Planning for library-managed encryption
This topic explains library-managed encryption (LME).
This method is best for TS1120, LTO Ultrium 4, and newer tape drives in an
open-attached TS3500 Tape Library. Barcode encryption policies, which are set up
through the Tape Library Specialist Web interface, can be used to specify when to
use encryption. In such cases, policies are based on cartridge volume serial
numbers. Library-managed encryption also allows other options, such as
encryption of all volumes in a library, independent of bar codes. Key generation
and management is performed by the key manager. Policy control and keys pass
through the library-to-drive interface, therefore encryption is transparent to the
applications.
Library-managed encryption, when used with certain applications such as
Symantec Netbackup
â„¢
or the EMC Legato NetWorker, includes support for an
internal label option. When the internal label option is configured, the
encryption-enabled tape drive automatically derives the encryption policy and key
information from the metadata written on the tape volume by the application.
Refer to the appropriate section of the IBM System Storage TS3500 Tape Library with
ALMS Operator Guide for more information.
Notes:
v If you use library-managed encryption and IBM tape and changer drivers
running on Open Systems platforms (AIX, HP-UX, Linux, Solaris, Windows),
information for bulk rekey is available in the IBM Tape Device Drivers Installation
and User's Guide, available on the Web: http://www-01.ibm.com/support/
docview.wss?rs=577&uid=ssg1S7002972 .
v When using LME, an additional Ethernet cable should be attached, preferably to
a different network switch. This is for redundancy and better backup job
reliability.
v When using LME with Ultrium 5 tape drives, the Tivoli Key Lifecycle Manager
(TKLM) is required as the key manager.
System-managed encryption and library-managed encryption interoperate with one
another. In other words, a tape encrypted using system-managed encryption may
be decrypted using library-managed encryption, and vice versa, provided they
both have access to the same keys and certificates. Otherwise, this may not be
feasible.
In order to perform encryption the following is required:
v Encryption-capable tape drive(s) (TS1120, LTO Ultrium 4, or newer tape drives)
v Keystore
v Key manager
Configuration prerequisites for encryption
This topic provides an overview of the library configuration prerequisites for using
encryption in the TS3500 Tape Library.
Before you can use the encryption capability of encryption-capable tape drives, you
must ensure that certain hardware and software requirements are met. The
following information provides an overview of the library configuration
prerequisites for ensuring successful implementation of encryption in a TS3500
Tape Library.
Chapter 8. Tape encryption overview 219
To Next Page
Loading...
Need help?
General