Encrypting tape drive

Several tape library models, such as the IBM® System Storage® TS1120 and IBM Ultrium 4, provide data encryption and key management for backup data. The standalone tape drives do not support encryption. These tape drives must be part of a tape library with encryption capabilities.

You also can perform unencrypted save operations with tape libraries that support encryption.

The encrypting tape drive uses the IBM Encryption Key Manager (EKM) to manage the encryption keys. You can use the encrypting tape drive to save and restore encrypted data, or duplicate encrypted tapes. You can use save/restore commands or Backup, Recovery, and Media Services (BRMS) to back up the data using the encrypting tape drive. You can duplicate encrypted tapes.

For System i® environments, the encrypting tape drive must reside in a tape library because the library handles communications with the EKM.

At least two instances of the EKM need to be available in the network so that encryption keys can be provided when needed. The EKM needs to run on a system or logical partition where the backups are not encrypted. That way, you can recover the EKM and its required objects and have the keys for the encrypted saves available.

In a disaster recovery situation, if you are using an encrypting tape drive, you need to access another encrypting tape drive and need to access the keystore and EKM configuration information at the recovery site.

For more information about using the EKM, see IBM Encryption Key Manager Introduction, Planning, and User's Guide, GA76-0418, in the IBM Publications Center. Each of the manuals is available from the IBM Publications Center as a printed hardcopy that you can order, in an online format that you can download at no charge, or both.