z/OS DFSMS Software Support for IBM System Storage TS1140, TS1130, and TS1120 Tape Drives (3592)


Tape encryption for TS1120

SC23-6854-00

The encryption-capable TS1120 tape drive supports encryption of media tape cartridges. The z/OS DFSMS support for tape subsystem encryption allows you to specify by data class that data is to be encrypted when stored on encryption-capable TS1120 tape drives. In addition, the key label-related information that is used to encrypt the data key (of a tape cartridge) can be specified through the DD statement (JCL, dynamic allocation, and TSO ALLOCATE), data class, or Encryption Key Manager component for the Java™ platform (EKM) defaults. The communication path to the Encryption Key Manager (EKM) is across TCP/IP, with the choice of an in-band or out-of-band key management flow. With out-of-band key management, the control unit handles the communication path by going directly to the Encryption Key Manager. With in-band key management, the communication path to the Encryption Key Manager runs across ESCON/FICON, and a new IOS proxy interface handles the key exchange (across TCP/IP) with the Encryption Key Manager.

An encryption-capable TS1120 tape drive records in the existing non-encryption enterprise format 1 (EFMT1) and enterprise format 2 (EFMT2) recording formats and also records in the encryption-specific recording format, enterprise encrypted format 2 (EEFMT2). The EEFMT2 recording format is supported across all of the 3592 media types (MEDIA5 – MEDIA10). Even though the encryption-capable TS1120 tape drive can record in a lower density (EFMT1) and a higher density (EFMT2) recording format, an encrypted version of the lower recording format (EFMT1) is not supported. Only the higher recording format (EFMT2) is supported with an encrypted version (EEFMT2). The existing Performance Scaling and Performance Segmentation data class options, applicable with MEDIA5 and MEDIA9, can also be used with the new encryption format EEFMT2. The capacities of EFMT2 and EEFMT2 written tapes are the same.

When writing from the beginning of tape (BOT), an encryption-capable TS1120 tape drive will, by default, record in the non-encryption recording format (EFMT2). Depending on the host platform and its encryption enablement mechanism, this default can be changed at the drive. However, under z/OS and OPEN processing (file sequence 1, DISP=NEW), unless explicitly requested through data class to record in the lower recording format (EFMT1) or the new encryption format (EEFMT2), the non-encryption format EFMT2 will be assumed and explicitly set during OPEN processing. When writing from the beginning of the tape (file sequence 1, DISP=OLD), since this processing does not go through the data class ACS routine, OPEN processing will determine if the previous usage of the tape was encrypted and if encrypted, OPEN will explicitly set the EEFMT2 format with the volume's existing key management-related information being used by the drive to encrypt the data.

For an encrypted tape cartridge, the cartridge stores both the encrypted user data and the critical key management-related information needed to interact with the Encryption Key Manager when decrypting data on the cartridge. A mix of data written in encrypted and non-encrypted formats is not supported on the same tape cartridge. Whether the data on a cartridge is written in encrypted format is determined during OPEN processing, when the first file sequence on the tape is written. If the first file written to a tape is in the encrypted format, all subsequent files written to that same tape cartridge will be written in the encrypted format. All files written to a cartridge in the encrypted format are encrypted using the same data key. The exception to this is the volume label structure for the first file sequence, which is encrypted using a key known to all encryption-capable 3592 drives, which means it is effectively in the clear.

In the encryption-capable TS1120 tape drive environment (whether system-managed or not), when writing from the beginning of tape (file sequence 1, DISP=NEW), to request encryption format, EEFMT2 is specified in data class. OPEN processing passes key management-related information (such as the key labels) to the drive for subsequent communication with the Encryption Key Manager.

To select encryption for a cartridge, do these steps:

  1. Define a data class that requests encryption.
  2. Modify or create ACS routines to associate the tape output functions using encryption with a data class that requests encryption.
  3. Specify the appropriate key labels either through the DD statement (JCL, dynamic allocation, or TSO allocate), data class, or by using Encryption Key Manager established defaults.
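
The following job is an added example, not taken from the IBM publication, showing step 3 done through the DD statement for a file sequence 1, DISP=NEW tape output. The job, data set, unit, and data class names and both key label values are hypothetical site-specific values; DATACLAS, KEYLABL1, KEYENCD1, KEYLABL2, and KEYENCD2 are standard z/OS JCL DD parameters.

```jcl
//ENCTAPE  JOB (ACCT),'TAPE ENCRYPT',CLASS=A,MSGCLASS=X
//*
//* ADDED EXAMPLE - ALL NAMES BELOW ARE HYPOTHETICAL:
//*   DCEEFMT2   DATA CLASS DEFINED WITH RECORDING FORMAT EEFMT2
//*              (STEP 1). THE DATA CLASS ACS ROUTINE MUST ASSIGN
//*              OR ACCEPT IT FOR THIS DATA SET (STEP 2).
//*   TAPE3592   ESOTERIC UNIT NAME FOR ENCRYPTION-CAPABLE
//*              TS1120 DRIVES.
//*   KEY LABELS MUST MATCH LABELS KNOWN TO THE ENCRYPTION KEY
//*              MANAGER. IF OMITTED HERE, THE DATA CLASS OR
//*              EKM DEFAULTS SUPPLY THEM.
//*
//COPY     EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT1   DD DSN=PROD.PAYROLL.MASTER,DISP=SHR
//*
//* FILE SEQUENCE 1, DISP=NEW: OPEN SETS THE RECORDING FORMAT
//* FROM THE DATA CLASS AND PASSES THE KEY LABELS TO THE DRIVE.
//* KEYENCD1/KEYENCD2: L = STORE THE KEY LABEL ON THE TAPE,
//*                    H = STORE A HASH OF THE PUBLIC KEY.
//*
//SYSUT2   DD DSN=PROD.PAYROLL.OFFSITE,
//            DISP=(NEW,CATLG),
//            UNIT=TAPE3592,
//            LABEL=(1,SL),
//            DATACLAS=DCEEFMT2,
//            KEYLABL1='SITE.PRIMARY.KEY',
//            KEYENCD1=L,
//            KEYLABL2='PARTNER.KEY',
//            KEYENCD2=H
```

Because every file on an encrypted cartridge uses the same data key, the key labels only take effect when file sequence 1 is written; later file sequences on the same volume inherit the encrypted format.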





Copyright IBM Corporation 1990, 2014