Encryption Options; Key Management Solutions - Oracle StorageTek T10000 Operator's Manual


Encryption Options

Mode: Zeroed
Media, device, and enabling keys missing. The drive is unusable, and must be
returned to manufacturing.
Refer to Crypto Key Management documentation for additional information:

Encryption Options

Encryption-capable T10000 tape drives support data-at-rest encryption.

Federal Information Processing Standards compliance:
- FIPS PUB 140-2, Security Requirements for Cryptographic Modules
  - Level 1: The basic level with production-grade requirements.
  - Level 2: Adds requirements for physical tamper evidence and role-based
    authentication.
- With drive code level 1.40.x07 and Key Management System (KMS) 2.1, the
  T10000A drive complies with FIPS Level 1.
- With drive code level 1.40.x07 and Key Management System (KMS) 2.1, the
  T10000B drive complies with FIPS Level 2.
- The T10000C drive with code level 1.51.318 and the Oracle Key Manager provides
  FIPS 140-2 Level 1 security to data on magnetic tape.

There are four encryption modes:
1. Encryption off (manufacturing default).
2. Encryption enabled (on/off switchable) with keys obtained from a KMS.
3. Encryption permanently enabled with keys obtained from a KMS (protected with
   AES Key wrap). Note that encryption cannot be turned off in this mode.
4. DPKM (see "Data Path Key Management" on page 1-9).

Key Management Solutions

The StorageTek Crypto Key Management Station (KMS 1.x), StorageTek Crypto Key
Management System (KMS 2.x), and Oracle Key Management (OKM) provide
device-based encryption solutions. The tape drive is shipped from the factory
encryption-capable, but not encryption-enabled. You must explicitly enable the drive
for encryption.

What an Encryption-Enabled T10000 Tape Drive can do:
- Write to a tape cartridge in encrypted mode only, using its assigned write key
- Read an encrypted tape cartridge, if it has the proper read key
- Read non-encrypted tape cartridges—can neither write to nor append to the
  cartridge
- Format or reclaim tape cartridges

Note: A drive that has not been enabled for encryption can neither
read nor append to any encrypted tape cartridge. It can, however,
overwrite an encrypted tape from the beginning of tape (BOT).

1-8 StorageTek T10000 Tape Drive Operator's Guide
