Encryption Options
1-8 StorageTek T10000 Tape Drive Operator’s Guide
■ Mode: Zeroed
Media, device, and enabling keys missing. The drive is unusable, and must be
returned to manufacturing.
Refer to Crypto Key Management documentation for additional information:
Encryption Options
Encryption-capable T10000 tape drives support data-at-rest encryption.
Federal Information Processing Standards compliance:
■ FIPS PUB 140-2, Security Requirements for Cryptographic Modules
– Level 1: The basic level with production-grade requirements.
– Level 2: Adds requirements for physical tamper evidence and role-based
authentication.
■ With drive code level 1.40.x07 and Key Management System (KMS) 2.1, the
T10000A drive complies with FIPS Level 1.
■ With drive code level 1.40.x07 and Key Management System (KMS) 2.1, the
T10000B drive complies with FIPS Level 2.
■ The T10000C drive with code level 1.51.318 and the Oracle Key Manager provides
FIPS 140-2 Level 1 security to data on magnetic tape.
There are four encryption modes:
1. Encryption off (manufacturing default).
2. Encryption enabled (on/off switchable) with keys obtained from a KMS.
3. Encryption permanently enabled with keys obtained from a KMS (protected with
AES Key wrap). Note that encryption cannot be turned off in this mode.
4. DPKM (see "Data Path Key Management" on page 1-9).
Key Management Solutions
The StorageTek Crypto Key Management Station (KMS 1.x), StorageTek Crypto Key
Management System (KMS 2.x), and Oracle Key Management (OKM) provide
device-based encryption solutions. The tape drive is shipped from the factory
encryption-capable, but not encryption-enabled. You must explicitly enable the drive
for encryption.
Note: A drive that has not been enabled for encryption can neither
read nor append to any encrypted tape cartridge. It can, however,
overwrite an encrypted tape from the beginning of tape (BOT).
What an Encryption-Enabled T10000 Tape Drive can do:
■ Write to a tape cartridge in encrypted mode only, using its assigned write key
■ Read an encrypted tape cartridge, if it has the proper read key
■ Read non-encrypted tape cartridges—can neither write to nor append to the
cartridge
■ Format or reclaim tape cartridges
To Next Page
Loading...
Need help?
General