z/OS DFSMS Software Support for IBM System Storage TS1140, TS1130, and TS1120 Tape Drives (3592)
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Tape encryption

z/OS DFSMS Software Support for IBM System Storage TS1140, TS1130, and TS1120 Tape Drives (3592)
SC23-6854-00

The TS1130 tape drive supports encryption of media tape cartridges. The existing z/OS DFSMS support for tape subsystem encryption (introduced with the TS1120) allows you to specify by data class that data is to be encrypted. In addition to this, the key label-related information that is used to encrypt the data key (of a tape cartridge) can be specified through the DD statement (JCL, dynamic allocation, and TSO ALLOCATE), data class, or Encryption Key Manager component for the Java™ platform (EKM) defaults. The communication path to the Encryption Key Manager (EKM) is across TCP/IP, with the choice to go either in-band or out-of-band for the key management flow. With out-of-band key management, the communication path to the Encryption Key Manager is handled by the control unit going directly to the Encryption Key Manager. Then, for in-band key management, the communication path to the Encryption Key Manager is handled across ESCON/FICON, with an IOS proxy interface then handling the key exchange (across TCP/IP) with the Encryption Key Manager.
Note: References in this document to Encryption Key Manager (EKM) also apply to the new Tivoli® Key Lifecycle Manager (TKLM). Either key manager can be used with the TS1130 and TS1120 tape drives. The TS1130 requires, at a minimum, version 2.1 of the EKM or version 1.0 of the TKLM. The first release of the TKLM is targeted for 2H2008 (plans are always subject to change).

Unless directed otherwise, a TS1130 tape drive records in the new non-encryption enterprise format 3 (EFMT3). It can also record in the new encryption specific recording format (enterprise encrypted format 3 (EEFMT3)). The EFMT3 and EEFMT3 recording formats are supported across all of the 3592 media types (MEDIA5 - MEDIA10). The existing Performance Scaling and Performance Segmentation data class options, applicable with MEDIA5 and MEDIA9, can also be used with the EFMT3 and EEFMT3 recording formats. The capacities of EMFT3 and EEFMT3 written tapes are the same.

A TS1130 tape drive can also read the existing EFMT1, EFMT2, EEFMT2 recording formats and can be explicitly directed to write from beginning of tape (BOT) in the EFMT2 or EEFMT2 recording format.

When writing from the beginning of tape (BOT), an encryption-capable TS1130 tape drive will, by default, record in the non-encryption recording format (EFMT3). Depending on the host platform and its encryption enablement mechanism, this default can be changed at the drive. However, under z/OS and OPEN processing (file sequence 1, DISP=NEW), unless explicitly requested through data class to record in the lower recording format (EFMT2 or EEFMT2) or the new encryption format (EEFMT3), the non-encryption format EFMT3 will be assumed and explicitly set during OPEN processing. When writing from the beginning of the tape (file sequence 1, DISP=OLD or DISP=SHR for volume reuse), since this processing does not go through the data class ACS routine, OPEN processing will determine whether encryption (EEFMT2 or EEFMT3) had previously been used and ensure that encryption is requested for this next usage of the tape. So, if the previous usage of the tape was encrypted, OPEN will explicitly set the new encryption format (EEFMT3) and will obtain and pass the volume’s existing key management-related information to the drive (key label and encoding mechanism). In this case, a new data key is generated and used. However, the volume’s existing key management-related information is used to encrypt the data key. This is similar to the way that the encryption format EEFMT2 is handled by the 3592 Model E05 (TS1120) encryption support. This is also consistent with today’s 3592 Model E05 drives, where, on reuse, if encryption was not used, the highest non-encryption recording format is specified.

For an encrypted tape cartridge, the cartridge stores both the encrypted user data and the critical key management-related information needed to interact with the Encryption Key Manager when decrypting data on the cartridge. A mix of data written in encrypted and non-encrypted formats is not supported on the same tape cartridge. Whether the data on a cartridge is written in encrypted format is determined during OPEN processing, when the first file sequence on the tape is written. If the first file written to a tape is in the encrypted format; all subsequent files written to that same tape cartridge will be written in the encrypted format. All files written to a cartridge in the encrypted format are encrypted using the same data key. The exception to this is the volume label structure for the first file sequence, which is encrypted using a key known to all encryption capable 3592 drives, which means it is effectively in the clear.

In the TS1130 tape drive environment (whether system-managed or not), when writing from the beginning of tape (file sequence 1, DISP=NEW), to request encryption format, EEFMT3 (or EEFMT2 for downward compatibility) is specified in the data class. OPEN processing passes key management-related information (such as the key labels) to the drive for subsequent communication with the Encryption Key Manager.

To select encryption for a cartridge, do these steps:

  1. Define a data class that requests encryption.
  2. Modify or create ACS routines to associate the tape output functions using encryption with a data class that requests encryption.
  3. Specify the appropriate key labels either through the DD statement (JCL, dynamic allocation, or TSO allocate), data class, or by using Encryption Key Manager established defaults.
Parent topic: Introduction for TS1130 tape drive

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014