BlueScale Encryption User Guide PN 90940012 Revision E...
If you do not agree to the above, do not use the Spectra library; instead, promptly contact Spectra Logic for instructions on how to return the library for a refund.
Introduction About This Guide This guide contains information about BlueScale Encryption for Spectra T950, T120, and T50 libraries. This reviews information on the configuration and use of encryption. Note that the encryption procedures for the Spectra T950 and T120 libraries cover both library-based and drive-based encryption;...
• The library’s release notes provide the most up-to-date information about the library, drives, and media. The most up-to-date versions of all library documentation are available on Spectra Logic’s Web site at www.SpectraLogic.com. Conventions Used in this Guide Important information is called out as follows: Note: Provides additional points or suggestions.
Shipped Items The following items are included with the purchase of BlueScale Encryption: • One encryption activation key • One software support agreement • This user guide • One t-shirt If you ordered the Endura® Decryption Utility (EDU), you also receive one EDU CD.
BlueScale Encryption Overview BlueScale Encryption is tightly integrated into your Spectra library. Encryption can be handled through the library’s encryption-enabled Quad Interface Processors (QIPs), if any are in use, and through LTO-4 drives working with LTO-4 media. BlueScale encryption key management is provided through the library’s graphical interface.
BlueScale Encryption: Standard Edition vs. Professional Edition All data encrypted using BlueScale Encryption and Key Management—Standard and Professional Editions, and LTO-4 drive-based encryption—is secured by the strongest available encryption method, AES-256. Through BlueScale Encryption and Key Management, you have additional choices in defining the level of security you can implement in your data center.
BlueScale Standard Edition For sites with a primary goal of securing data while it is transported to a remote site and stored there, or only for data that will be stored for a long period of time, BlueScale Standard Edition works well. For information about configuring and using BlueScale Encryption Standard Edition, see Chapter 4.
Multiple Encryption Password Support The Standard Edition of BlueScale Encryption supports one encryption password. The Professional Edition of BlueScale Encryption lets you choose whether to support one encryption password, or three encryption passwords that enforce another level of security. If you choose to implement the triple-password option, then: •...
Encryption Methods Choose how to encrypt data. You can use encryption-enabled QIPs, LTO-4 drives, or both to encrypt data. With QIPs, the library handles encryption, and can encrypt data written to any tape type (such as LTO-3 and SAIT). With LTO-4 drives, the drive handles encryption, and encrypts data written to LTO-4 tapes.
® Media packs. Identify: • The person to have superuser privileges on the Spectra Logic library with BlueScale Encryption. • The person to have the library’s encryption password.
Processes On an organizational level, you need to identify the level of security your site requires, and the data to be encrypted—for example, you may choose to encrypt all data, or any combination of financial, identity-related information, and strategic data. Consider the following when establishing your encryption procedure: •...
• Archive the Endura Decryption Utility (EDU) for emergency use, such as to recover from a disaster. Use this utility if you have no Spectra Logic libraries on hand but need to decrypt and write data, which you can then restore using backup software.
Superuser Login/Encryption Passwords Passwords are standard user security that restrict access. Spectra Logic BlueScale Encryption requires that a superuser is logged in, then an encryption password is supplied. A Professional Edition feature lets you optionally require two of three different encryption passwords to be entered.
Site Security Example: Low Security Site Description of organization: Small company with 75 employees. Security Considerations Security goals Protecting company from legal liability associated with unauthorized access to data stored on tape, both onsite and offsite, including transport to the offsite location. Encryption principals IT administrator, company president, corporate legal counsel.
Site Security Example: Medium Security Site Description of organization: Medium-sized organization with 250 employees. Security Considerations Security goals Encryption principals Data to encrypt Level of security to implement Data sets requiring isolation from other encrypted data Key escrow method Number of copies of each key to store, and locations Key rotation plan Tracking key monikers,...
Site Security Example: High Security Site Description of organization: Enterprise organization. Security Considerations Security goals Protecting all stored data. Encryption principals IT senior staff, chief operating officer, chief security officer, chief technology officer. Data to encrypt All. Level of security to •...
NIST-approved encryption algorithm that is used by the federal government and that is being broadly adopted. BlueScale: Software available on Spectra Logic libraries that supports library intelligence along with the Spectra Logic encryption solution and key management. Cleartext: Text that is not encrypted.
Summary: Mandatory Security Procedures The most important key management tasks are: • Always make two or more copies of each key. The key must be protected, but it must also be available. If you choose to store only a single copy of a key, and then something happens to the device storing the key, you’ve lost both your key and all data encrypted using the key.
Spectra Logic recommends tracking the following information about every key that you create. Key Moniker: _______________________ ______ Number of key copies and location of each copy: Password(s) associated with exported copy of the moniker: Location of data stored on mobile media, which has been...
3 Installing and Activating Encryption in Spectra T950 and T120 Libraries Installing Encryption: Upgrading If your library uses BlueScale 9.5 firmware or higher, then your library supports BlueScale Encryption that is library-based (handled by QIPs); no firmware upgrade is required for this encryption method.
Activating Encryption Once your library has an encryption-enabled QIP installed, or an LTO-4 tape drive installed and LTO-4 media loaded, you can activate encryption with a BlueScale Encryption key. To activate encryption for the Spectra T950 and T120 libraries: Log in as superuser and then select Configuration screen displays.
Next Steps Once you have activated BlueScale Encryption, you can configure and use it. Configuration Encryption configuration entails selecting an encryption mode and creating one or more encryption passwords (the number of passwords depends on if you have BlueScale Standard Edition or BlueScale Professional Edition).
4 Using Standard Edition in Spectra T950 and T120 Libraries Using Encryption Once BlueScale Encryption is configured on your library, configure your backup software so that data to be encrypted while it is backed up is sent to a partition that has encryption enabled and has been assigned an encryption key.
Configuring Encryption From the Encryption Configuration screen, select Configure. The Encryption Settings screen displays. Configure how you want the library to be used: • Standard Mode: When the library is powered on during startup, data can be backed up to partitions that support encryption without entering an encryption password.
In the New Encryption User Password field, type in a password, using any combination of the numbers 0-9, lower and upper case alphabetic characters (a-z and A-Z), and the at sign (@), dash (-), underscore (_), and colon (:) characters. Re-enter the password in the Retype Password field, then select OK.
Creating an Encryption Key From the Encryption Configuration screen, select Add Key. The New Encryption Key screen displays. Enter a name in the Moniker field that has not been used for any other encryption key, and that uses any combination of the numbers 0-9, lower and upper case...
Select OK. The Encryption Configuration screen displays, showing the key moniker, along with its creation time and date and a message reminding you to create a copy of the key for safekeeping.
Assigning a Key to a Partition After creating a key, you can assign it to one or more library partitions when adding or editing a partition through the partition configuration wizard. The Encryption screen for partition configuration lets you enable encryption for the partition.
• To encrypt data using the QIP, select QIP-based Encryption. Also, if you want readable (that is, non-encrypted) data at the beginning of the tape, also select Enable Clear File at BOT. –...
Navigate through the remaining partition configuration screens by selecting Next. Once the Save Partition screen displays, select Save. All data sent to this partition will be encrypted, using the key currently active on the library.
Exporting Encryption Keys To export the current encryption key: Log in as a superuser, then select Security Login screen displays. Enter the encryption password, then select OK. The Encryption Configuration screen displays.
Note the password, which you will need to import the key. Without it, you cannot import the key, and the data encrypted using the key is lost. Select Next. • If you exported the key to a USB device: Confirm that the encrypted key copied correctly by selecting Check Key Files.
Deleting a Key To use a new key to encrypt data, you must first delete the existing key. Then you can create the new key and assign it to one or more partitions. Note that you will need a copy of the existing key to restore data that was encrypted with the existing key.
Restoring Data if Required Key is Available If the right key isn’t available on the library when you need to restore encrypted data, the library prompts you with the moniker of the key that is required to decrypt the data. You can then import the key so that it is on the library as long as there isn’t already a key on it (if there is, delete the existing one first).
Importing Keys from a USB Device and Restoring Data To import a key stored on a USB device: Log in as a superuser, then select Security Login screen displays. Enter the encryption password, then select OK. The Encryption Configuration screen displays.
Importing Keys through the RLC and Restoring Data You can import keys using the RLC if you can access the key from your computer. To import a key using the RLC: Log in as a superuser, then select Security Login screen displays.
Select Import key from RLC, then select Next. The RLC Encryption Key Upload screen displays. To identify the key file, either • Type in the full path and file name in the Encryption Key File field. •...
5 Using Professional Edition in Spectra T950 and T120 Libraries Using Encryption Once BlueScale Encryption is configured on your library, configure your backup software for your encrypted backups. The software sends the data to be encrypted to a partition that has encryption enabled and that has been assigned an encryption key.
Professional Edition Overview Professional Edition supports multiple keys on the library simultaneously. Each partition that is enabled for encryption uses one key to encrypt data backed up through that partition. To streamline decryption, you can further configure the system to associate multiple monikers with a single partition.
Configuring Encryption Accessing Encryption Features To access encryption features: Log in as a superuser, then select Security Login screen displays. Select OK. No login or password is required the first time you log in. The Encryption Configuration screen displays.
Configuring Encryption Features To configure encryption features: From the Encryption Configuration screen, select Configure. The Encryption Users screen displays. Select either: • Single User Mode: Requires one encryption password to access all encryption features.
Select Next. The Encryption Settings screen displays. Note: If you selected Single User Mode, only one set of New Encryption User Password and Retype Password fields display. Configure how you want the library to be used: •...
Enter the number of passwords requested, using any combination of the numbers 0-9, lower and upper case alphabetic characters (a-z and A-Z), and the at sign, dash, underscore, and colon characters (@-_:). Enter each password again in the Retype Password field.
Creating an Encryption Key From the Encryption Configuration screen, select Add Key. The New Encryption Key screen displays. Enter a name in the Moniker field that has not been used for any other encryption key, and that uses any combination of the numbers 0-9, lower and upper case alphabetic characters (a-z and A-Z), and the at sign (@), dash (-), underscore (_), and colon (:) characters.
Select OK. The Encryption Configuration screen displays, showing the key moniker, along with its creation time and date and a message reminding you to create a copy of the key for safekeeping.
Assigning a Key to a Partition After creating keys, you can assign one primary encryption key to each library partition. You can also specify multiple decryption-only keys. Displaying the Partition Configuration Encryption Screen You can assign keys to a library partition when adding the partition or editing its settings through the partition configuration wizard.
Associating Keys with a Partition If the partition can support encryption, the encryption choices that display and are available depend on the hardware for the partition. The content of the Encryption screen varies accordingly.
– or – • Drive-based Encryption — to encrypt data using the drives. – or – If the data written through this partition does not need encryption, make sure that you select the No Encryption option.
When you display the Security assignment are listed. In this example, the key Bob is used as the active (primary) encryption key for both Partition 1 and Partition 2. The key Jeff is kept available for rapid data decryption for data restored using library partitions one and two.
Protecting Keys Protect encryption keys by: • Making copies of every key through Key Export • Storing the keys in a secure location • Tracking the location of the keys and the passwords required to import them. Protect your keys by making sure that copies of the keys reside elsewhere.
For your site, select one of these as your M-of-N shares: • 2-of-3 • 2-of-4 • 3-of-4 • 2-of-5 • 3-of-5 • 4-of-5 For example, if you choose 2 of 3, then the encrypted key, already encrypted using a key-specific password, is split into three shares (i.e., files).
Exporting Encryption Keys To export the current encryption key: Log in as superuser, then select Security screen displays. Enter the encryption password, then select OK. The Encryption Configuration screen displays. Select Export Key.
Select to export the key as a single file or as M-of-N shares to either USB or email. Export Method Export Single File to USB (Standard and Professional Editions) Email Exported Key (Standard and Professional Editions) Export M-of-N Shares to USB Email M-of-N Shares...
Enter a password twice, then select Next. This password is used to encrypt the key, and needs to be available before you can import and use the key. The key encrypted with this password is copied to one or more USB devices or attached in an email to one or more users •...
Note the password, which you will need to import the key. Without it, you cannot import the key and the data encrypted using the key is lost. Caution: Track where you have stored the key or who received an email message with the key, in conformance with your security plan.
Restoring Data Restoring encrypted data from tape follows the standard data restore processes that you use with your backup software. The only difference is that the key used to encrypt the data being restored needs to be on the library and assigned to the partition with the tape, so the data can be decrypted.
Importing Keys from a USB Device To import a key stored on a USB device: Log in as a superuser. > Select Security Enter the password, then select OK. The Encryption Configuration screen displays. Select Import Key.
Importing Keys through the RLC As long as you are importing a single key, not one split into M-of-N shares, you can upload it through the RLC. To do so, you must be able to access the key from your computer. To import a key using the RLC: Log in as a superuser, then select Security Login screen displays.
Select Import key from RLC, then select Next. The RLC Encryption Key Upload screen displays. To identify the key, either: • Type the path for the key in the Encryption Key File field. •...
Deleting a Key To delete a key: Log in as a superuser. > Select Security Enter the password, then select OK. The Encryption Configuration screen displays. Export at least one copy of the key you will be deleting or you will never be able to access data encrypted using that key.
Spectra T950 and T120 Libraries Recycling Media LTO-4 drives require that all data encrypted and written to a single tape is encrypted using the same key—that is, a single key is associated with each tape storing encrypted data. Once the encrypted data is written to a tape, the drive won't overwrite the encrypted data to re-use the tape until you recycle the tape through BlueScale Encryption.
6. Recycling Encrypted LTO-4 Media in Spectra T950 and T120 Libraries Select the partition with the media from the Partition drop-down list, then select Next. The Select Media to Recycle screen displays.
Select the media to recycle from the Available Media list, then select Add Media. The items appear in the Media to Recycle list. To narrow down the media choices in the Available Media list, enter a partial or entire bar code in the Find by Barcode field and select Find.
Warning: Do not turn off the library once you begin the firmware upgrade. Have on hand the Spectra Logic activation key code that came with your BlueScale Encryption package to enable encryption features and key management on your library.
7. Installing and Activating Encryption in Spectra T50 Libraries Activating Encryption Once your library has at least one LTO-4 tape drive installed and LTO-4 media loaded, you can activate the encryption option with a BlueScale Encryption key. To activate BlueScale encryption: Have the option key(s) on hand.
Select New. The New Option Key screen displays. Enter the activation key then select Save. Enter your activation key in the Enter Key field. Select Save. The LC goes through a short series of progress screens, then refreshes to again show the Option Keys screen.
Next Steps Once you have activated BlueScale Encryption, you can configure and use it. Configuration Encryption configuration entails selecting an encryption mode and creating one or more encryption passwords (the number of passwords depends on if you have BlueScale Standard Edition or BlueScale Professional Edition).
Encryption Icon Use the encryption icon, displayed by selecting the Security menu, to access library encryption features such as encryption configuration and key generation. Encryption icon...
BlueScale Encryption Editions BlueScale Standard Edition: For sites with a primary goal of securing data while it is transported to a remote site and stored there, or only for data that will be stored for a long period of time, BlueScale Standard Edition works well.
Security on Initialization Both editions of BlueScale Encryption give you security options at library startup. You can choose whether to start the library: • In standard mode, so that at library startup, data is encrypted with no further action required.
Data to Encrypt When you implement BlueScale Encryption, decide whether to encrypt all data or a subset; then determine if the encrypted data can be grouped together or if it must be isolated into sets.
Getting Started Activate BlueScale Encryption and key management; then you can configure and use it. Configuring Encryption: Configuration procedures are different for the two editions. If you are using Standard Edition, refer to Configuring Encryption on page 85. If you are using Professional Edition, refer to Configuring Encryption on page 102.
Identify the people at your site who are responsible for backing up data. They will be responsible for encrypting data written to tape and to other portable media. Identify: • The person to have superuser privileges on the Spectra Logic library with BlueScale Encryption.
Processes On an organizational level, identify the level of security your site requires, and the data to be encrypted—for example, you may choose to encrypt all data, or any combination of financial, identity-related information, and strategic data.
• Archive the Endura Decryption Utility (EDU) for emergency use, such as recovering from a disaster. Use this utility if you have no Spectra Logic libraries on hand but need to decrypt and write data, which you can then restore using backup software. See Chapter 11. Endura Decryption Utility for information on EDU.
• Import/Export Key password: Lets you import and export encryption keys. This feature is only available after the superuser has logged in and the encryption password has been entered. Optionally, in Professional Edition, you can require two different passwords prior to importing and exporting keys.
Libraries Using Encryption Once BlueScale Encryption Standard Edition is configured on your library, configure your backup software so that data to be encrypted during backup is sent to a partition that has encryption enabled and has been assigned an encryption key. Restoring data is also transparent.
8. Using Standard Edition in Spectra T50 Libraries Select Configure. The Encryption Settings screen displays. Configure how you want the library to be used: • Standard Mode: When the library is powered on during startup, data can be backed up to partitions that support encryption without entering an encryption password. To use Standard Mode, make sure that Enable Secure Initialization is not selected.
Re-enter the password in the Confirm field, then select OK. The Encryption Configuration screen again displays. At this point, no encryption key has been created, so no key moniker displays, as illustrated in the screen at right.
Important Notes on Creating Passwords and Monikers • Each moniker must be a unique string of characters, independent of case. • Monikers entered with the same name but with alphabetical characters in different cases may display as entered using upper and lower case.
Assigning a Key to a Partition After creating a key, you can assign it to one or more library partitions. Assign it by selecting the option to enable encryption in this partition, when adding or editing a partition through the partition configuration wizard.
Protecting Keys Data cannot be recovered without the encryption key used to encrypt the data, so protecting encryption keys is extremely important to data decryption and recovery. Protect encryption keys by: • Making copies of every key through Key Export •...
Exporting Keys To export the current encryption key: Log in as a superuser, then select Security --> Encryption. The Encryption User Login screen displays. Enter the encryption password, then select OK. The Encryption Configuration screen displays.
Enter a password, which is used to encrypt the key. Note the password, which you will need to import the key. Without it, you cannot import the key, and the data encrypted using the key is lost. Select Next.
Deleting a Key To use a new key to encrypt data, you must first delete the existing key. Then you can create the new key and assign it to one or more partitions. Note that you will need a copy of the existing key to restore data that was encrypted with the existing key.
Restoring Data Restoring data is transparent. If the encryption key required to decrypt the data is not on the library, the library displays the moniker of the key to import. Restoring encrypted data from tape follows the standard data restore processes that you use with your backup software.
Importing Keys If the key is not available on the library, you can import it from a USB device or through the RLC. The RLC option only displays if you are logged in remotely. Importing Keys from a USB Device To import keys from a USB device to restore data: Log in as a superuser, then select Security -->...
Importing Keys through the RLC You can import keys using the RLC if you can access the key from your computer. To import a key using the RLC: Log in as a superuser, then select Security --> Encryption. The Encryption User Login screen displays.
To specify the key file, you can: • Type in the full path and file name in the Encryption Key File field. • Select Browse, then locate and select the key. Select Open. The path for the key displays in the Encryption Key File field.
Recycling Encrypted Media LTO-4 drives require that all data encrypted and written to a single tape be encrypted using the same key (that is, a single key is associated with each tape storing encrypted data). Once the encrypted data is written to a tape, the drive won't overwrite the encrypted data to re-use the tape until you scratch the tape through BlueScale Encryption.
Select Recycle. The Select Tapes screen displays. Select a tape to recycle, then select Add. The Tapes to Recycle screen appears with the tape displayed in the list. To add other tapes to recycle: •...
Select Next in the Tapes to Recycle screen once you have selected all of the tapes that you want to recycle. The Select Drive screen displays. Choose the drive that you want to use to scratch the media, then select Next. The Summary screen displays.
9 Using Professional Edition in Spectra T50 Libraries Using Encryption Once BlueScale Encryption Professional Edition is configured on your library, configure your backup software so that data to be encrypted is sent to a partition that has encryption enabled and has been assigned an encryption key. Encryption during backup is transparent—it happens automatically.
Configuring Encryption Once BlueScale Encryption Professional Edition is configured on your library, configure your backup software so that data to be encrypted during backup is sent to an encryption-enabled partition that has been assigned an encryption key. To configure BlueScale Encryption Professional Edition: Log in as a superuser, then select Security -->...
Select Next. The Encryption Settings screen displays. Note: If you selected Single User Mode, only one set of New Encryption User Password and Retype Password fields display.
In the Encryption setting screen, configure how you want the library to be used: • Standard Mode: When the library is powered on during startup, data can be backed up to partitions that support encryption without entering an encryption password. To use Standard Mode, make sure that Enable Secure Initialization is not selected.
Creating an Encryption Key To create an encryption key: From the Encryption Configuration screen, select Add Key. The New Encryption Key screen displays. Enter a name in the Moniker field that has not been used for any other encryption key, and that uses any combination of alphanumeric...
Page 106
Select OK. The Encryption Configuration screen displays, showing the key moniker, its creation time and date, and a message reminding you to create a copy of the key for safekeeping. If the key is lost, data cannot be recovered, so promptly copying the key and storing it safely...
Assigning a Key to a Partition After creating keys, you can assign one primary encryption key to each library partition. You can also specify multiple decryption-only keys. When you assign a new encryption key to a partition, or replace the existing one, BlueScale Encryption uses the new key the next time that the library loads a tape for the partition.
Associating Keys with a Partition Only one encryption key is allowed per tape. If you replace the encryption key for a partition, you must first scratch tapes encrypted with the previous key to re-use them. Refer to Recycling Encrypted Media on page 98 for more information.
Select Next. Navigate through the remaining partition configuration screens by selecting Next. Once the Summary screen displays, select Save. All data sent to this partition will be encrypted, using the key currently active on the library.
Methods of Securing Keys You can add another layer of key protection by using the three encryption passwords option, so that two of three different passwords must be entered to access export and import key functions.
Storing Exported Keys Best practices recommend storing keys offsite in a location other than the site used for media storage. Make sure that the key has been sent and can be accessed, is stored correctly on the USB device, or both, before deleting the key from your system.
Select Export. • If you selected multi-user mode and supplied only one encryption password, a prompt asks you to enter another password. Enter it, then select Next. The Export Type screen displays. •...
Export Method: • Export Single File to USB (Standard or Professional Edition) • Email Exported Key (Standard or Professional Edition) • Export M-of-N Shares to USB • Email M-of-N Shares. Steps to Follow: Select this option, then put a USB device into the library’s USB port. See the library’s user guide for information on using the USB and about the location of this port.
Enter a password twice in the Export Password screen, then select Next. The Encryption Configuration screen displays. This password is used to encrypt the key, and needs to be available before you can import and use the key.
Restoring Data Restoring encrypted data from tape follows the standard data restore processes that you use with your backup software. The only difference is that the key used to encrypt the data being restored needs to be on the library and assigned to the partition with the tape, so the data can be decrypted.
Importing Keys from a USB Device If the key is stored on a USB device, import it by following this procedure. To import keys from a USB device to restore data: Log in as a superuser, then select Security > Encryption. The Encryption User Login screen displays.
Importing Keys through the RLC As long as you are importing a single key, not one split into M-of-N shares, you can upload it through the RLC. If you are using the RLC and can access the key from your computer, import it by following this procedure.
Enter the password that was used to encrypt the key when it was being exported in both fields, then select Next. The Encryption Configuration screen displays, showing the moniker of the newly imported key.
T50 Libraries Recycling Encrypted Media LTO-4 drives require that all data encrypted and written to a single tape be encrypted using the same key (that is, a single key is associated with each tape storing encrypted data). Once the encrypted data is written to a tape, the drive won't overwrite the encrypted data to re-use the tape until you recycle the tape through BlueScale Encryption.
10. Recycling Encrypted Media in Spectra T50 Libraries If your library has more than one partition, use the Import/Export drop-down menu to select the partition with the media to be recycled, then select Go. The Import/Export screen refreshes with the information for the selected partition displayed. If you only have one partition, the drop-down menu does not appear on this screen.
Adding More Tapes to Recycle To add other tapes to recycle: From the Tapes to Recycle screen, select Add Tape. The Select Tapes screen redisplays. Repeat Step 4 and Step 5 on page 120. Repeat this procedure as many times as necessary to add even more tapes.
Finishing the Tape Recycling To finish the tape recycling: When the list shows all of the tapes you want to recycle, select Next in the Tapes to Recycle screen. The Select Drive screen displays. Choose the drive to scratch the media, then select Next.
Endura Decryption Utility Overview The optional Endura Decryption Utility (EDU) lets you restore data with a minimum of equipment, which may be important in recovering data following a crisis or disaster. Use this command-line utility on a host that is running Linux and has one or more tape drives connected and online.
Note: If only one drive is available, confirm that the host has enough available disk space in /tmp to store the contents of the tape. If you don’t know the exact amount of data on the tape, make sure the disk space is large enough to hold the maximum amount of data that can be stored on the tape.
Using EDU to Decrypt Data: One Drive Preparing to Decrypt Data to Tape Make sure the system is set up as follows: Make sure Linux is running on the hardware and one SCSI-attach drive is mounted. Make sure the host is using a file system that can support files equal to the maximum data capacity of the tape to be decrypted.
Copy the key file from the USB device that contains the encrypted key or keys to the system. Note the full path and filename for each key. Also have on hand the key’s password in human-readable form. Running EDU to Decrypt Data To run EDU to decrypt data: At the command line, enter the command, specifying the drive: In this example, only one key is required.
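The one-drive preparation steps above (enough staging space in /tmp, the key file copied to the host, an accessible tape drive) can be verified before EDU is started. The script below is an added example, not part of the Spectra Logic guide or of EDU; the function names, the argument order and the rule that the key file must not be accessible to group or other are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a one-drive EDU restore. Added example, not Spectra
# Logic code: all function names and the permission policy are assumptions.

# Print the free space, in KiB, of the file system that holds directory $1.
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Succeed when directory $1 has at least $2 KiB free.
has_room() {
    avail=$(free_kib "$1") || return 1
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# Succeed when key file $1 is a readable regular file whose mode grants
# nothing to group or other (for example 0600).
key_file_ok() {
    [ -f "$1" ] || return 1
    [ -r "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed when $1 is a character device the current user can read.
tape_dev_ok() {
    [ -c "$1" ] && [ -r "$1" ]
}

# usage: preflight STAGING_DIR NEEDED_KIB KEY_FILE TAPE_DEVICE
# NEEDED_KIB is the maximum amount of data the tape can hold, in KiB.
preflight() {
    rc=0
    has_room "$1" "$2" || { echo "not enough free space in $1" >&2; rc=1; }
    key_file_ok "$3" || { echo "key file missing or too permissive: $3" >&2; rc=1; }
    tape_dev_ok "$4" || { echo "tape device not readable: $4" >&2; rc=1; }
    return "$rc"
}

# Run the checks only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```

A non-zero exit status means at least one precondition failed; the messages on standard error name which one.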
Using EDU to Decrypt Data: Two Drives Preparing to Decrypt Data to Tape With two stand-alone SCSI drives mounted on the host: Make sure Linux is running on the hardware and two SCSI-attach drives are mounted. Log in as a user with permissions to write to the drives. For example, you may need to log in as a superuser to access them.
Running EDU to Decrypt Data At a system prompt, enter the command, making sure: • the input drive has loaded the write-protected tape with encrypted data • the output drive has an empty tape loaded In this example, only one key is required. This example assumes you have copied the EDU binary to /root/decrypt/edufile1.3.3—enter the command at a system prompt: /root/decrypt/edufile1.3.3 -i /dev/nst1 -o /dev/nst2 -n1 then press Enter.
Contact Information BlueScale Encryption Support Spectra Logic BlueScale Encryption Support is available for one, two, or three years at sites located in North America and the European Union. For sites outside North America and the European Union, please contact your local Spectra Logic sales representative.
12. Technical Support & Spectra Logic Contact Information Contacting Spectra Logic Sales United States and Canada Mexico, Central America, South America, Asia, Australia, and New Zealand Europe, Africa, and Middle East SpectraGuard Technical Support United States and Canada Mexico, Central America,...