Encryption Options
Mode: Zeroed
■ Media, device, and enabling keys missing. The drive is unusable, and must be returned to manufacturing.
Refer to Crypto Key Management documentation for additional information:
Encryption Options
Encryption-capable T10000 tape drives support data-at-rest encryption.
Federal Information Processing Standards compliance:
■ FIPS PUB 140-2, Security Requirements for Cryptographic Modules
  – Level 1: The basic level with production-grade requirements.
  – Level 2: Adds requirements for physical tamper evidence and role-based authentication.
■ With drive code level 1.40.x07 and Key Management System (KMS) 2.1, the T10000A drive complies with FIPS Level 1.
■ With drive code level 1.40.x07 and Key Management System (KMS) 2.1, the T10000B drive complies with FIPS Level 2.
■ The T10000C drive with code level 1.51.318 and the Oracle Key Manager provides FIPS 140-2 Level 1 security to data on magnetic tape.

There are four encryption modes:
1. Encryption off (manufacturing default).
2. Encryption enabled (on/off switchable) with keys obtained from a KMS.
3. Encryption permanently enabled with keys obtained from a KMS (protected with AES Key wrap). Note that encryption cannot be turned off in this mode.
4. DPKM (see "Data Path Key Management" on page 1-9).

Key Management Solutions
The StorageTek Crypto Key Management Station (KMS 1.x), StorageTek Crypto Key Management System (KMS 2.x), and Oracle Key Management (OKM) provide device-based encryption solutions. The tape drive is shipped from the factory encryption-capable, but not encryption-enabled. You must explicitly enable the drive for encryption.

What an Encryption-Enabled T10000 Tape Drive can do:
■ Write to a tape cartridge in encrypted mode only, using its assigned write key
■ Read an encrypted tape cartridge, if it has the proper read key
■ Read non-encrypted tape cartridges—can neither write to nor append to the cartridge
■ Format or reclaim tape cartridges

Note: A drive that has not been enabled for encryption can neither read nor append to any encrypted tape cartridge. It can, however, overwrite an encrypted tape from the beginning of tape (BOT).

1-8 StorageTek T10000 Tape Drive Operator's Guide