IBM Ultrium Generation 4 (LTO-4) drive and drive encryption support

Product documentation


Abstract

Tivoli Storage Manager server support for LTO-4 drives and LTO-4 drive encryption is available beginning in Interim Fix 5.3.5.2 and Fix Pack 5.4.1. When enabled, Tivoli Storage Manager handles encrypting and decrypting data on tapes, according to specifications set when defining the device class. Tape device encryption provides security for data on individual tapes and protects sensitive information that may be transported off-site.

Content

Notes:

  • Administration Center support for LTO-4 drives and drive encryption is available with Tivoli Storage Manager Server version 5.5 and later.
  • LTO drive encryption is currently only supported with LTO tape drives manufactured by IBM.
  • Application Managed Encryption, with DRIVEENCRYPTION=ON, is only compatible with FORMAT=DRIVE if all the media in the device class's library supports encryption. If the library contains media that does not support encryption (e.g. LTO3 media), an explicit format must be used such as FORMAT=ULTRIUM4C
  • Tivoli Storage Manager supports Application Managed Encryption only when it is supported by the drive. Check with your hardware vendor to determine whether AME is supported.
  • IBM Tivoli Storage Manager for HP-UX supports IBM LTO-4 drive encryption in Fix Pack 5.3.6 and Interim Fix 5.4.1.1.
  • Application Managed Encryption is not supported with Tivoli Storage Manager Express.



    IBM LTO-4 drive support

    Tivoli Storage Manager supports the following media for LTO-4 drives:
    • Ultrium 2 200GB data cartridge (Read Only )
    • Ultrium 3 400GB data cartridge
    • Ultrium 4 800GB data cartridge

    WORM media is supported with LTO-4 drives. Pre-labeled WORM media is not supported with the LTO-4 WORM drive. WORM media is not compatible with drive encryption.

    Command Updates:

    DEFINE DEVCLASS


    Example
    Define a device class for an IBM TS3580 ULTRIUM 4 drive. Use the following when defining device classes for LTO-4 drives:


      devtype=LTO
      format=<DRIVE|ULTRIUM4|ULTRIUM4C|ULTRIUM3|ULTRIUM3C>

      DRIVE - The server selects the highest format that is supported by the drive on which a volume is mounted.

      ULTRIUM4 - Specifies that Tivoli Storage Manager writes data that uses the ULTRIUM4 recording format. The cartridge capacity is 800GB when Ultrium Generation 4 media is used.

      ULTRIUM4C - Specifies that Tivoli Storage Manager writes data that uses the ULTRIUM4 recording format with compression. The cartridge capacity is 1.6 TB when Ultrium Generation 4 media is used.

      ULTRIUM3 - Specifies that TSM writes data that uses the ULTRIUM recording format. This format results in a cartridge capacity of 400GB when using Ultrium Generation 3 media.

      ULTRIUM3C - Specifies that TSM writes data that uses the ULTRIUM recording format with compression. This format results in a cartridge capacity of approximately 800GB when using Ultrium Generation 3 media.

      1. DEFine DEVClass devclassname library_name DEVType=LTO FORMAT=ULTRIUM4

      2. DEFine DEVClass devclassname library_name DEVType=LTO FORMAT=ULTRIUM4C

      3. DEFine DEVClass devclassname library_name DEVType=LTO FORMAT=ULTRIUM3

      4. DEFine DEVClass devclassname library_name DEVType=LTO FORMAT=ULTRIUM3C



    UPDATE DEVCLASS


    Device identifications and firmware levels:
      IBM TS2340 (with encryption)
      Drive ID : IBM ULT3580-TD4
      Firmware : 74H1 and 7590

      IBM TS2240 (with encryption)
      Drive ID : IBM ULTRIUM-HH4 ( SAS interface )
      Firmware : 7A31

      IBM HH LTO Gen 4 (with encryption)
      Drive ID : IBM HH LTO Gen 4
      Firmware : 81S0
      ** IBM Half High LTO Gen 4 is supported only on Windows for xSeries systems. TSM version 5.5.2 or later is required. **

      actidata actiTape LTO-4 Half Height
      Drive ID: IBM ULTRIUM-HH4

      Dell Powervault LTO4-120HH
      Drive ID: IBM ULTRIUM-HH4
      *Supported on Windows only. The device driver must be downloaded from the Dell website.

