Application-managed tape encryption on TS1120, LTO Ultrium 4, and newer tape
drives can use either of two encryption command sets:
- The IBM encryption command set developed for the key manager
- The T10 command set defined by the InterNational Committee for Information
  Technology Standards (INCITS)
For more information about setting up application-managed encryption for Tivoli
Storage Manager, see your Tivoli Storage Manager documentation or visit
http://publib.boulder.ibm.com/infocenter/tivihelp/v1r1/index.jsp.
Planning for system-managed encryption
This topic explains system-managed encryption (SME).
This method is best for encryption on TS1120, LTO Ultrium 4, and newer tape
drives in System z operating environments.
Open systems
Encryption policies specifying when to use encryption are set up in the IBM tape
device driver. System-managed tape encryption and library-managed tape
encryption interoperate with one another. In other words, a tape encrypted using
system-managed encryption may be decrypted using library-managed encryption,
and vice versa, provided they both have access to the same keys and certificates.
Without access to the same keys and certificates, this may not be feasible.
For details on setting up system-managed encryption on tape drives in an AIX,
Linux, Windows, or Solaris environment, see the IBM Tape Device Drivers
Installation and User's Guide and the IBM System Storage TS3500 Tape Library with
ALMS Operator Guide.
System z
Encryption policies specifying when to use encryption are set up in z/OS DFSMS
(Data Facility Storage Management Subsystem) or implicitly through each instance
of the IBM device driver. Additional software products such as IBM Integrated
Cryptographic Service Facility (ICSF) and IBM Resource Access Control Facility
(RACF®) may also be used. Key generation and management are performed by the
key manager running on the host or externally on another host. Policy controls and
keys pass through the data path between the system layer and the encrypting tape
drives. Encryption is transparent to the applications.
For TS1120 and newer 3592 tape drives connected to an IBM TS7700 Virtualization
Engine (VE), encryption key labels are assigned on a per-storage pool basis using
the TS7700 Management Interface. DFSMS storage constructs are used by z/OS to
control the use of storage pools for logical volumes, resulting in an indirect form of
encryption policy management. For more information, see the white paper, IBM
Virtualization Engine TS7700 Series Encryption Overview, available at
http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504.
For details on setting up system-managed encryption on TS1120 and newer 3592
tape drives in a System z platform environment, see z/OS DFSMS Software Support
for IBM System Storage TS1130 and TS1120 Tape Drives (3592).
218 IBM System Storage TS3500 Tape Library with ALMS: Introduction and Planning Guide