Managing encryption

A key manager is a software program that assists IBM® encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys. The encryption keys encrypt information that is being written to tape media (tape and cartridge formats), and decrypt information that is being read from tape media.

IBM currently supports the IBM Security Key Lifecycle Manager (formerly Tivoli® Key Lifecycle Manager) with the TS4500 tape library.

The key manager operates on z/OS®, i5/OS, AIX®, Linux®, HP-UX, Sun Solaris, and Windows. It is a shared resource that is deployed in several locations within an enterprise. It can serve numerous IBM encrypting tape drives, regardless of where those drives are installed (for example, in tape library subsystems, connected to mainframe systems through various types of channel connections, or installed in other computing systems).

The key manager uses a key store to hold the certificates and keys (or pointers to the certificates and keys) required for all encryption tasks. Refer to the appropriate documentation for detailed information about the key manager and the key stores it supports.

The following encryption methods are supported:
  • Application-managed encryption (AME)
  • System-managed encryption (SME)
  • Library-managed encryption (LME)
These methods differ in three ways:
  • Where the encryption policy engine resides
  • Where key management occurs for your encryption solution
  • How the key manager is connected to the drive
Your operating environment determines which method is the best for you.

Key management and the encryption policy engine can be in any of the environment layers shown in Figure 1.

Figure 1. Possible locations for encryption policy engine and key management. The figure shows encryption management at the application or library layer.

The layers shown in Figure 1 are:
  • Application layer: initiates data transfer for tape storage; for example, IBM Spectrum Protect.
  • System layer: everything between the application and the tape drives; for example, z/OS DFSMS and FICON®/ESCON controllers.
  • Library layer: the TS4500 tape library, which contains an internal interface to each tape drive installed in the library.