Tape encryption overview
The Tape encryption overview describes tape encryption in the TS3500 tape library.
The IBM® TS1120 (3592 Model E05) and later tape drives can encrypt data as it is written to any size IBM Enterprise tape cartridge 3592, including WORM cartridges. The IBM TS1040 LTO 4 and later tape drives can also encrypt data as it is written to any LTO 4 or later data cartridge. Encryption is performed at full line speed in the tape drive after compression. (Data is compressed more efficiently before it is encrypted.) This capability adds a strong measure of security to stored data without processing overhead or performance degradation.
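The effect of that ordering (compress first, then encrypt), shown as an added example that is not IBM code. It assumes zlib and a SHA-256-based XOR keystream as stand-ins for the drive's compression and encryption hardware, and runs over constructed sample data.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || nonce || offset).

    Assumption for illustration only; this is not the cipher the tape drive
    uses and is not meant for protecting real data.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def stored_sizes(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Bytes that would reach the medium for each ordering of the two steps."""
    compress_then_encrypt = keystream_xor(key, nonce, zlib.compress(plaintext, 6))
    encrypt_then_compress = zlib.compress(keystream_xor(key, nonce, plaintext), 6)
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def round_trip(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Write path (compress, encrypt) followed by read path (decrypt, decompress)."""
    stored = keystream_xor(key, nonce, zlib.compress(plaintext, 6))
    return zlib.decompress(keystream_xor(key, nonce, stored))


# Constructed sample: repetitive backup-log text, typical of compressible data.
SAMPLE = b"".join(
    b"2024-01-%02d backup job %04d status=OK bytes=1048576\n" % (i % 28 + 1, i)
    for i in range(2000)
)
KEY = bytes(range(32))        # constructed key, not a real data key
NONCE = b"constructed-nonce"  # constructed value

if __name__ == "__main__":
    for name, size in stored_sizes(SAMPLE, KEY, NONCE).items():
        print(f"{name:24s} {size:8d} bytes")
    print("round trip intact:", round_trip(SAMPLE, KEY, NONCE) == SAMPLE)
```

Ciphertext looks random to the compressor, so encrypting first leaves nothing to compress, while encrypting the compressed stream keeps the full compression gain.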
The following three major elements comprise the tape drive encryption solution:
- The encryption-enabled tape drive
  The TS1130 Model E06 tape drives and the LTO 4 and later drives are encryption-capable. All TS1120 Model E05 tape drives with Feature Code 5592 or 9592 are encryption-capable. Encryption capability means that they are functionally capable of performing hardware encryption, but this capability is not yet activated. To perform hardware encryption, the tape drives must be encryption-enabled. Encryption can be enabled on the encryption-capable tape drives through the Tape Library Specialist Web interface. Refer to Setting up and using encryption for more information.
  Note: FC 1604, Transparent LTO Encryption, is required for system-managed or library-managed encryption on LTO tape drives. It is not required for application-managed encryption.
- Encryption key management
  Encryption involves the use of several kinds of keys in successive layers. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some data management applications, such as Tivoli® Storage Manager, can perform key management. For environments without such applications, or environments where application-independent encryption is necessary, IBM provides a key manager to perform all necessary key management tasks. Provided key managers include:
  - The IBM Encryption Key Manager component for the Java™ platform
  - The IBM Security Key Lifecycle Manager (formerly the Tivoli Key Lifecycle Manager)
- Encryption policy
  This is the method that is used to implement encryption. It includes the rules that govern which volumes are encrypted and the mechanism for key selection. How and where these rules are set up depends on the operating environment. See Managing encryption for more information about each of the available methods.
Note: In the tape storage environment, the encryption function on tape drives (desktop, stand-alone, and within libraries) is configured and managed by the customer. It is not configured and managed by the IBM System Services Representative (SSR). In some instances, SSRs are required to enable encryption at a hardware level when service access or service password controlled access is required. Customer setup support is provided by the field technical sales specialist (FTSS), customer documentation, and software support for encryption software problems. Customer how-to support is also provided with the support line contract.