying is useful when shipping tapes for use on external systems: the cartridge's key copy is rewrapped under the receiving site's RSA key, so that site's key server can serve the key without ever being given the originating site's private key.
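The write, read, and rekey exchanges described above, modelled in Go as an added example (this is not IBM code and not the TS7700 key-serving protocol itself): a KeyServer holds RSA key-encrypting keys by label, a Drive holds an RSA pair under which the transfer form is wrapped for it, and both protected forms are produced with RSA-OAEP from the Go standard library. The key labels, the OAEP label string, and the use of a per-drive RSA pair for the transfer form are assumptions made for the illustration; the real drive-to-server transfer protection is not specified on this page.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical OAEP label; not a value from the IBM key-serving protocol.
var oaepLabel = []byte("tape-data-key")

func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
}

func unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, oaepLabel)
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // RNG failure is unrecoverable for a key server
	}
	return k
}

// KeyServer stands in for the encryption key server: it holds RSA key-encrypting
// keys (KEKs) by label and never releases a data key in the clear.
type KeyServer struct{ keks map[string]*rsa.PrivateKey }

// DataKeyRecord is what the drive writes to cartridge memory and to tape: the
// AES data key wrapped under the public half of the named KEK.
type DataKeyRecord struct {
	KEKLabel string
	Wrapped  []byte
}

// Drive stands in for an encryption-enabled tape drive; its own RSA pair (an
// assumption of this model) protects the data key in transit to it.
type Drive struct{ sess *rsa.PrivateKey }

func (d *Drive) Unwrap(transfer []byte) ([]byte, error) { return unwrap(d.sess, transfer) }

// RequestWriteKey is the write path: a fresh AES-256 data key comes back in two
// protected forms, one wrapped under the KEK for the cartridge and one wrapped
// under the requesting drive's public key for transfer.
func (s *KeyServer) RequestWriteKey(label string, drive *rsa.PublicKey) (DataKeyRecord, []byte, error) {
	kek, ok := s.keks[label]
	if !ok {
		return DataKeyRecord{}, nil, errors.New("unknown KEK label " + label)
	}
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return DataKeyRecord{}, nil, err
	}
	stored, err := wrap(&kek.PublicKey, dk)
	if err != nil {
		return DataKeyRecord{}, nil, err
	}
	transfer, err := wrap(drive, dk)
	return DataKeyRecord{label, stored}, transfer, err
}

// RequestReadKey is the read path: the server unwraps the record the drive found
// on the cartridge with the KEK private key and rewraps it for that drive.
func (s *KeyServer) RequestReadKey(rec DataKeyRecord, drive *rsa.PublicKey) ([]byte, error) {
	kek, ok := s.keks[rec.KEKLabel]
	if !ok {
		return nil, errors.New("unknown KEK label " + rec.KEKLabel)
	}
	dk, err := unwrap(kek, rec.Wrapped)
	if err != nil {
		return nil, err
	}
	return wrap(drive, dk)
}

// Rekey rewraps the stored data key under another party's public KEK, as done
// before shipping a cartridge; only the key record changes, not the data.
func (s *KeyServer) Rekey(rec DataKeyRecord, label string, pub *rsa.PublicKey) (DataKeyRecord, error) {
	w, err := s.RequestReadKey(rec, pub) // the same unwrap-then-rewrap operation
	return DataKeyRecord{label, w}, err
}

// Write on one drive, then read on another via the record left on the cartridge.
func main() {
	srv := &KeyServer{map[string]*rsa.PrivateKey{"KEK-OURS": mustKey()}}
	writer, reader := &Drive{mustKey()}, &Drive{mustKey()}
	rec, xfer, _ := srv.RequestWriteKey("KEK-OURS", &writer.sess.PublicKey) // errors elided in this demo only
	wk, _ := writer.Unwrap(xfer)
	xfer, _ = srv.RequestReadKey(rec, &reader.sess.PublicKey)
	rk, _ := reader.Unwrap(xfer)
	fmt.Println("reader recovered the writer's data key:", bytes.Equal(wk, rk))
}
```

Two properties of the scheme fall out of the model: the transfer form is useless to any drive other than the one that requested it, and a record wrapped under a KEK the server does not hold cannot be served at all, which is exactly why a cartridge must be rekeyed under the receiving site's public key before it is shipped.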
Three methods of encryption management exist; which one you choose depends on your operating environment and on where you locate the encryption key server application. The encryption key server and the encryption policy engine can reside in the application, system, or library layer, as illustrated by Figure 1.

- Application Layer
- The application layer initiates data transfer for tape storage, for example, Tivoli Storage Manager (TSM).
- System Layer
- The system layer contains everything between the application and the tape drives, for example, the operating system, z/OS DFSMS, device drivers, and FICON® controllers.
- Library Layer
- The library layer contains the enclosure for tape storage, such as the TS3500 or TS4500 Tape Library. A modern tape library contains an internal interface to each tape drive.
†Refer to the topic Trademarks in the Related information section for complete attribution.