Tape encryption overview

This overview describes tape encryption in the TS3500 tape library.

The IBM® TS1120 (3592 Model E05) and later tape drives can encrypt data as it is written to any size IBM Enterprise tape cartridge 3592, including WORM cartridges. The IBM TS1040 LTO 4 and later tape drives can also encrypt data as it is written to any LTO 4 or later data cartridge. Encryption is performed at full line speed in the tape drive after compression. (Data is compressed more efficiently before it is encrypted.) This capability adds a strong measure of security to stored data without adding processing overhead or degrading performance.
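The effect of that ordering can be measured with a short experiment. This is an added example, not IBM code: zlib stands in for the drive's compression, a toy SHA-256 keystream stands in for its hardware cipher, and the sample data and key are constructed.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || offset) blocks.

    Stand-in for the drive's cipher (an assumption for this demo).
    It only needs to produce random-looking output; do not reuse it.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """Order used by the drive: compress first, then encrypt."""
    return keystream_xor(key, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """Reversed order: the compressor only ever sees ciphertext."""
    return zlib.compress(keystream_xor(key, data), 9)


def read_back(key: bytes, blob: bytes) -> bytes:
    """Inverse of compress_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))


# Constructed sample: repetitive, log-like records (roughly 100 KB).
SAMPLE = b"".join(
    b"2024-01-01T00:00:%02d host=db01 status=OK bytes=4096\n" % (i % 60)
    for i in range(2000)
)
KEY = b"constructed-demo-key"  # constructed value, demo only


def size_report() -> dict:
    """Bytes that would land on the medium for each ordering."""
    return {
        "plaintext": len(SAMPLE),
        "compress_then_encrypt": len(compress_then_encrypt(KEY, SAMPLE)),
        "encrypt_then_compress": len(encrypt_then_compress(KEY, SAMPLE)),
    }


if __name__ == "__main__":
    for name, size in size_report().items():
        print(f"{name:>24}: {size} bytes")
```

Ciphertext has no redundancy left for a compressor to find, so the reversed order stores at least as many bytes as the plaintext, while the drive's order keeps the full compression gain.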

The following three major elements comprise the tape drive encryption solution:
The encryption-enabled tape drive
The TS1130 Model E06 tape drives and the LTO 4 and later drives are encryption-capable. All TS1120 Model E05 tape drives with Feature Code 5592 or 9592 are encryption-capable. Encryption capability means that they are functionally capable of performing hardware encryption, but this capability is not yet activated. To perform hardware encryption, the tape drives must be encryption-enabled. Encryption can be enabled on the encryption-capable tape drives through the Tape Library Specialist Web interface. Refer to Setting up and using encryption for more information.
Note: FC 1604, Transparent LTO Encryption, is required for system-managed or library-managed encryption on LTO tape drives. It is not required for application-managed encryption.
Encryption key management
Encryption involves the use of several kinds of keys in successive layers. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some data management applications, such as Tivoli® Storage Manager, can perform key management. For environments without such applications, or environments where application-independent encryption is necessary, IBM provides a key manager to perform all necessary key management tasks. Provided key managers include:
  • The IBM Encryption Key Manager component for the Java™ platform
  • The IBM Security Key Lifecycle Manager (formerly the Tivoli Key Lifecycle Manager)
See Managing encryption for more information.
Encryption policy
This is the method that is used to implement encryption. It includes the rules that govern which volumes are encrypted and the mechanism for key selection. How and where these rules are set up depends on the operating environment. See Managing encryption for more information about each of the available methods.
Note: In the tape storage environment, the encryption function on tape drives (desktop, stand-alone, and within libraries) is configured and managed by the customer. It is not configured and managed by the IBM System Services Representative (SSR). In some instances, SSRs are required to enable encryption at a hardware level when service access or service-password-controlled access is required. Customer setup support is provided by the field technical sales specialist (FTSS), customer documentation, and software support for encryption software problems. Customer how-to support is also provided with the support line contract.