IBM Support

Tape encryption can be unexpectedly turned off when using DRIVEENCRYPT=ALLOW with OEM IBM library encryption solutions

Flashes (Alerts)


Abstract

Tivoli Storage Manager might turn off tape encryption with OEM IBM library solutions, leaving data on volumes unencrypted. When using these OEM solutions, the device class parameter DRIVEENCRYPT should be set to EXTERNAL instead of the default value, ALLOW. This problem is further addressed by APAR IC73806.

Content

Three tape encryption methods are available for encrypting data with IBM hardware: Application Managed Encryption (AME), Library Managed Encryption (LME), and System Managed Encryption (SME). Tivoli Storage Manager encryption behavior is controlled through the device class parameter DRIVEENCRYPT, which can be set to ON, OFF, ALLOW (the default), or EXTERNAL. The ON and OFF values assume that the drives are configured for AME. When the parameter is set to ON, Tivoli Storage Manager actively encrypts data and manages the encryption keys. When the value is OFF, Tivoli Storage Manager disables encryption. The ALLOW value is meant for LME or SME configurations, in which Tivoli Storage Manager takes no role in the encryption.

The primary problem occurs when using OEM encryption solutions for IBM hardware, because these solutions take responsibility for encryption by managing the encryption keys and enabling or disabling encryption at the library level. However, instead of using LME, each OEM solution requires the drives to be configured for AME. This creates a "pseudo-LME" configuration. If this configuration is combined with the device class setting DRIVEENCRYPT=ALLOW, the Tivoli Storage Manager server still assumes it is responsible for encryption and turns encryption off, contrary to the intent of the OEM encryption solution.

The required configuration in this case would be to specify DRIVEENCRYPT=EXTERNAL. The EXTERNAL value prevents the Tivoli Storage Manager server from interfering with encryption settings regardless of the drive's configuration. Encryption is not altered in any circumstances for drives that are configured for AME, LME, or SME. The Tivoli Storage Manager server assumes that some external entity is handling encryption if the DRIVEENCRYPT parameter is set to the EXTERNAL value.

The following table explains encryption behavior for different values of the DRIVEENCRYPT parameter:



Drive Configuration | DRIVEENCRYPT Value | Encryption Behavior
--- | --- | ---
LME or SME | ALLOW | TSM does not manage encryption but allows a third party using LME or SME to do it.
LME or SME | ON | Mount failure
LME or SME | OFF | Mount failure
LME or SME | EXTERNAL | Assumed external encryption -- TSM does not alter any encryption settings.
AME | ALLOW | TSM disables encryption.
AME | ON | TSM enables encryption and data is encrypted, with TSM managing the encryption keys.
AME | OFF | TSM disables encryption.
AME | EXTERNAL | Assumed external encryption -- TSM does not alter any encryption settings. **

    ** NOTE: A common situation would be to configure all drives for AME, and then set up two storage pools with device classes pointing to the same library and drives. One device class would enable encryption with a DRIVEENCRYPT=ON setting, and the other would not use encryption (with a setting of OFF or ALLOW). In this situation, the EXTERNAL value cannot be used for the non-encryption device class. Specifying EXTERNAL does not change encryption settings, so if a drive was previously used for an encryption operation and is then used by the DRIVEENCRYPT=EXTERNAL device class, it is still enabled for encryption. Using a value of EXTERNAL prevents the server from changing this setting, which can lead to intermittent mount failures.

A server option that can be used instead of the device class parameter is also available. The EXTERNALENCRYPTION option accepts values of ON or OFF. OFF is the default value. This option affects all storage pools and device classes, so it is recommended to use the device class parameter instead of the option for more granular control of this behavior.

APAR IC73806 has been created to provide a warning about this situation. Any time the Tivoli Storage Manager server detects that a drive is using AME with encryption enabled and the requested mount specifies DRIVEENCRYPT=ALLOW, the server issues a warning message to indicate that encryption is being disabled.


Environments affected:
All Tivoli Storage Manager servers using the device class setting DRIVEENCRYPT=ALLOW and managing IBM OEM tape encryption solutions. The current IBM OEM encryption solutions are provided by NEC, SpectraLogic, and Fujitsu.

This issue affects all IBM drives that support tape encryption with Tivoli Storage Manager:
  • TS1120
  • TS1130
  • LTO4 (IBM only)
  • LTO5 (IBM only)

The following configurations are not affected:
  • Non-IBM encryption solutions.
  • Non-OEM IBM encryption solutions.
  • Any Tivoli Storage Manager server using the DRIVEENCRYPT parameter with ON, OFF, or EXTERNAL values. This situation only affects Tivoli Storage Manager servers using DRIVEENCRYPT=ALLOW.
  • Tape encryption configurations with drives using LME or SME. This situation only affects drives configured for AME encryption.

Recommendation

The following actions should be taken immediately:

  1. Determine which volumes should be encrypted with this "pseudo-LME" configuration, but reside in a storage pool that uses a device class with DRIVEENCRYPT=ALLOW.
  2. Mark all filling volumes from step 1 as READONLY.
  3. Any future backup or archive operations to this "pseudo-LME" configuration must be completed using a storage pool that has a device class with DRIVEENCRYPT=EXTERNAL. A new storage pool and device class can be created or the existing device class can be updated to change the DRIVEENCRYPT parameter to EXTERNAL.
  4. It should be assumed that any volumes from step 1 are unencrypted. Precaution should be taken to move the data on these volumes to new volumes in a storage pool that uses DRIVEENCRYPT=EXTERNAL and tape hardware configured for encryption. This process can be done volume by volume through the MOVE DATA command or it can be done over time with migration or reclamation.
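An audit helper for the procedure above, added here as an example and not part of the IBM flash or of the Tivoli Storage Manager product: it identifies the storage pools whose device class still uses DRIVEENCRYPT=ALLOW, lists their volumes, and emits the corresponding UPDATE VOLUME, UPDATE DEVCLASS and MOVE DATA administrative commands for steps 2 to 4. The tab-delimited query rows are constructed sample data with an assumed column layout, and the target storage pool TAPEPOOL_ENC is assumed to already exist with a DRIVEENCRYPT=EXTERNAL device class.

```python
from typing import Dict, List, Tuple

# Constructed sample data, assumed to be tab-delimited rows as produced by
# "dsmadmc -dataonly=yes -tabdelimited" for SELECT queries; the exact column
# layout is an assumption made for this example, not IBM's documented output.
DEVCLASS_ROWS = "LTO5ENC\tEXTERNAL\nLTO5ALLOW\tALLOW\nLTO5ON\tON\n"          # devclass, DRIVEENCRYPT
STGPOOL_ROWS = "TAPEPOOL_ENC\tLTO5ENC\nTAPEPOOL\tLTO5ALLOW\nCOPYPOOL\tLTO5ON\n"  # pool, devclass
VOLUME_ROWS = ("A00001L5\tTAPEPOOL\tFilling\n"                               # volume, pool, status
               "A00002L5\tTAPEPOOL\tFull\n"
               "A00003L5\tTAPEPOOL_ENC\tFilling\n"
               "A00004L5\tCOPYPOOL\tFilling\n")


def parse_rows(text: str) -> List[List[str]]:
    """Split tab-delimited query output into rows of fields."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def at_risk_pools(devclass_rows: str, stgpool_rows: str) -> Dict[str, str]:
    """Storage pools whose device class uses DRIVEENCRYPT=ALLOW -> that device class.
    With AME-configured drives and an OEM key manager, the server writes to these
    pools with encryption turned off."""
    allow = {dc for dc, enc in parse_rows(devclass_rows) if enc.upper() == "ALLOW"}
    return {pool: dc for pool, dc in parse_rows(stgpool_rows) if dc in allow}


def at_risk_volumes(volume_rows: str, pools: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Every volume in an at-risk pool, whatever its status: all of them must be
    assumed unencrypted (step 4), not only the filling ones."""
    return [(v, p, s) for v, p, s in parse_rows(volume_rows) if p in pools]


def remediation_commands(devclass_rows: str, stgpool_rows: str,
                         volume_rows: str, target_pool: str) -> List[str]:
    """Emit the admin commands for steps 2 to 4. target_pool is assumed to exist
    already with a DRIVEENCRYPT=EXTERNAL device class (assumption of this example)."""
    pools = at_risk_pools(devclass_rows, stgpool_rows)
    vols = at_risk_volumes(volume_rows, pools)
    cmds = []
    for vol, _pool, status in vols:                      # step 2: freeze filling volumes
        if status.lower() == "filling":
            cmds.append(f"UPDATE VOLUME {vol} ACCESS=READONLY")
    for dc in sorted(set(pools.values())):               # step 3: stop new unencrypted writes
        cmds.append(f"UPDATE DEVCLASS {dc} DRIVEENCRYPT=EXTERNAL")
    for vol, _pool, _status in vols:                     # step 4: rewrite data under EXTERNAL
        cmds.append(f"MOVE DATA {vol} STGPOOL={target_pool}")
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(DEVCLASS_ROWS, STGPOOL_ROWS, VOLUME_ROWS, "TAPEPOOL_ENC"):
        print(cmd)
```

The emitted commands are intended to be reviewed and then run from the administrative client; the MOVE DATA step can equally be left to migration or reclamation over time, as the recommendation notes.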


Fix Availability Schedule

Apply the fix for IC73806 found in one of the following levels: 5.5.6, 6.1.5, and 6.2.3.


Document Information

Modified date:
25 September 2022

UID

swg21459734