3592 tape sharing

IBM Security Key Lifecycle Manager can store two sets of wrapped encryption keys on a 3592 tape. This practice allows another organization to read that specific tape without providing them any shared secret information or compromising the security of your certificates and keys.

Add the public part of the public/private certificate of the other organization, and keys to the keystore database of your IBM Security Key Lifecycle Manager, by using a second alias (or key label). When the tape is written, the encryption keys are stored on the tape, which is protected by two sets of public/private keys that are your set and the set that belongs to another organization. The other organization must have an encryption-enabled 3592 tape drive. The other organization can use its IBM Security Key Lifecycle Manager and its private key to unwrap the data key that allows reading that specific tape.

Your IBM Security Key Lifecycle Manager must have the certificate of the partner organization. The other organization must have the associated private key in the keystore that is used by the IBM Security Key Lifecycle Manager that the other organization runs. This flexibility provides tapes that are readable by both organizations. If you want to take advantage of this capability you must add the certificate of the other organization, which contains the public key, to your keystore database.