Data encryption is an important tool for protecting against the possible misuse of confidential information, which could occur if tapes are lost or stolen. The 3592 Model E05, Model E06, and Model E07 support tape encryption with the actual encryption and decryption of the data occurring outboard in the tape drive itself. For further discussion of encryption-enablement and any MES capabilities in 3992 Models E05 and E06, refer to IBM System Storage TS1130 Tape Drive and TS1120 Tape Drive and Controller Introduction and Planning Guide 3592 Models J1A, E05, E06, EU6, J70, and C06 and IBM System Storage TS1130 Tape Drive and TS1120 Tape Drive and Controller Operator Guide 3592 Models J1A, E05, E06, EU6, J70, and C06. For further discussion of encryption-enablement and any MES capabilities in the 3592 Model E07, refer to IBM System Storage TS1130 Tape Drive and TS1120 Tape Drive and Controller Introduction and Planning Guide 3592 Models J1A, E05, E06, E07, J70, C06, and C07 and IBM System Storage TS1130 Tape Drive and TS1120 Tape Drive and Controller Operator Guide 3592 Models J1A, E05, E06, E07, J70, C06, and C07.

With the DFSMS tape subsystem encryption support, you can specify data class to have data encrypted when it is stored on an encryption-capable tape drive. In addition to this, the key label-related information that is used to encrypt the data key (of a tape cartridge) can be specified through the DD statement (JCL, dynamic, allocation and TSO ALLOCATE), data class, or encryption key manager (EKM) defaults. When the encryption-capable tape drive needs a key to perform an encrypted write, a data key is generated by the EKM. The data key used to encrypt the data on a tape cartridge is itself encrypted (using the public key of a public/private key pair) with either one or both key encrypting keys (KEKs) stored in the key stores. The KEKs are maintained by the EKM through an existing key store and are pointed to by the appropriate KEK label, which is also referred to as the key label.

The communication path to the encryption key manager (EKM) is across TCP/IP with the choice to go either in-band or out-of-band for the key management flow. With out-of-band key management, the communication path to the encryption key manager is handled by the control unit going directly to the encryption key manager. With in-band key management, the communication path to the encryption key manager is handled across ESCON/FICON with an IOS proxy interface in z/OS then handling the key exchange (across TCP/IP) with the encryption key manager. The IOS proxy interface supports both a primary and a secondary encryption key manager.

An encryption-capable 3592 Model E05 records in the existing non-encryption enterprise format 1 (EFMT1) and enterprise format 2 (EFMT2) recording formats, and also records in the encryption specific recording format (enterprise encrypted format 2 (EEFMT2)). The EEFMT2 recording format is supported across the MEDIA5, MEDIA6, MEDIA7, MEDIA8, MEDIA9, and MEDIA10 media types. Although the 3592 Model E05 can record in a lower (EFMT1) and a higher (EFMT2) recording format, an encrypted version of the lower recording format (EFMT1) is not supported. Only the higher recording format (EFMT2) is supported with an encrypted version (EEFMT2). You can also use the Performance Scaling and Performance Segmentation data class options, applicable with MEDIA5 and MEDIA9, with the encryption format EEFMT2. The capacities of EMFT2 and EEFMT2 written tapes are the same.

The 3592 Model E06 records in non-encryption enterprise format 2 (EFMT2) and 3 (EFMT3), as well as encrypted enterprise format 2 (EEFMT2) and 3 (EEFMT3), but does not record in non-encryption enterprise format 1 (EFMT1). The encryption formats (EEFMT2 and EEFMT3) are supported across the MEDIA5, MEDIA6, MEDIA7, MEDIA8, MEDIA9, and MEDIA10 media types. You can also use the Performance Scaling and Performance Segmentation data class options, applicable with MEDIA5 and MEDIA9, with EEFMT2 or EEFMT3. The capacities of EMFT3 and EEFMT3 written tapes are the same.

The 3592 Model E07 records in non-encryption enterprise format 3 (EFMT3) and 4 (EFMT4), as well as encrypted enterprise format 3 (EEFMT3) and 4 (EEFMT4). EFMT3 and EEFMT3 can be written to media types MEDIA9 and MEDIA10 and EFMT4 and EEFMT4 can be read from and written to media types MEDIA9, MEDIA10, MEDIA11, MEDIA12 and MEDIA13. The 3592 Model E07 can also read the older recording formats EFMT1 (MEDIA5 through MEDIA8) and EFMT2, EEFMT2, EFMT3, and EEFMT3 (MEDIA5 through MEDIA10). You can also use the Performance Scaling and Performance Segmentation data class options, applicable with MEDIA9 and MEDIA11, with EEFMT3 or EEFMT4. The capacities of EMFT4 and EEFMT4 written tapes are the same.

When writing from the beginning of tape (file sequence 1, DISP=NEW), the encryption-capable 3592 Model E05 drive records in the non-encryption recording format (EFMT2) by default; this default is set by z/OS OPEN processing. Lower format EFMT1 and encryption format EEFMT2 must be explicitly requested through data class. The 3592 Model E06 drives records in the non-encryption recording format (EFMT3) by default. This default is set by z/OS OPEN processing. Lower formats EFMT2 and EEFMT2, as well as the encryption format EEFMT3, must be explicitly requested through data class. The 3592 Model E06 will not write in recording format EFMT1. The 3592 Model E07 drives records in the non-encryption recording format (EFMT4) by default. Lower formats EFMT3 and EEFMT3, as well as the encryption formats EEFMT4, must be explicitly requested through data class.

When writing from the beginning of the tape (file sequence 1, DISP=OLD), since this processing does not go through the data class ACS routine, OPEN processing determines if the previous usage of the tape was encrypted and if encrypted, OPEN will explicitly set the EEFMT2 format (3592 Model E05), the EEFMT3 format (3592 Model E06), or the EEFMT4 format (3592 Model E07) with the volume's existing key management-related information being used by the drive to encrypt the data.

For an encrypted tape cartridge, the cartridge stores not only the encrypted user data but also critical key management-related information which is needed to interact with the key manager when decrypting data on the cartridge. A mix of data written in encrypted and non-encrypted formats is not supported on the same tape cartridge; whether the data on a cartridge is written in encrypted format is determined during OPEN processing, when the first file sequence on the tape is written. If the first file written to a tape is in the encrypted format; all subsequent files written to that same tape cartridge will be written in the encrypted format. All files written to a cartridge in the encrypted format are encrypted using the same data key. The exception to this is the volume label structure for the first file sequence, which is encrypted using a key known to all encryption-capable 3592 drives, which means it is in the clear.

In the 3592 Model E05, Model E06, and Model E07 environment (system-managed or stand-alone), when writing from the beginning of tape (file sequence 1, DISP=NEW), to request encryption format, EEFMT2, EEFMT3, or EEFMT4 is specified in data class. OPEN processing passes key management-related information (such as the key labels) to the drive for subsequent communication with the key manager.

For more information regarding the DFSMS encryption support, the encryption key manager (EKM) and the IOS proxy interface to the encryption key manager, refer to z/OS DFSMS Software Support for IBM System Storage TS1140, TS1130, and TS1120 Tape Drives (3592).