      Imation LR1100 LTO-4 and Imation LTO-4 HH
      Drive ID : IBM ULTRIUM-HH4

      Tandberg 1640LTO (without encryption)
      Drive ID: IBM ULTRIUM-TD4
      Firmware: 74H4

      Sun StorageTek T1600 (without Encryption)
      Drive ID: IBM ULTRIUM-TD4
      Firmware: 7381

      Sun StorageTek IBM LTO4-E
      Drive ID: IBM ULTRIUM-TD4
      Firmware: 94D7
      ** Application Managed Encryption (AME) is not supported. Encryption is supported through the Sun StorageTek Crypto Key Management System (KMS) version 2.0 or later only. **


    Device Driver:
      The IBM device driver is required and can be downloaded from Fix Central.


    IBM LTO-4 drive encryption support

    Encrypting Data
    It is often critical to secure client data, especially when that data may be of a sensitive nature. To ensure that data for off-site volumes is protected, IBM tape encryption technology is available. This technology utilizes a stronger level of encryption by requiring 256-bit Advanced Encryption Standard (AES) encryption keys. Keys are passed to the drive by a key manager in order to encrypt and decrypt data.

    The Application method of encryption is supported for IBM tape with IBM LTO-4 drives. With this method, encryption keys are managed by the application, in this case, Tivoli Storage Manger. Tivoli Storage Manager generates and stores the keys in the server database. Data is encrypted during WRITE operations, when the encryption key is passed from the server to the drive. Data is decrypted on READ operations.

      Warning: When using Application encryption, you must take extra care to secure database backups since the encryption keys used to encrypt and decrypt data are stored in the server database. In order to restore your data, you must have the correct database backup and corresponding encryption keys to access your information. Ensure that you back up the database frequently and safeguard the backups to prevent data loss or theft. Anyone who has access to both the database backup and the encryption keys has access to your data.
    Application managed encryption is only supported for storage pool volumes. Other volumes such as backupset tapes, export volumes, and database backups will not be encrypted using the Application method.

    Encryption support is set up at the hardware level. Tivoli Storage Manager cannot control or change an encryption method that is used in the hardware configuration. If the hardware is set up for the Application method, Tivoli Storage Manager can turn encryption on or off depending on the DRIVEENCRYPTION value on the device class. Tivoli Storage Manager server will not display a warning message if the DRIVEENCRYPTION parameter is set to ON for drives other than IBM LTO-4 even though no encryption is occurring.

    Using Drive Encryption
    In order to utilize drive encryption, your Tivoli Storage Manager environment should be set up so that all drives in a library support the new encryption format. In addition, all drives within a logical library must use the same method of encryption. Tivoli Storage Manager does not support an environment in which some drives use the Application method and some drives use another method of encryption.

    When using encryption-capable drives with the Application method, a new format will be used to write encrypted data to tapes. If data is written to volumes using the new format and if the volumes are then returned to scratch, they will contain labels that are only readable by encryption-enabled drives. To use these scratch volumes in a drive that is not enabled for encryption, either because the hardware is not capable of encryption or because the encryption method is set to OFF, you must relabel them.

    For more information on setting up your hardware environment to use drive encryption, refer to your hardware documentation.


    Specifying the DRIVEENCRYPTION Parameter
    The DRIVEENCRYPTION parameter is only supported for LTO-4 (ULTRIUM4 and ULTRIUM4C) formats. It specifies whether or not drive encryption is enabled or can be enabled. Application encryption is supported with LTO-4 drives.

    To utilize this method, the parameter must be set to ON. This permits the encryption of data for empty storage pool volumes. When the parameter is set to ON, backup operations will fail if the hardware is configured for another encryption method.

    To disable encryption on new volumes, the parameter should be set to OFF. If the hardware is configured to encrypt data through a method other than Application encryption, and DRIVEENCRYPTION is set to OFF, backup operations will fail.

    The DRIVEENCRYPTION parameter is optional. The default value is to allow another method of encryption.

