3. If no alias is specified in the request and no alias is specified in the drive table,
Encryption Key Manager selects an alias from the set of aliases or the key
group in the keyAliasList.
4. Encryption Key Manager fetches a corresponding DK from the keystore.
5. Encryption Key Manager converts the alias to a DKi and wraps the DK with a
key the drive can decrypt
6. Encryption Key Manager sends the DK and DKi to the tape drive
7. Tape drive unwraps the DK and writes encrypted data and DKi to tape
Figure 2-2 shows how keys are processed for encrypted read operation.
1. Tape drive receives read request and sends DKi to Encryption Key Manager
2. Encryption Key Manager verifies tape device in Drive Table
3. Encryption Key Manager translates DKi to alias and fetches corresponding DK
from keystore
4. Encryption Key Manager wraps the DK with a key the drive can decrypt
5. Encryption Key Manager sends the wrapped DK to tape drive
6. Tape drive unwraps the DK and uses it to decrypt the data
Backing up Keystore Data
Note: Due to the critical nature of the keys in your keystore, it is vital that you
back up this data on a non-encrypted device so that you can recover it as
needed and be able to read the tapes that were encrypted using those
certificates associated with that tape drive or library. Failure to backup
your keystore properly will result in irrevocably losing all access to your
encrypted data.
There are many ways to backup this keystore information. Each keystore type has
it own unique characteristics. These general guidelines apply to all:
v Keep a copy of all certificates loaded into the keystore (usually a PKCS12 format
file).
v Use system backup capabilities (such as RACF) to create a backup copy of the
keystore information (be careful not to encrypt this copy using the encrypting
tape drives as it would impossible to decrypt it for recovery).
Config
File
Key
store
Drive
Table
Key Manager
1
2
4
5
6
3
DKi Alias
DK
Figure 2-2. LTO 4 or LTO 5 Tape Drive Request for Encryption Read Operation
Chapter 2. Planning Your Encryption Key Manager Environment 2-5
|
To Next Page
Loading...
Need help?
General