Enabling tape encryption

This topic provides an overview of how to enable encryption on the TS7700. You can enable encryption on back-end drives so that virtual drive operations on your TS7700 do not change. You can also manage encryption key server or Tivoli® Key Lifecycle Manager communications through the network to avoid interference with host operations. You can also control encryption by pools.

Before you begin

Before you enable encryption on the TS7700, you must ensure that the correct minimum required levels of microcode are installed. You must also ensure that:
  • The tape drives (TS1150 Tape Drives, TS1140 Tape Drives, TS1130 Tape Drives or TS1120 Tape Drives) are encryption-capable and enabled.
  • The encryption key server, TKLM (Tivoli Key Lifecycle Manager), ISKLM (IBM® Security Key Lifecycle Manager for z/OS®), or Guardium Key Lifecycle Manager (GKLM) 4.1 is installed and configured on the network.
  • Key-encrypting keys (KEKs) are defined.
  • The license key for FC 9900, Tape Encryption Tape is installed and activated.
No new host software is required.
Verify correct license keys are installed
Ask your IBM service representative to receive the most current level of TS7700 code.
  1. In the address bar of a web browser, enter the URL of the TS7700. For example, type: http://virtual IP/Console
  2. At the TS7700 welcome screen, enter the userid and the password to log on to the TS7700, and select Login.
  3. From the navigation select Settings>Feature Licenses.
  4. The Feature Licenses page is displayed, including the table shown in Figure 1. Verify that FC 9900, Tape Encryption configuration, displays on this table.
    Figure 1. Currently active feature licenses
    Figure is a screen capture of feature licenses active on theIBM TS7740.
If using TS1120 Tape Drives, verify they are encryption-capable
  1. From the navigation, select Physical>Physical Tape Drives.
  2. Select the radio button next to the drive you want to verify and select Select Action>Details. Then click Go.
  3. If Yes displays in the second column, adjacent to Encryption Capable, encryption capability and enablement are set. If No displays in the column adjacent to Encryption Capable, encryption capability and enablement are NOT set.
    Attention: If encryption capability and enablement are not set, contact your IBM Service Representative to enable encryption following the procedures in the IBM System Storage TS1120, TS1130, and TS1140 Tape Drives (16th Edition - June 2011) Maintenance Information IBM 3592 Models J1A, E05, E06, EU6, and E07.
Verify encryption key server or TKLM is installed and configured on the network
  1. From the navigation select Settings>Cluster Settings> Encryption Key Server Addresses.
  2. Verify that at a minimum, the Primary key server address and Port fields are complete.
    Attention: If encryption key server or TKLM is not installed and configured, contact your IBM Service Representative to enable encryption following the procedures in the IBM Encryption Key Server component for the Java™† platform Introduction, Planning, and User's Guide, the IBM Tivoli Key Lifecycle Manager Information Center, or the IBM Tivoli Key Lifecycle Manager Quick Start Guide.
Refer to the topic Trademarks in the Related information section for complete attribution.

About this task

To enable encryption on the TS7700, you must enable the tape drives for encryption, then install and activate the license key for FC 9900, Tape Encryption Tape.
Enable the TS1150 Tape Drives, TS1140 Tape Drives, TS1130 Tape Drives or TS1120 Tape Drives for encryption.
Note: If you intend to use tape drives in encryption mode, you must enable encryption on all tape drives that you attach to the TS7700.

Ask your IBM service representative to receive the most current levels of TS7700 code.

Install and activate the encryption license key

Procedure

  1. Enable the tape drives for encryption.
    1. Set the drives to native mode through the TS3500 or TS4500 Tape Library interface; do not use the TS7700 Management Interface.
      Note: You must take the TS7700 offline to perform this task.
    2. Enable encryption on all drives.
      Note: You can perform this task when the TS7700 is either online or offline.
  2. Determine whether or not you have the license key. Do you have the license key?
  3. Install and activate the license key through the TS7700 Management Interface.