    Setting up Encrypted Storage Pools
    You can set up encrypted storage pools to protect tapes that contain critical or sensitive data. This is particularly beneficial for tapes that are removed from the Tivoli Storage Manager server environment to an off-site location. Tapes that contain sensitive security or financial information can become an exposure if data is not encrypted and tapes are lost.

    Example

    Define an encrypted storage pool so that Tivoli Storage Manager is the encryption key manager. This method is defined through the device class. Complete the following steps:
      1. First, define your library:
      define library 3584 libtype=SCSI

      2. Next, define a device class LTO_ENCRYPT such that storage pool volumes will be encrypted:
      define devclass LTO_encrypt library=3584 devt=lto format=ultrium4c drivee=on

      3. Now define a storage pool named LTO_ENCRYPT_POOL with a MAXSCRATCH value of 10:
      define stgpool LTO_encrypt_pool LTO_encrypt maxscr=10


    Command Updates:

    DEFINE DEVCLASS


    DRIVEEncryption
    Specifies whether drive encryption will be permitted. This parameter is optional. The default is ALLOW.

    ON
    Specifies that Tivoli Storage Manager is the key manager for drive encryption and will permit drive encryption for empty storage pool volumes only if the Application method is enabled through the hardware. (Other volumes, for example, backup sets, export volumes, and database backup volumes will not be encrypted.) If you specify ON and enable another method of encryption, drive encryption will not be permitted and backup operations will fail.

    Note:
    o DRIVEEncryption=ON is not supported for WORM media.
    o DRIVEENcryption=ON is only supported for IBM LTO-4 tape drives

    ALLOW
    Specifies that Tivoli Storage Manager does not manage the keys for drive encryption. However, drive encryption for empty volumes is permitted if another method of encryption is enabled.

    OFF
    Specifies that drive encryption will not be permitted. If you enable another method of encryption, backups will fail. If you enable the Application method, Tivoli Storage Manager will disable encryption and backups will be attempted.

    Example
    Define a device class for an IBM TS3580 ULTRIUM4 drive with encryption.
      DEFine DEVClass devclassname DEVTYPE= LTO FORMAT= ULTRIUM4 DRIVEEncryption= ON

      DEFine DEVClass devclassname DEVTYPE= LTO FORMAT= ULTRIUM4C DRIVEEncryption= ON


    UPDATE DEVCLASS


    DRIVEEncryption
    Specifies whether drive encryption is permitted. This parameter is optional. Updating this parameter will affect empty volumes only. If a filling volume was previously encrypted or is currently unencrypted, and you update the DRIVEENCRYPTION parameter, the volume maintains its original encrypted or unencrypted status. The data appended to this volume will also maintain the original key-management status.

    ON
    Specifies that Tivoli Storage Manager is the key manager for drive encryption and will permit drive encryption for empty storage pool volumes only if the Application method is enabled through the hardware. (Other volumes, for example backup sets, export volumes, and database backup volumes will not be encrypted.) If you specify ON and you enable another method of encryption, drive encryption will not be permitted and backup operations will fail.

    Note: DRIVEEncryption=ON is not supported for WORM media

    ALLOW
    Specifies that Tivoli Storage Manager does not manage the keys for drive encryption. However, drive encryption for empty volumes is permitted if another method of encryption is enabled.

    OFF
    Specifies that drive encryption will not be permitted. If you enable another method of encryption, backups will fail. If you enable the Application method, Tivoli Storage Manager will disable encryption and backups will be attempted.



    QUERY DEVCLASS (Detailed) output



    QUERY VOLUME (Detailed) output
    Product Details


    Related APAR
    • IC53162 TSM SERVER 5.3.5.1 IBM LTO-4 DRIVEENCRYPTION=ON FAILS TO ENCRYPT DATA WITH A UNIQUE, NONTRIVIAL KEY
    • IC53695 TSM SERVER REPORTS ANR8302E BUT IGNORES THE ERROR.
  • Rate this page:

    (0 users)Average rating

    Document information


    More support for:

    Tivoli Storage Manager
    Server

    Software version:

    All Supported Versions

    Operating system(s):

    AIX, HP-UX, Linux, Solaris, Windows

    Reference #:

    7009625

    Modified date:

    2010-08-09

    Translate my page

    Machine Translation

    Content navigation