Tape encryption

You can encrypt tape drives used with the TS7700 Tape Attach.

The IBM® TS1150 Tape Drive (3592 E08/EH8), IBM TS1140 Tape Drive (3592 E07/EH7), IBM TS1130 Tape Drive (3592 E06/EU6), and IBM TS1120 Tape Drive (3592 E05) encrypt data as it is written to any size IBM 3592 Enterprise Tape Cartridge (3592 Tape Cartridge), including WORM cartridges. Encryption is performed at full line speed in the tape drive after compression (compression is more efficiently done before encryption). This new capability adds a strong measure of security to stored data without the processing overhead and performance degradation associated with encryption performed on the server or the expense of a dedicated appliance.
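The ordering point above (compress first, then encrypt), shown as an added example that is not IBM code. A keystream built from HMAC-SHA256 stands in for the drive's hardware cipher and zlib for its compression; the record data, key, and nonce are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed inputs: repetitive records, a fixed demo key and nonce.
SAMPLE = b"".join(b"record %06d volume=A%05d status=OK\n" % (i, i % 50) for i in range(2000))
KEY = bytes(range(32))
NONCE = b"constructed-nonce"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), not the drive's cipher.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compress_then_encrypt(plaintext: bytes) -> bytes:
    """The order the page describes: compress first, then encrypt."""
    return keystream_xor(KEY, NONCE, zlib.compress(plaintext, 9))


def encrypt_then_compress(plaintext: bytes) -> bytes:
    """Reversed order: the compressor only ever sees ciphertext."""
    return zlib.compress(keystream_xor(KEY, NONCE, plaintext), 9)


def read_back(stored: bytes) -> bytes:
    """Undo compress_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(KEY, NONCE, stored))


if __name__ == "__main__":
    good, bad = compress_then_encrypt(SAMPLE), encrypt_then_compress(SAMPLE)
    print(f"plaintext             {len(SAMPLE):>7} bytes")
    print(f"compress then encrypt {len(good):>7} bytes")
    print(f"encrypt then compress {len(bad):>7} bytes")
    assert read_back(good) == SAMPLE
```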

Note: The IBM Encryption Key Manager is not supported for use with TS1140 Tape Drives. If encryption is used, either the Tivoli Key Lifecycle Manager (TKLM) or the IBM Security Key Lifecycle Manager (ISKLM) must be used.

Three major elements comprise the tape drive encryption solution:
Encryption-enabled tape drive
All TS1150 Tape Drives, TS1140 Tape Drives, and TS1130 Tape Drives are encryption-capable. All TS1120 Tape Drives installed with FC 5592 or 9592 are encryption-capable. This means that they are functionally capable of performing hardware encryption, but this capability is not yet activated. To perform hardware encryption, TS1150 Tape Drives, TS1140 Tape Drives, TS1130 Tape Drives and TS1120 Tape Drives must be encryption-enabled. In a TS3500 or TS4500 Tape Library, these tape drives can be encryption-enabled through the tape library management GUI. When TS1150 Tape Drives, TS1140 Tape Drives, TS1130 Tape Drives or TS1120 Tape Drives are attached to a controller, an IBM representative is required to set up the drive as encryption-enabled. Only encryption-enabled TS1150 Tape Drives, TS1140 Tape Drives, TS1130 Tape Drives or TS1120 Tape Drives can be used to read and write encrypted 3592 Tape Cartridges.
Encryption key management
Encryption involves the use of several kinds of keys in successive layers. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment in which the encrypting tape drive is installed. Some applications perform key management. For environments without such applications, IBM provides a key server such as the IBM Encryption Key Server component for the Java™† platform or the Tivoli® Key Lifecycle Manager to perform all necessary key management tasks. The topic Managing tape encryption describes these tasks in more detail.
Encryption policy configuration
Encryption policy configuration is the set of rules, or policies, that specify which volumes are to be encrypted. How and where these rules are established depends on the existing operating environment. For more information, see Managing tape encryption.

The tape drive encryption solution supports:
  • Out-of-band key exchanges (network connection to encryption key servers)
  • Key specification by one or two Key Encryption Key (KEK) labels or the use of default key labels
  • Label and hash key methods
  • Up to two encryption key servers

† Refer to the topic Trademarks in the Related information section for complete attribution.