Encryption
The encryption policies, methods, and software capabilities for the IBM TS4500 tape library are described in this chapter.
This chapter includes the following topics:
3.1 Tape encryption overview
The tape drives that are supported by the TS4500 tape library can encrypt data as it is written to a tape cartridge.
Encryption is performed at full line speed in the tape drive, after compression. The order matters: the drive compresses first because encrypted data is effectively random and no longer compresses. This capability adds a strong measure of security to stored data without consuming host processing power and without degrading drive performance.
3.1.1 Encryption-enabled tape drives
All of the tape drives that are supported by the TS4500 tape library are encryption-capable. Encryption capability means that they are functionally capable of performing hardware encryption, but the capability is not activated until the drive is encryption-enabled. To perform hardware encryption, the tape drives must be encryption-enabled. Encryption can be enabled on the tape drives through the TS4500 management graphical user interface (GUI).
 
Note: FC 1604, Transparent LTO Encryption, is required for library-managed encryption (LME) on Linear Tape-Open (LTO) tape drives. It is not required for application-managed encryption (AME).
3.1.2 Encryption key management
Encryption involves the use of several kinds of keys in successive layers. How these keys are generated, maintained, controlled, and transmitted depends on the operating environment where the encrypting tape drive is installed. Certain data management applications, such as IBM Spectrum Protect, can perform key management. For environments without such applications or environments where application-independent encryption is necessary, IBM provides a key manager to perform all necessary key management tasks. The suggested IBM Encryption Key Manager (EKM) for the TS4500 tape library and drives is IBM Security Key Lifecycle Manager.
IBM Security Key Lifecycle Manager is the IBM strategic platform for storing encryption keys and delivering them to the storage endpoint devices that encrypt data.
The IBM Security Key Lifecycle Manager can be used to provide encryption key management services for the encryption of data with encryption-capable drives. Host software has no direct knowledge of the key manager that is used.
IBM Security Key Lifecycle Manager serves data keys to the tape drive. Its first release focuses on ease of use and provides a GUI to help with the installation and configuration of the key manager. With IBM Security Key Lifecycle Manager, the certificates and the key-encrypting keys that protect the data keys can be created and managed. If you use IBM Tivoli® Key Lifecycle Manager, you can migrate to IBM Security Key Lifecycle Manager.
For more detailed information about the IBM Security Key Lifecycle Manager, see IBM Knowledge Center for IBM Security Key Lifecycle Manager:
3.2 Encryption policy
The encryption policy is the method that is used to implement encryption. It includes the rules that govern the volumes that are encrypted and the mechanism for key selection. How and where these rules are set up depends on the operating environment. For more information about each of the available methods, see 3.2.2, “Managing encryption on the TS4500” on page 180.
With the TS4500 tape library, the encryption policy is managed at the logical library level. The Logical Libraries page of the TS4500 management GUI is used to enable encryption for a logical library and modify the encryption method that is used. The Security page of the TS4500 management GUI is used to manage key servers and key labels.
 
Note: In the tape storage environment, the encryption function on tape drives (desktop, stand-alone, and within libraries) is configured and managed by the client. It is not configured and managed by the IBM service support representative (SSR). In certain instances, SSRs are required to enable encryption at a hardware level when service access or service password-controlled access is required. Client setup support is from a field technical sales specialist (FTSS), client documentation, and software support for encryption software problems.
3.2.1 Encryption methods
The encryption methods for the TS1160, TS1155, TS1150, TS1140, LTO-8, LTO-7, LTO-6, LTO-5, and LTO-4 tape drives differ to some extent. The differences are described next. The following sections also contain a brief description of encryption methods. In these sections, the term Key Manager (KM) is used to refer to IBM Security Key Lifecycle Manager and other key managers.
Symmetric key encryption
Encryption of data by using a symmetric key and algorithm is sometimes called secret key encryption (or, confusingly, private key encryption, which is not to be confused with the private key of an asymmetric key pair). In a symmetric key system, the key that is used to encrypt data is the same key that is used to decrypt it.
In practice, the encryption and decryption keys can be identical, or they can be related by a simple transformation. In the IBM tape encryption solution with IBM Security Key Lifecycle Manager, the same key is used for encryption and decryption of the data. This data key is itself protected by an asymmetric key algorithm, and it is never exposed in clear text.
Symmetric key encryption is several orders of magnitude faster than asymmetric key encryption. Symmetric algorithms either encrypt a bit (or byte) at a time (stream ciphers) or encrypt fixed-size blocks of bits (block ciphers). The Advanced Encryption Standard (AES) is a block cipher with a 128-bit block size and key sizes of 128, 192, or 256 bits. The IBM tape encryption solution uses AES with a 256-bit key. Well-known symmetric key algorithms include:
Twofish
Blowfish
Serpent
Cast5
Data Encryption Standard (DES)
Triple DES (TDES)
International Data Encryption Algorithm (IDEA)
Advanced Encryption Standard (AES)
Asymmetric key encryption
Another widely used method of encryption is public/private key encryption, or asymmetric encryption. With this method, keys are generated in mathematically related pairs: one key encrypts the data, and only the other key of the pair can decrypt it.
This technique was pioneered in the 1970s and represented a significant breakthrough in cryptography. The Rivest-Shamir-Adleman (RSA) algorithm is the most widely used public key technique. The power of this approach is that the key that encrypts the data, the public key, does not need to be kept secret.
The public key can be widely shared, and anyone who wants to send secure data to an organization can use its public key. The receiving organization then uses its private key to decrypt the data, which makes public/private key encryption useful for sharing information between organizations. This methodology is widely used on the internet today to secure transactions, including Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS).
Asymmetric key encryption is much slower and more computationally intensive than symmetric key encryption. Its advantage is the ability to share secret data with a party without first sharing a secret key with that party. For this reason, the two are normally combined: a symmetric key encrypts the bulk data, and an asymmetric key protects that symmetric key. That is the model the IBM tape encryption solution uses.
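The two sections above describe the pieces that the IBM tape encryption solution combines: AES-256 for the data, compression before encryption, and an asymmetric key that protects the symmetric data key. The following Go program is an added example written for this page; it is not IBM code, not the drive's firmware, and not the key manager's wire protocol. It shows the same construction with standard-library primitives. It assumes AES-GCM as the AES mode and RSA-OAEP for wrapping the data key (the page does not say which modes the drive and the key manager use), and the sample tape block is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"strings"
)

// SampleBlock is a constructed, highly redundant "tape block" of backup records.
var SampleBlock = []byte(strings.Repeat("HOST=db01 FILE=/var/lib/db/segment.dat STATUS=OK\n", 100))

func must[T any](v T, err error) T { // panic on error: fine for a demonstration only
	if err != nil {
		panic(err)
	}
	return v
}

func NewKEK() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) } // key manager's KEK pair

func NewDataKey() []byte { // fresh random 256-bit AES data key
	dk := make([]byte, 32)
	must(io.ReadFull(rand.Reader, dk))
	return dk
}

// gzipBytes stands in for the drive's compressor.
func gzipBytes(in []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(in)
	w.Close()
	return buf.Bytes()
}

func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// AESGCMSeal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func AESGCMSeal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// AESGCMOpen reverses AESGCMSeal and fails on any tampering.
func AESGCMOpen(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed block too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// CompressThenEncrypt is the drive's order; EncryptThenCompress is the wrong order, because ciphertext no longer compresses.
func CompressThenEncrypt(dk, data []byte) []byte { return AESGCMSeal(dk, gzipBytes(data)) }
func EncryptThenCompress(dk, data []byte) []byte { return gzipBytes(AESGCMSeal(dk, data)) }

// WrapDataKey models the key manager protecting the data key under the KEK: the wrapped key can
// travel with the cartridge, and only the KEK's private half, kept in the key manager, recovers it.
func WrapDataKey(kekPub *rsa.PublicKey, dk []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dk, []byte("tape-dk"))
}

func UnwrapDataKey(kekPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, wrapped, []byte("tape-dk"))
}

// ReadCartridge is the read side end to end: data key from the key manager, then decrypt, then inflate.
func ReadCartridge(kekPriv *rsa.PrivateKey, wrapped, onTape []byte) ([]byte, error) {
	dk, err := UnwrapDataKey(kekPriv, wrapped)
	if err != nil {
		return nil, err
	}
	inflated, err := AESGCMOpen(dk, onTape)
	if err != nil {
		return nil, err
	}
	r, err := gzip.NewReader(bytes.NewReader(inflated))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r)
}

func main() {
	kek, dk := NewKEK(), NewDataKey()
	fmt.Printf("plain %d B, compress-then-encrypt %d B, encrypt-then-compress %d B\n", len(SampleBlock), len(CompressThenEncrypt(dk, SampleBlock)), len(EncryptThenCompress(dk, SampleBlock)))
	wrapped := must(WrapDataKey(&kek.PublicKey, dk)) // stored with the cartridge; the clear key is not
	plain, err := ReadCartridge(kek, wrapped, CompressThenEncrypt(dk, SampleBlock))
	fmt.Println("read back intact:", err == nil && bytes.Equal(plain, SampleBlock))
}
```

Running it prints the sizes: the constructed block shrinks to well under a tenth of its size when compressed before encryption and grows slightly when the order is reversed, which is why the drive compresses first. On the read path, the wrapped key that travels with the cartridge is useless without the key manager's private KEK, so the keystore that holds the KEK is as critical to recovery as the tape itself, and a wrong KEK or a modified block is rejected rather than producing garbage.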
3.2.2 Managing encryption on the TS4500
A key manager is a software program that assists IBM encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys. The encryption keys encrypt information that is being written to tape media (tape and cartridge formats), and they decrypt information that is being read from tape media.
The TS4500 tape library supports the IBM Security Key Lifecycle Manager. For more information, see the IBM Security Key Lifecycle Manager V3.0 documentation section in IBM Knowledge Center:
The key manager operates on a number of operating systems, including IBM z/OS, Linux, Sun Solaris, IBM AIX, and Microsoft Windows. It is a shared resource that can be deployed in several locations within an enterprise. It can serve numerous IBM encrypting tape drives or encrypting disk drives, regardless of where those drives are installed (for example, in tape library subsystems that are connected to mainframe systems through various types of channel connections, or installed in other computing systems).
The key manager uses a keystore to hold the certificates and keys (or pointers to the certificates and keys) that are required for all encryption tasks. Refer to the appropriate documentation for detailed information about the key manager and the keystores that it supports.
The following methods are available to manage encryption in the TS4500 tape library:
Application-managed encryption (AME)
System-managed encryption (SME) for TS7700 z/OS
Library-managed encryption (LME)
These methods differ in the following ways:
Where the encryption policy engine resides
Where key management occurs for your encryption solution
How the key manager is connected to the drive
Your operating environment determines the best method for you.
Key management and the encryption policy engine can be in any of the environment layers that are shown in Figure 3-1.
Figure 3-1 Possible locations for the encryption policy engine and key management
The application layer, for example, IBM Spectrum Protect, initiates the data transfer for tape storage.
The library layer is the TS4500 tape library, which contains an internal interface to each tape drive that is installed in the library.
3.2.3 Application-managed encryption (AME)
The application-managed tape encryption method is best in operating environments that run an application that already can generate and manage encryption policies and keys, such as IBM Spectrum Protect. Policies that specify when encryption is to be used are defined through the application interface. The policies and keys pass through the data path between the application layer and the encryption-capable tape drives.
Encryption is the result of interaction between the application and the encryption-enabled tape drive, and it is transparent to the system and library layers. Because the application manages the encryption keys, volumes that are written and encrypted with the application method can be read only by using the application-managed tape encryption method.
 
Note: The capability to use AME is not preset. The logical library must be set to use AME.
Application-managed tape encryption can use either of two encryption command sets:
The IBM encryption command set that was developed for the key manager
The T10 command set that was defined by the International Committee for Information Technology Standards (INCITS)
3.2.4 System-managed encryption (SME)
System-managed encryption is required for TS7700 support. Tape drives that attach to the TS7700 must be configured for system-managed encryption. The TS7700 can use the drives in this mode only, and it does not support library-managed or application-managed encryption.
After the TS7700 starts using drives for encrypted physical tape volumes, it takes any drive that is not correctly enabled for encryption offline to the subsystem.
System-managed encryption is best where the applications that write to or read from tapes are not capable of performing the key management that is required for application-managed encryption.
For IBM z Systems, encryption policies that specify when to use encryption can be set up in the z/OS Data Facility Storage Management Subsystem (DFSMS) or implicitly through each instance of an IBM device driver. Key generation and management are performed by an encryption key server. Policy controls and keys pass through the data path between the system layer and the encrypting tape drives. Encryption is transparent to the applications.
3.2.5 Library-managed encryption (LME)
Library-managed encryption (LME) is useful for encryption-enabled tape drives in an open-attached TS4500 tape library.
 
Note: The capability to use LME is not preset. The logical library must be set to use LME.
Key generation and management are performed by the key manager, a Java application that runs on a library-attached host. Policy control and keys pass through the library-to-drive interface rather than the host data path, so encryption is transparent to applications such as IBM Spectrum Protect.
Bar code encryption policies, which are set up through the TS4500 management GUI, can be used to specify when to use encryption. In such cases, policies are based on cartridge volume serial numbers (VOLSERs). Library-managed encryption also allows other options, such as the encryption of all volumes in a library, independently of bar codes.
When it is used with certain applications, such as Symantec NetBackup or the EMC Legato NetWorker, library-managed encryption includes support for an internal label option. When the internal label option is configured, the encryption-enabled tape drive automatically derives the encryption policy and key information from the metadata that is written on the tape volume by the application.
Up to four library-managed encryption (LME) key paths per logical library are supported on the TS4500.
 
Note: If you use LME and IBM device drivers that run on open systems platforms (AIX, Linux, Solaris, or Windows), information for bulk rekey is available in the IBM Tape Device Drivers Installation and User’s Guide, GC27-2130. This guide is available on the web:
When you use LME, an extra Ethernet cable must be attached between the library and the key manager network, preferably to a different network switch. The extra path provides redundancy for the library-to-key-manager connection and better backup job reliability, because a drive that cannot reach a key manager cannot obtain the key it needs to write or read an encrypted volume.
The following components are required to use encryption:
Encryption-enabled tape drive
Keystore
Key manager
3.2.6 Prerequisites for using encryption on the IBM TS4500 tape library
Certain hardware and software prerequisites must be met before you use encryption with the TS4500 tape library.
With the TS4500 tape library, encryption is managed at the logical library level. All encryption-enabled drives that are assigned to a logical library use the same method of encryption.
The rules for setting up encryption differ based on whether the library is installed with 3592 or LTO tape drives, and whether you use library-managed encryption (LME), system-managed encryption (SME), or application-managed encryption (AME).
If the library contains 3592 tape drives, the following prerequisites apply:
IBM Security Key Lifecycle Manager must be attached to the TS4500 and configured for LME.
Tape drives must be enabled for encryption from the Logical Libraries page of the TS4500 management GUI.
If the tape drives connect to a TS7700, system-managed encryption must be used.
If the library contains LTO tape drives, the following prerequisites apply:
Tape drives must be enabled for encryption from the Logical Libraries page of the TS4500 management GUI.
Feature Code (FC) 1604, Transparent LTO Encryption, is required for LTO tape drives if you use LME.
IBM Security Key Lifecycle Manager is required as the key manager when you use LME with LTO tape drives.
Encryption methods on the TS4500
Encryption is managed at the logical library level. All encryption-enabled drives that are assigned to a logical library use the same method of encryption. Enable encryption, or modify the method that is used, on the Logical Libraries page, which is shown in more detail in 4.1, “Integrated management console” on page 188.
To enable encryption or modify the method that is used, complete the following steps:
1. Select a logical library on the Logical Libraries page.
2. Select Actions → Modify Encryption Method.
3. Choose a method from the Encryption menu on the Modify Encryption Method window and click Modify, as shown in Figure 3-2.
Figure 3-2 Modify Encryption Method window
For more information about this topic, see “Modify Encryption Method” on page 293.
The following methods can be used for encryption.
Application-managed encryption (AME)
Use this method if the application generates and manages encryption policies and keys. Applications, such as IBM Spectrum Protect, can manage encryption.
System-managed encryption (SME)
Select this method of encryption if the library is attached to a TS7700 z/OS.
Library-managed encryption (LME) by bar code
Use this method to apply the default key that is specified by the key manager to all VOLSER ranges. The encryption policy is selected based on cartridge volume serial numbers (bar codes).
Library-managed encryption (LME) by internal label selective encryption
Use this method if you use Symantec NetBackup or the EMC Legato NetWorker. This encryption method encrypts cartridges with pool identifiers from 1500 - 9999 (inclusive) by using keys that are specific to each pool.
Labels for these keys are generated by the tape drive based on the pool identifier. For instance, key label INTERNAL_LABEL_NBU_1505_A is generated for a cartridge in pool 1505. Go to Settings → Security → Encryption Internal Label and select the Create mapping tab to map these generated labels to the key-encrypting key labels that you want in the keystore of the Encryption Key Manager (EKM). All other cartridges remain unencrypted.
Library-managed encryption (LME) by internal label all encryption
Encrypt All Mode allows NetBackup to always request encryption and to specify the key labels to use. Certain ranges indicate that the default EKM key labels must be used and other ranges indicate that one or two key labels need to be constructed based on the pool ID.
For NetWorker, Encrypt All Mode causes NetWorker to request encryption in every case except where the Encryption Control Field (ECF) is invalid, out of range, or not provided; otherwise it behaves the same as Selective Encryption Mode. In those exception cases, the drive generates a special “NOTAG” key label (or labels). If the keystore has a key with this label, the write is encrypted under it. However, the intended use of the “NOTAG” label is to flag jobs whose ECF was never updated for encryption: if no “NOTAG” key is in the keystore, the write fails and the job fails. This function lets the client surface every job that was not altered for encryption instead of writing it unnoticed.
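The internal-label policy described in this and the two preceding methods can be expressed as a small decision routine. The following Go program is an added example written for this page, not IBM code and not the drive's firmware: it models the pool-range test (1500 to 9999 inclusive), the label the drive generates from the pool identifier, the keystore mapping created on the Encryption Internal Label page, and the fail-closed handling of the “NOTAG” label. Only the NetBackup label form INTERNAL_LABEL_NBU_1505_A appears on this page; the NetWorker prefix NW, the exact spelling of the NOTAG label, the name of the key manager's default label, and failing a write whose pool label has no mapped key are assumptions of the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Mode is the internal-label mode chosen for the logical library.
type Mode int

const (
	SelectiveEncryption Mode = iota // pools 1500-9999 are encrypted, everything else stays clear
	EncryptAll                      // the application always requests encryption
)

// Application prefixes used in the generated label. "NBU" appears on this page;
// "NW" for NetWorker is an assumption of this example.
const (
	NetBackup = "NBU"
	NetWorker = "NW"
)

const (
	poolMin      = 1500
	poolMax      = 9999
	noTagLabel   = "INTERNAL_LABEL_NOTAG" // assumed spelling of the special "NOTAG" label
	defaultLabel = "DEFAULT_KEK_LABEL"    // assumed name for the key manager's default label
)

// Keystore maps a drive-generated label to the key-encrypting-key label it was
// mapped to on the Encryption Internal Label page; a missing entry means no key.
type Keystore map[string]string

// Decision is what the drive does with the write request.
type Decision struct {
	Encrypt bool
	Label   string // key-encrypting-key label actually used; empty when writing in clear
	Err     error  // non-nil when the write must fail
}

// PoolLabel builds the label the drive derives from the pool identifier,
// for example INTERNAL_LABEL_NBU_1505_A for NetBackup pool 1505.
func PoolLabel(app string, pool int) string {
	return fmt.Sprintf("INTERNAL_LABEL_%s_%d_A", app, pool)
}

// parseECF reads the Encryption Control Field the application wrote into the
// volume metadata; ok is false when it is absent or not a number.
func parseECF(ecf string) (pool int, ok bool) {
	n, err := strconv.Atoi(strings.TrimSpace(ecf))
	if err != nil {
		return 0, false
	}
	return n, true
}

// resolve looks a generated label up in the keystore and fails closed when no key
// is mapped. The page states this behaviour for NOTAG; applying it to pool labels
// as well is an assumption of the example.
func resolve(ks Keystore, label string) Decision {
	kek, found := ks[label]
	if !found {
		return Decision{Err: fmt.Errorf("no key mapped for label %s: write fails", label)}
	}
	return Decision{Encrypt: true, Label: kek}
}

// Evaluate applies the policy to one cartridge.
func Evaluate(app string, mode Mode, ecf string, ks Keystore) Decision {
	if pool, ok := parseECF(ecf); ok && pool >= poolMin && pool <= poolMax {
		return resolve(ks, PoolLabel(app, pool))
	}
	switch {
	case mode == SelectiveEncryption:
		return Decision{} // out of range or no ECF: the cartridge stays unencrypted
	case app == NetWorker:
		return resolve(ks, noTagLabel) // flags jobs whose ECF was never updated
	default:
		return resolve(ks, defaultLabel) // NetBackup falls back to the key manager's default label (assumed)
	}
}

func main() {
	ks := Keystore{PoolLabel(NetBackup, 1505): "KEK_NBU_POOL_1505", defaultLabel: "KEK_DEFAULT"}
	cases := []struct {
		app  string
		mode Mode
		ecf  string
	}{
		{NetBackup, SelectiveEncryption, "1505"},
		{NetBackup, SelectiveEncryption, "42"},
		{NetBackup, EncryptAll, "42"},
		{NetWorker, EncryptAll, ""},
	}
	for _, c := range cases {
		fmt.Printf("%s mode=%d ecf=%q -> %+v\n", c.app, c.mode, c.ecf, Evaluate(c.app, c.mode, c.ecf, ks))
	}
}
```

The last case is the one to watch in production: a NetWorker job that never had its ECF set, running under Encrypt All Mode, fails rather than writing in the clear unless someone has deliberately mapped a key to the NOTAG label, which defeats the purpose of the mode.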
 