Tivoli Storage Manager server support for LTO-4 drives and LTO-4 drive encryption is available beginning in Interim Fix 18.104.22.168 and Fix Pack 5.4.1. When enabled, Tivoli Storage Manager handles encrypting and decrypting data on tapes, according to specifications set when defining the device class. Tape device encryption provides security for data on individual tapes and protects sensitive information that may be transported off-site.
IBM LTO-4 drive support
Tivoli Storage Manager supports the following media for LTO-4 drives:
- Ultrium 2 200GB data cartridge (Read Only )
- Ultrium 3 400GB data cartridge
- Ultrium 4 800GB data cartridge
WORM media is supported with LTO-4 drives. Pre-labeled WORM media is not supported with the LTO-4 WORM drive. WORM media is not compatible with drive encryption.
Define a device class for an IBM TS3580 ULTRIUM 4 drive. Use the following when defining device classes for LTO-4 drives:
DRIVE - The server selects the highest format that is supported by the drive on which a volume is mounted.
ULTRIUM4 - Specifies that Tivoli Storage Manager writes data that uses the ULTRIUM4 recording format. The cartridge capacity is 800GB when Ultrium Generation 4 media is used.
ULTRIUM4C - Specifies that Tivoli Storage Manager writes data that uses the ULTRIUM4 recording format with compression. The cartridge capacity is 1.6 TB when Ultrium Generation 4 media is used.
ULTRIUM3 - Specifies that TSM writes data that uses the ULTRIUM recording format. This format results in a cartridge capacity of 400GB when using Ultrium Generation 3 media.
ULTRIUM3C - Specifies that TSM writes data that uses the ULTRIUM recording format with compression. This format results in a cartridge capacity of approximately 800GB when using Ultrium Generation 3 media.
1. DEFine DEVClass devclassname library_name DEVType=LTO FORMAT=ULTRIUM4
2. DEFine DEVClass devclassname library_name DEVType=LTO FORMAT=ULTRIUM4C
3. DEFine DEVClass devclassname library_name DEVType=LTO FORMAT=ULTRIUM3
4. DEFine DEVClass devclassname library_name DEVType=LTO FORMAT=ULTRIUM3C
Device identifications and firmware levels:
IBM TS2340 (with encryption)
Drive ID : IBM ULT3580-TD4
Firmware : 74H1 and 7590
IBM TS2240 (with encryption)
Drive ID : IBM ULTRIUM-HH4 ( SAS interface )
Firmware : 7A31
IBM HH LTO Gen 4 (with encryption)
Drive ID : IBM HH LTO Gen 4
Firmware : 81S0
** IBM Half High LTO Gen 4 is supported only on Windows for xSeries systems. TSM version 5.5.2 or later is required. **
actidata actiTape LTO-4 Half Height
Drive ID: IBM ULTRIUM-HH4
Dell Powervault LTO4-120HH
Drive ID: IBM ULTRIUM-HH4
*Supported on Windows only. The device driver must be downloaded from the Dell website.
Imation LR1100 LTO-4 and Imation LTO-4 HH
Drive ID : IBM ULTRIUM-HH4
Tandberg 1640LTO (without encryption)
Drive ID: IBM ULTRIUM-TD4
Sun StorageTek T1600 (without Encryption)
Drive ID: IBM ULTRIUM-TD4
Sun StorageTek IBM LTO4-E
Drive ID: IBM ULTRIUM-TD4
** Application Managed Encryption (AME) is not supported. Encryption is supported through the Sun StorageTek Crypto Key Management System (KMS) version 2.0 or later only. **
The IBM device driver is required and can be downloaded from
IBM LTO-4 drive encryption support
It is often critical to secure client data, especially when that data may be of a sensitive nature. To ensure that data for off-site volumes is protected, IBM tape encryption technology is available. This technology utilizes a stronger level of encryption by requiring 256-bit Advanced Encryption Standard (AES) encryption keys. Keys are passed to the drive by a key manager in order to encrypt and decrypt data.
The Application method of encryption is supported for IBM tape with IBM LTO-4 drives. With this method, encryption keys are managed by the application, in this case, Tivoli Storage Manger. Tivoli Storage Manager generates and stores the keys in the server database. Data is encrypted during WRITE operations, when the encryption key is passed from the server to the drive. Data is decrypted on READ operations.
Warning: When using Application encryption, you must take extra care to secure database backups since the encryption keys used to encrypt and decrypt data are stored in the server database. In order to restore your data, you must have the correct database backup and corresponding encryption keys to access your information. Ensure that you back up the database frequently and safeguard the backups to prevent data loss or theft. Anyone who has access to both the database backup and the encryption keys has access to your data.
Encryption support is set up at the hardware level. Tivoli Storage Manager cannot control or change an encryption method that is used in the hardware configuration. If the hardware is set up for the Application method, Tivoli Storage Manager can turn encryption on or off depending on the DRIVEENCRYPTION value on the device class. Tivoli Storage Manager server will not display a warning message if the DRIVEENCRYPTION parameter is set to ON for drives other than IBM LTO-4 even though no encryption is occurring.
Using Drive Encryption
In order to utilize drive encryption, your Tivoli Storage Manager environment should be set up so that all drives in a library support the new encryption format. In addition, all drives within a logical library must use the same method of encryption. Tivoli Storage Manager does not support an environment in which some drives use the Application method and some drives use another method of encryption.
When using encryption-capable drives with the Application method, a new format will be used to write encrypted data to tapes. If data is written to volumes using the new format and if the volumes are then returned to scratch, they will contain labels that are only readable by encryption-enabled drives. To use these scratch volumes in a drive that is not enabled for encryption, either because the hardware is not capable of encryption or because the encryption method is set to OFF, you must relabel them.
For more information on setting up your hardware environment to use drive encryption, refer to your hardware documentation.
Specifying the DRIVEENCRYPTION Parameter
The DRIVEENCRYPTION parameter is only supported for LTO-4 (ULTRIUM4 and ULTRIUM4C) formats. It specifies whether or not drive encryption is enabled or can be enabled. Application encryption is supported with LTO-4 drives.
To utilize this method, the parameter must be set to ON. This permits the encryption of data for empty storage pool volumes. When the parameter is set to ON, backup operations will fail if the hardware is configured for another encryption method.
To disable encryption on new volumes, the parameter should be set to OFF. If the hardware is configured to encrypt data through a method other than Application encryption, and DRIVEENCRYPTION is set to OFF, backup operations will fail.
The DRIVEENCRYPTION parameter is optional. The default value is to allow another method of encryption.
- Customer upgrading from Tivoli Storage Manager server 22.214.171.124 to 5.4 will see ANR999D messages related to LTO-4 drive support and encryption support. See the following technote ( 1258764 ) for more information
- Tivoli Storage Manager server 126.96.36.199, 188.8.131.52 or TSM 5.4.1 user will receive ANR8944E hardware or media error message on IBM LTO4 drives with KEY=04, ASC=44, ASCQ=00. See the following technote ( 1269649 ) for more information
- IC53162 TSM SERVER 184.108.40.206 IBM LTO-4 DRIVEENCRYPTION=ON FAILS TO ENCRYPT DATA WITH A UNIQUE, NONTRIVIAL KEY
- IC53695 TSM SERVER REPORTS ANR8302E BUT IGNORES THE ERROR.