Cryptographic Algorithms; Passphrase - HP BB118BV - StorageWorks Data Protector Express Package User's Manual & Technical Reference

If your business requires you to use encryption, Data Protector Express allows you to set the required
encryption types and levels. This chapter contains important information about data encryption.
Installation
The Data Protector Express encryption service is installed automatically with the software. Each
implemented encryption algorithm is delivered as a separate module that is treated exactly as other
agents and drivers in the product. The modules are installed and started automatically during normal
product installation.
Default encryption state
Encryption is turned off by default. The user enables encryption as part of a backup job's properties and,
at the same time as selecting an encryption level, provides a passphrase for the media with a minimum of
8 characters for deciphering the data. Data Protector Express stores the passphrases in the Data Protector
Express catalog. The user is able to read and append to the encrypted media without being prompted
for a passphrase as long as the media information is in the Data Protector Express catalog. In this way,
Data Protector Express provides the highest level of security for offline media.

Cryptographic Algorithms

Cryptographic algorithms are the basic components of cryptographic applications. It is important to
understand that as you increase the complexity of the encryption the information gets closer to impossible
to read and the load on your machine, for software-based encryption, will increase.
Software Three cryptographic algorithms are provided. These three settings provide three levels of
resistance which require progressively more CPU time to convert the same amount of data. The three
options are for the software encryption mode only.
• Low – DES 56-bit
• Medium – AES 128-bit
• High – AES 256-bit
Hardware The cryptographic algorithm provided by hardware devices that provide this feature is not
under Data Protector Express control. The hardware provides configuration and operating parameters
via a special encryption command. The device driver adjusts its crypto session settings from this input.
Hardware encryption is an on/off feature, you do not have the ability to adjust the encryption level
through the Data Protector Express interface. By default Data Protector Express will attempt to use the
highest encryption algorithm supported on the device, if the device supports multiple algorithms. If the
device does not support encryption, the user will be prompted with an alert telling them that the device
cannot be used since it does not support hardware encryption.

Passphrase

The passphrase is a series of characters that must be provided by the user for input to the cryptographic
key generation process.
• Passphrases must be no less than 8 logical characters. They may be created by the user or
randomly generated by a separate application.
• If created by the user, the passphrase should be difficult to guess and should contain a mix of
lowercase/uppercase letters, digits and special characters.
• The passphrase is one of the components Data Protector Express uses to generate the encryption
key. A longer or random passphrase will increase the strength of the encryption key even more.
• To aid the user in remembering the passphrase, the user may enter a hint message. The use of
this field is optional and provided to the user as prompt for remembering the passphrase.
• If a backup job spans multiple media, the same passphrase will be used for all media in the set.
Passphrases and Data Protector Express catalog
Protector Express catalog. This means the user is able to read and append to the encrypted media
without being prompted for a passphrase as long as it is being accessed by the instance of Data
Protector Express that first encrypted it
104
Backup Jobs
Passphrases for the media are stored in the Data