Data encryption is an important tool for protecting against the possible misuse of confidential information that could occur should tapes be lost or stolen. The 3592 Model E05, Model E06, and Model E07 support tape encryption with the actual encryption and decryption of the data occurring outboard in the tape drive itself. References in this document to "encryption-capable," mean that the encryption feature in the drive has been enabled and the drive is capable of encrypting. In other documents, this may be referred to as "encryption-enabled." For further discussion of encryption-enablement and any MES capabilities, refer to IBM System Storage TS1120/TS1130 Tape Drive and Controller Introduction and Planning Guide 3592 Models J1A, E05, E06, E07, J70, C06, and C07 and IBM System Storage TS1120/TS1130 Tape Drive and Controller Operator Guide 3592 Models J1A, E05, E06, E07, J70, C06, and C07

The DFSMS tape subsystem encryption support allows specification by data class that data is to be encrypted when stored on an encryption-capable tape drive. In addition to this, the key label-related information that is used to encrypt the data key (of a tape cartridge) can be specified through the DD statement (JCL, dynamic allocation, and TSO ALLOCATE), data class or Encryption Key Manager (EKM) defaults. When the encryption-capable tape drive needs a key to perform an encrypted write, a data key is generated by the EKM. The data key used to encrypt the data on a tape cartridge is itself encrypted (using the public key of a public/private key pair) with either one or two key encrypting keys (KEKs) stored in the key stores. The KEKs are maintained by the EKM through an existing key store and are pointed to by the appropriate KEK label, also referred to as the key label.

The communication path to the Encryption Key Manager (EKM) is across TCP/IP with the choice to go either in-band or out-of-band for the key management flow. With out-of-band key management, the communication path to the Encryption Key Manager is handled by the control unit going directly to the Encryption Key Manager. Then for in-band key management, the communication path to the Encryption Key Manager is handled across ESCON/FICON with a new IOS proxy interface in z/OS then handling the key exchange (across TCP/IP) with the Encryption Key Manager. The IOS proxy interface supports both a primary and a secondary encryption key manager.

An encryption capable 3592 Model E05 records in the non-encryption enterprise format 1 (EFMT1) and enterprise format 2 (EFMT2) recording formats, and also records in the encryption specific recording format (enterprise encrypted format 2 (EEFMT2)). The EEFMT2 recording format is supported across all of the 3592 media types (MEDIA5, MEDIA6, MEDIA7, MEDIA8, MEDIA9, and MEDIA10). Although the 3592 Model E05 can record in a lower (EFMT1) and a higher (EFMT2) recording format, an encrypted version of the lower recording format (EFMT1) is not supported. Only the higher recording format (EFMT2) is supported with an encrypted version (EEFMT2). You can also use the Performance Scaling and Performance Segmentation data class options, applicable with MEDIA5 and MEDIA9, with EEFMT2. The capacities of EMFT2 and EEFMT2 written tapes are the same.

The 3592 Model E06 records in non-encryption enterprise format 2 (EFMT2) and 3 (EFMT3), as well as encrypted enterprise format 2 (EEFMT2) and 3 (EEFMT3). The encryption formats (EEFMT2 and EEFMT3) are supported across media types MEDIA5, MEDIA6, MEDIA7, MEDIA8, MEDIA9, and MEDIA10. You can also use the Performance Scaling and Performance Segmentation data class options, applicable with MEDIA5 and MEDIA9, with EEFMT2 or EEFMT3. The capacities of EMFT3 and EEFMT3 written tapes are the same.

The 3592 Model E07 records in non-encryption enterprise format 3 (EFMT3) and 4 (EFMT4), as well as encrypted enterprise format 3 (EEFMT3) and 4 (EEFMT4). EFMT3 and EEFMT3 can be recorded only on media types MEDIA9 and MEDIA10. EFMT4 and EEFMT4 are supported with 3592 media types MEDIA9, MEDIA10, MEDIA11, MEDIA12, and MEDIA13. You can also use the Performance Scaling and Performance Segmentation data class options, applicable with MEDIA9 and MEDIA11, with the encrypted formats (EEFMT3 or EEFMT4). The capacities of EMFT4 and EEFMT4 written tapes are the same.

When writing from the beginning of tape (file sequence 1, DISP=NEW), the encryption capable 3592 Model E05 drive records in the non-encryption recording format (EFMT2) by default; this default is set by z/OS OPEN processing. Lower format EFMT1 and encryption format EEFMT2 must be explicitly requested through data class. The 3592 Model E06 drives records in the non-encryption recording format (EFMT3) by default. Lower formats EFMT2 and EEFMT2, as well as the encryption format EEFMT3, must be explicitly requested through data class. The 3592 Model E07 drives records in the non-encryption recording format (EFMT4) by default. Lower formats EFMT3 and EEFMT3, as well as the encryption formats EEFMT4, must be explicitly requested through data class.

When writing from the beginning of the tape (file sequence 1, DISP=OLD), since this processing does not go through the data class ACS routine, OPEN processing determines if the previous usage of the tape was encrypted and if encrypted, OPEN will explicitly set the EEFMT2 format (3592 Model E05), the EEFMT3 format (3592 Model E06), or the EEFMT4 format (3592 Model E07) with the volume's existing key management-related information being used by the drive to encrypt the data.

For an encrypted tape cartridge, the cartridge stores not only the encrypted user data but also critical key management-related information which is needed to interact with the key manager when decrypting data on the cartridge. A mix of data written in encrypted and non-encrypted formats is not supported on the same tape cartridge; whether the data on a cartridge is written in encrypted format is determined during OPEN processing, when the first file sequence on the tape is written. If the first file written to a tape is in the encrypted format; all subsequent files written to that tape cartridge are written in the encrypted format. All files written to a cartridge in the encrypted format are encrypted using the same data key. The exception to this is the volume label structure for the first file sequence, which is encrypted using a key known to all encryption capable 3592 drives.

In the 3592 Model E05, Model E06, and Model E07 environment (system-managed or stand-alone), when writing from the beginning of tape (file sequence 1, DISP=NEW), to request the encryption format, EEFMT2 or EEFMT3 or EEFMT4 is specified in data class. OPEN processing passes key management-related information (such as the key labels) to the drive for subsequent communication with the key manager.

For more information regarding the DFSMS encryption support, the encryption key manager (EKM), and the IOS proxy interface to the encryption key manager, refer to z/OS DFSMS Software Support for IBM System Storage TS1140, TS1130, and TS1120 Tape Drives (3592).