Chapter 8. Tape Encryption Overview - IBM TS3500 Introduction And Planning Manual

Chapter 8. Tape encryption overview

This topic describes tape encryption in the TS3500 Tape Library.

Data is one of the most highly valued resources in a competitive business
environment. Protecting that data, controlling access to it, and verifying its
authenticity while maintaining its availability are priorities in our
security-conscious world. Data encryption is a tool that answers many of these
needs.

The IBM System Storage TS1120 (3592 Model E05) and TS1130 (3592 Model E06)
tape drives are capable of encrypting data as it is written to any size IBM
TotalStorage Enterprise Tape Cartridge 3592, including WORM cartridges. The IBM
System Storage TS1040 LTO Ultrium 4 and newer Ultrium tape drives are also
capable of encrypting data as it is written to any LTO 4 or newer data cartridge.
Encryption is performed at full line speed in the tape drive after compression.
(Compression is more efficiently done before encryption.) This new capability adds
a strong measure of security to stored data without the processing overhead and
performance degradation associated with encryption performed on the server or
the expense of a dedicated appliance.
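The ordering stated above (compress, then encrypt) can be checked with a short experiment. This is an added example, not IBM code: the SHA-256 counter-mode keystream is an assumed stand-in for the drive's cipher, and the sample data and key are constructed.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), NOT the drive's cipher.
    It only supplies statistically random ciphertext, as any sound cipher does."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compare_orderings(plaintext: bytes, key: bytes) -> dict:
    """Return the number of bytes written to the medium for each ordering."""
    # Ordering described in the chapter: compress first, then encrypt.
    compress_then_encrypt = keystream_xor(key, zlib.compress(plaintext, 6))
    # Reverse ordering: encrypt first, then try to compress the ciphertext.
    encrypt_then_compress = zlib.compress(keystream_xor(key, plaintext), 6)
    # Both orderings must still round-trip to the original data.
    assert zlib.decompress(keystream_xor(key, compress_then_encrypt)) == plaintext
    assert keystream_xor(key, zlib.decompress(encrypt_then_compress)) == plaintext
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


# Constructed sample: repetitive, log-like records such as a backup stream.
SAMPLE = b"".join(
    b"2012-01-%02d host%03d backup job completed status=OK\n" % (d % 28 + 1, d % 50)
    for d in range(4000)
)
KEY = b"constructed-demo-key"  # constructed value, not a real key

if __name__ == "__main__":
    for name, size in compare_orderings(SAMPLE, KEY).items():
        print(f"{name:>24}: {size} bytes")
```

Ciphertext has no redundancy left for a compressor to exploit, so the encrypt-first ordering stores at least as many bytes as the original data, while the compress-first ordering keeps the full compression gain.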
The following three major elements comprise the tape drive encryption solution:
The encryption-enabled tape drive
Encryption key management
Encryption policy
© Copyright IBM Corp. 2008, 2012
The encryption-enabled tape drive
The TS1130 Model E06 tape drives and the LTO Ultrium 4 and newer Ultrium
drives are encryption-capable. All TS1120 Model E05 Tape Drives with Feature
Code 5592 or 9592 are encryption-capable. This means that they are functionally
capable of performing hardware encryption, but this capability has not yet
been activated. In order to perform hardware encryption, the tape drives must
be encryption-enabled. Encryption can be enabled on the encryption-capable tape
drives through the Tape Library Specialist Web interface. Refer to the
appropriate section in the IBM System Storage TS3500 Tape Library with ALMS
Operator Guide for information about how to enable encryption.

Note: FC 1604, Transparent LTO Encryption, is required in order to use
system-managed or library-managed encryption on LTO Ultrium 4 and LTO
Ultrium 5 tape drives. It is not required for application-managed encryption.
Refer to the sections on each method of encryption for more information.

Encryption key management
Encryption involves the use of several kinds of keys, in successive layers. How
these keys are generated, maintained, controlled, and transmitted depends
upon the operating environment where the encrypting tape drive is installed.
Some data management applications, such as Tivoli Storage Manager, are
capable of performing key management. For environments without such
applications or those where application-agnostic encryption is desired, IBM
provides a key manager (such as the IBM Encryption Key Manager component
for the Java platform or the Tivoli Key Lifecycle Manager) to perform all
necessary key management tasks. "Managing encryption" on page 216
provides more information.

Encryption policy
This is the method used to implement encryption. It includes the rules that
govern which volumes are encrypted and the mechanism for key selection.