Tape encryption overview

The tape drives that are supported by the TS4500 tape library can encrypt data as it is written to a tape cartridge.

Encryption is performed at full line speed in the tape drive, after compression. The order matters: encrypted data is indistinguishable from random data and cannot be compressed, so the drive compresses the data first and then encrypts the smaller result. Because the work is done in drive hardware, encryption adds a strong measure of security to stored data without consuming host processing capacity or degrading throughput.

The tape drive encryption solution comprises three major elements:
The encryption-enabled tape drive
All of the tape drives that are supported by the TS4500 tape library are encryption capable: they contain the hardware to encrypt, but that capability is not active until the drive is encryption-enabled. Encryption is enabled through the TS4500 management GUI.
Note: FC 1604, Transparent LTO Encryption, is required for library-managed encryption on LTO tape drives. It is not required for application-managed encryption.
Encryption key management
Encryption involves the use of several kinds of keys in successive layers. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some data management applications, such as IBM Spectrum Protect, can perform key management. For environments without such applications, or environments where application-independent encryption is necessary, IBM® provides a key manager to perform all necessary key management tasks. Provided key managers include:
  • The IBM Encryption Key Manager component for the Java™ platform
  • The IBM Security Key Lifecycle Manager (formerly the Tivoli® Key Lifecycle Manager)
The Managing encryption topic provides more information.
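The two points above, compression before encryption and keys arranged in layers, can be made concrete with a short runnable example. This is an added illustration, not code from the TS4500 documentation, the drive firmware, or IBM's key managers: the cipher is a stdlib stand-in (SHA-256 keystream with an HMAC tag) chosen only so the example runs offline, the keys and the log-line sample are constructed, and the "wrapped key header followed by encrypted body" layout is a hypothetical record format, not the on-cartridge format the drives use. What it shows is that ciphertext does not compress, and that a wrong key-encrypting key fails at the wrapped data key before any volume data is touched.

```python
"""Added example: compress-before-encrypt and a two-layer key scheme.
Stand-in cipher for illustration only; not the LTO drive cipher."""
import hashlib
import hmac
import zlib

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag

# Constructed sample material; real keys come from the key manager, never from a string.
SAMPLE_KEK = hashlib.sha256(b"constructed key-encrypting key").digest()
SAMPLE_DATA_KEY = hashlib.sha256(b"constructed per-volume data key").digest()
SAMPLE_PLAINTEXT = (
    b"2024-01-01T00:00:00Z host=backup01 job=nightly status=OK bytes=1048576\n" * 200
)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: deterministic pseudorandom bytes to XOR with the data.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # The order the drive uses: redundancy is removed first, then the result is encrypted.
    return encrypt(key, nonce, zlib.compress(plaintext, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # The wrong order: ciphertext looks random, so the compressor cannot shrink it.
    return zlib.compress(encrypt(key, nonce, plaintext), 9)


def size_report(plaintext: bytes) -> dict:
    """Byte counts for both orders. Fixed nonce only so the numbers are reproducible;
    never reuse a nonce under the same key in real use."""
    nonce = b"\x00" * NONCE_LEN
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(SAMPLE_DATA_KEY, nonce, plaintext)),
        "encrypt_then_compress": len(encrypt_then_compress(SAMPLE_DATA_KEY, nonce, plaintext)),
    }


def write_volume(kek: bytes, data_key: bytes, plaintext: bytes) -> tuple:
    """Two key layers (hypothetical record format): the data key encrypts the volume,
    and the KEK wraps the data key. The wrapped key can travel with the cartridge
    while the KEK stays in the key manager."""
    header = encrypt(kek, b"\x01" * NONCE_LEN, data_key)  # wrapped data key
    body = compress_then_encrypt(data_key, b"\x02" * NONCE_LEN, plaintext)
    return header, body


def read_volume(kek: bytes, header: bytes, body: bytes) -> bytes:
    """Unwrap the data key with the KEK, then decrypt and decompress the volume.
    A wrong KEK fails at the header and never touches the volume data."""
    data_key = decrypt(kek, header)
    return zlib.decompress(decrypt(data_key, body))


if __name__ == "__main__":
    print(size_report(SAMPLE_PLAINTEXT))
    hdr, vol = write_volume(SAMPLE_KEK, SAMPLE_DATA_KEY, SAMPLE_PLAINTEXT)
    assert read_volume(SAMPLE_KEK, hdr, vol) == SAMPLE_PLAINTEXT
```

Running the module prints the size report: the compress-then-encrypt output is a small fraction of the 14,000-byte sample, while the encrypt-then-compress output is slightly larger than the plaintext, because zlib falls back to stored blocks for data it cannot compress. The same property is why a drive that encrypted before compressing would lose all of its compression ratio.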
Encryption policy
The encryption policy is the method that is used to implement encryption: the rules that govern which volumes are encrypted, and the mechanism by which the key for each volume is selected. How and where these rules are set up depends on the operating environment. See Managing encryption for more information about each of the available methods.
Encryption policy is managed at the logical library level. The Logical Libraries GUI page is used to enable encryption for a logical library and modify the encryption method that is being used. The Security GUI page is used to manage key servers and key labels.
Note: In the tape storage environment, the encryption function on tape drives (desktop, stand-alone, and within libraries) is configured and managed by the customer, not by the IBM System Services Representative (SSR). In some instances, an SSR is required to enable encryption at the hardware level, when service access or service-password-controlled access is required. Customer setup support is provided by the field technical sales specialist (FTSS), by the customer documentation, and, for problems with the encryption software, by software support. Customer "how to" support is also provided under the support line contract.