Encryption Enabled - Oracle StorageTek T10000D Manual

Non-proprietary security policy

operating in the Permanent Encryption Mode, operators of the module do not
have the ability to disable encryption services.
Permanent Encryption Mode is non-reversible. The ETD will be able to read
from unencrypted tape cartridges while operating in this mode, but will be unable
to append to them if unencrypted data is already present.
To determine that the module is operating in the Permanent Encryption Mode, an
operator can use the VOP to view the drive settings and verify that the
"Encryption Active" and "Permanently encrypting" labels are both set to "Yes".
In addition, the operator shall verify that the "Use OKM or DPKM⁷" label is set to
"OKM". Instructions to place the module into the Permanent Encryption Mode
are provided in Section 3.1.4 (Permanent Encryption Approved Mode Set-Up).
2.2.2 Encryption Enabled Approved Mode
The second FIPS-Approved mode of operation is the Encryption Enabled
Approved Mode or Encryption Enabled Mode. The Encryption Enabled Mode
provides operators the ability to encrypt and decrypt data that is stored on
magnetic tape. Encryption and decryption are performed using the 256-bit AES
cryptographic algorithm. This mode operates in the same way as the Permanent
Encryption Mode, but with the ability to switch to the Permanent Encryption Mode,
the Encryption Disabled Approved Mode, or the Mixed Mode. The ETD will be able
to read from unencrypted tape cartridges while operating in this mode, but it will
be unable to append to them if unencrypted data is already present.
An operator of the module can determine if the module is operating in the
Encryption Enabled Mode by using the VOP to view the drive settings and verify
that the "Encryption Active" label is set to "Yes" and the "Permanently
encrypting" label is set to "No". Finally, the operator shall confirm that the "Use
OKM or DPKM" label is set to "OKM". Instructions to place the module into the
Encryption Enabled Mode are provided in Section 3.1.3 (Encryption Enabled
Approved Mode Set-Up).
2.2.3 Encryption Disabled Approved Mode
When operating in the Encryption Disabled Mode, only plaintext data is stored on
the magnetic tape. This plaintext data is non-security-relevant user data. While
operating in this mode, only unencrypted tape cartridges will be supported for
read and write operations. An operator will be able to switch to any of the
additional FIPS-Approved modes or the Mixed mode while operating the module
in the Encryption Disabled Mode.
⁷ DPKM – Data Path Key Management
This document may be freely reproduced and distributed whole and intact including this Copyright notice.
© Copyright 2017 Oracle Corporation