Tape encryption overview
The tape drives that are supported by the TS4500 tape library can encrypt data as it is written to a tape cartridge.
Encryption is performed at full line speed in the tape drive after compression. (Data is compressed more efficiently before it is encrypted.) This capability adds a strong measure of security to stored data without any processing overhead or performance degradation.
The following three major elements comprise the tape drive encryption solution:
- The encryption-enabled tape drive
  - All of the tape drives that are supported by the TS4500 tape library are encryption capable. Encryption capability means that they are functionally capable of performing hardware encryption, but this capability is not yet activated. To perform hardware encryption, the tape drives must be encryption-enabled. Encryption can be enabled through the TS4500 management GUI.
    Note: FC 1604, Transparent LTO Encryption, is required for library-managed encryption on LTO tape drives. It is not required for application-managed encryption.
- Encryption key management
  - Encryption involves the use of several kinds of keys in successive layers. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some data management applications, such as IBM Spectrum Protect, can perform key management. For environments without such applications, or environments where application-independent encryption is necessary, IBM® provides a key manager to perform all necessary key management tasks. Provided key managers include:
    - The IBM Encryption Key Manager component for the Java™ platform
    - The IBM Security Key Lifecycle Manager (formerly the Tivoli® Key Lifecycle Manager)
- Encryption policy
  - This is the method that is used to implement encryption. It includes the rules that govern which volumes are encrypted and the mechanism for key selection. How and where these rules are set up depends on the operating environment. See Managing encryption for more information about each of the available methods.
Note: In the tape storage environment, the encryption function on tape drives (desktop, stand-alone, and within libraries) is configured and managed by the customer. It is not configured and managed by the IBM System Services Representative (SSR). In some instances, SSRs are required to enable encryption at a hardware level when service access or service password controlled access is required. Customer setup support is provided by the field technical sales specialist (FTSS), customer documentation, and software support for encryption software problems. Customer "how to" support is also provided with the support line contract.