Encryption
The encryption policies, methods, and software capabilities for the IBM TS4500 tape library are described in this chapter.
This chapter includes the following topics:
3.1 Tape encryption overview
The tape drives that are supported by the TS4500 tape library can encrypt data as it is written to a tape cartridge.
Encryption is performed at full line speed in the tape drive after compression. (Data is compressed more efficiently before it is encrypted.) This capability adds a strong measure of security to stored data without using processing power and without degrading performance.
3.1.1 Encryption-enabled tape drives
All of the tape drives that are supported by the TS4500 tape library are encryption-capable. Encryption capability means that they are functionally capable of performing hardware encryption, but this capability is not yet activated. To perform hardware encryption, the tape drives must be encryption-enabled. Encryption can be enabled on the tape drives through the TS4500 management graphical user interface (GUI).
 
Note: The Transparent LTO Encryption feature code (FC) is required for library-managed encryption (LME) on Linear Tape-Open (LTO) tape drives. It is not required for application-managed encryption (AME). The current FC number can be found at IBM Documentation.
3.1.2 Encryption key management
Encryption involves the use of several kinds of keys in successive layers. How these keys are generated, maintained, controlled, and transmitted depends on the operating environment where the encrypting tape drive is installed. Specific data management applications, such as IBM Spectrum Protect (formerly called Tivoli® Storage Manager), can perform key management tasks.
For environments without such applications or environments where application-independent encryption is necessary, IBM provides a key manager to perform all necessary key management tasks. The suggested IBM Encryption Key Manager (EKM) for the TS4500 tape library and drives is IBM Security Guardium Key Lifecycle Manager (formerly called IBM Security Key Lifecycle Manager).
 
Note: Releases before Version 4.1.0 were IBM Security Key Lifecycle Manager; after Version 4.1.0, the name is IBM Security Guardium Key Lifecycle Manager.
IBM Security Guardium Key Lifecycle Manager is the IBM strategic platform for the storage and delivery of encryption keys to encrypt storage endpoint devices.
The IBM Security Guardium Key Lifecycle Manager can be used to provide encryption key management services for the encryption of data with encryption-capable drives. Host software has no direct knowledge of the key manager that is used.
IBM Security Guardium Key Lifecycle Manager serves data keys to the tape drive. You can use IBM Security Guardium Key Lifecycle Manager to create, back up, and manage the lifecycle of keys and certificates that an enterprise uses. You can manage encryption of symmetric keys, asymmetric key pairs, and certificates. IBM Security Guardium Key Lifecycle Manager provides a graphical user interface, command-line interface, and REST interface to manage keys and certificates.
For more information about the IBM Security Guardium Key Lifecycle Manager, see IBM Documentation.
3.2 Encryption policy
The encryption policy is the method that is used to implement encryption. It includes the rules that govern the volumes that are encrypted and the mechanism for key selection. How and where these rules are set up depends on the operating environment. For more information about each of the available methods, see 3.2.2, “Managing encryption on the TS4500” on page 176.
With the TS4500 tape library, the encryption policy is managed at the logical library level. The Logical Libraries page of the TS4500 management GUI is used to enable encryption for a logical library and modify the encryption method that is used. The Security page of the TS4500 management GUI is used to manage key servers and key labels.
 
Note: In the tape storage environment, the encryption function on tape drives (desktop, standalone, and within libraries) is configured and managed by the client. It is not configured and managed by the IBM service support representative (SSR). In certain instances, SSRs are required to enable encryption at a hardware level when service access or service password-controlled access is required. Client setup support is from a field technical sales specialist (FTSS), client documentation, and software support for encryption software problems.
3.2.1 Encryption methods
The encryption methods for the TS1160, TS1155, TS1150, TS1140, LTO-9, LTO-8, LTO-7, LTO-6, LTO-5, and LTO-4 tape drives differ to some extent. The differences are described next. The following sections also include a brief description of encryption methods. In these sections, the term Key Manager (KM) is used to refer to IBM Security Guardium Key Lifecycle Manager and other key managers.
Symmetric key encryption
Encryption of data by using a symmetric key and algorithm is sometimes called private key encryption or secret key, which is not to be confused with the private key in an asymmetric key system. In a symmetric key system, the cipher key that is used for encrypting data is the same as the cipher key that is used for decryption.
The encryption and decryption ciphers can be related by a simple transformation on the key, or the encryption key and the decryption key can be identical. In the IBM Tape Encryption solution with IBM Security Guardium Key Lifecycle Manager, the same encryption key is used for encryption and decryption of the data. This key is protected by an asymmetric key algorithm, and it is never available in clear text.
Symmetric key encryption is several orders of magnitude faster than asymmetric key encryption. Secret key algorithms can encrypt 1 bit at a time or by specified blocks of bits. The Advanced Encryption Standard (AES) supports a 128-bit block size and key sizes of 128, 192, and 256 bits. The IBM Tape Encryption solution uses the AES standard with a 256-bit key. Other well-known symmetric key algorithms are listed:
Twofish
Blowfish
Serpent
Cast5
Data Encryption Standard (DES)
Triple DES (TDES)
International Data Encryption Algorithm (IDEA)
Advanced Encryption Standard (AES)
Asymmetric key encryption
Another important method of encryption that is widely used today is referred to as public/private key encryption or asymmetric encryption. With this methodology, keys are generated in pairs. The first key is used to encrypt the data, and the second key is used to decrypt the data.
This technique was pioneered in the 1970s, and it represented a significant breakthrough in cryptography. The Rivest-Shamir-Adleman (RSA) algorithm is the most widely used public key technique. The power of this approach lies in the public key, which is used to encrypt the data.
This public key can be widely shared, and anyone who wants to send secure data to an organization can use its public key. The receiving organization then uses its private key to decrypt the data, which makes public/private key encryption useful for sharing information between organizations. This methodology is widely used on the internet today to secure transactions, including Secure Sockets Layer (SSL).
Asymmetric key encryption is much slower and more computationally intensive than symmetric key encryption. The advantage of asymmetric key encryption is the ability to share secret data without sharing the encryption key.
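The following Go program is an added example (not IBM's code and not the tape drive's actual implementation) that illustrates two points made above: data is compressed before it is encrypted because ciphertext does not compress (3.1), and a symmetric AES-256 data key does the bulk encryption while an asymmetric RSA key protects that data key so that it never travels in clear text (3.2.1). The names EncryptRecord, DecryptRecord, CompressedLen and the OAEP label are the example's own; the sample record and the RSA key pair are constructed for the run, with the key pair standing in for the key manager's key-encrypting key. The drive's real on-tape format and key-wrapping protocol are not described on this page and are not reproduced here.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is a constructed label that ties the wrapped key to its purpose.
var oaepLabel = []byte("tape-data-key")

// EncryptedRecord models what would travel to the cartridge: the AES-GCM
// ciphertext plus the data key wrapped under the key manager's RSA public key.
// The data key itself is never stored or transmitted in clear text.
type EncryptedRecord struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// NewDataKey returns a fresh random 256-bit symmetric key (AES-256).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// CompressedLen returns the gzip-compressed size of data. Compare the result for
// a plaintext record with the result for its ciphertext: the ciphertext looks
// random and does not shrink, which is why the drive compresses first.
func CompressedLen(data []byte) int {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf) // writes to memory, so Write and Close cannot fail
	zw.Write(data)
	zw.Close()
	return buf.Len()
}

// EncryptRecord encrypts plain with AES-256-GCM under dataKey, then wraps
// dataKey with RSA-OAEP under kek, the asymmetric key-encrypting key.
func EncryptRecord(plain, dataKey []byte, kek *rsa.PublicKey) (*EncryptedRecord, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // unique per encryption; GCM must never reuse one
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plain, nil),
		WrappedKey: wrapped,
	}, nil
}

// DecryptRecord recovers the data key with the RSA private key and decrypts.
// A wrong private key or a modified ciphertext makes it return an error.
func DecryptRecord(rec *EncryptedRecord, kek *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, rec.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

func main() {
	kek, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key manager's key pair
	dataKey, _ := NewDataKey()
	plain := bytes.Repeat([]byte("backup record 0001 "), 200) // constructed sample data
	rec, _ := EncryptRecord(plain, dataKey, &kek.PublicKey)
	back, _ := DecryptRecord(rec, kek)
	fmt.Printf("round trip ok: %v\n", bytes.Equal(plain, back))
	fmt.Printf("gzip of plaintext: %d bytes, gzip of ciphertext: %d bytes\n",
		CompressedLen(plain), CompressedLen(rec.Ciphertext))
}
```

Run it with go run. The error paths are the behaviour a practitioner relies on: without the private key that the key manager holds, the wrapped data key cannot be recovered and the record stays unreadable, and AES-GCM rejects a ciphertext that was modified after it was written.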
3.2.2 Managing encryption on the TS4500
A key manager is a software program that assists IBM encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys. The encryption keys encrypt information that is being written to tape media (tape and cartridge formats), and they decrypt information that is being read from tape media.
The TS4500 tape library supports the IBM Security Guardium Key Lifecycle Manager. For more information, see the IBM Security Guardium Key Lifecycle Manager in IBM Documentation.
The key manager operates on a number of operating systems, including IBM z/OS, Linux, Sun Solaris, IBM AIX, and Microsoft Windows. It is a shared resource that is deployed in several locations within an enterprise. It can serve numerous IBM encrypting tape drives, or encrypting disk drives, regardless of where those drives are installed (for example, in tape library subsystems, which are connected to mainframe systems through various types of channel connections, or installed in other computing systems).
The key manager uses a keystore to hold the certificates and keys (or pointers to the certificates and keys) that are required for all encryption tasks. Refer to the appropriate documentation for detailed information about the key manager and the keystores that it supports.
The following methods are available to manage encryption in the TS4500 tape library:
Application-managed encryption (AME)
System-managed encryption (SME) for TS7700 z/OS
Library-managed encryption (LME)
These methods differ in the following ways:
Where the encryption policy engine resides
Where key management occurs for your encryption solution
How the key manager is connected to the drive
Your operating environment determines the best method for you.
Key management and the encryption policy engine can be in any of the environment layers that are shown in Figure 3-1.
Figure 3-1 Possible locations for the encryption policy engine and key management
The application layer, for example, IBM Spectrum Protect, initiates the data transfer for tape storage.
The library layer is the TS4500 tape library, which contains an internal interface to each tape drive that is installed in the library.
3.2.3 Application-managed encryption
The application-managed encryption (AME) method is best in operating environments that run an application that already can generate and manage encryption policies and keys, such as IBM Spectrum Protect. Policies that specify when encryption is to be used are defined through the application interface. The policies and keys pass through the data path between the application layer and the encryption-capable tape drives.
Encryption is the result of interaction between the application and the encryption-enabled tape drive, and it is transparent to the system and library layers. Because the application manages the encryption keys, volumes that are written and encrypted with the application method can be read only by using the application-managed tape encryption method.
 
Note: The capability to use AME is not preset. The logical library must be set to use AME.
Application-managed tape encryption can use either of two encryption command sets:
The IBM encryption command set that was developed for the key manager
The T10 command set that was defined by the International Committee for Information Technology Standards (INCITS)
3.2.4 System-managed encryption
System-managed encryption (SME) is required for TS7700 support. Tape drives that attach to the TS7700 must be configured for system-managed encryption. The TS7700 can use the drives in this mode only, and it does not support library-managed or application-managed encryption.
After the TS7700 uses drives for encrypted physical tape volumes, it will place drives that are not correctly enabled for encryption offline to the subsystem.
System-managed encryption is best where the applications that write to or read from tapes are not capable of performing the key management that is required for application-managed encryption.
For IBM z Systems, encryption policies that specify when to use encryption can be set up in the z/OS Data Facility Storage Management Subsystem (DFSMS) or implicitly through each instance of an IBM device driver. Key generation and management are performed by an encryption key server. Policy controls and keys pass through the data path between the system layer and the encrypting tape drives. Encryption is transparent to the applications.
3.2.5 Library-managed encryption
Library-managed encryption (LME) is useful for encryption-enabled tape drives in an open-attached TS4500 tape library.
 
Note: The capability to use LME is not preset. The logical library must be set to use LME.
Key generation and management are performed by the key manager, which is a Java application that is running on a library-attached host. The keys pass through the library-to-drive interface. Therefore, encryption is transparent to the applications when it is used with certain applications, such as IBM Spectrum Protect.
Bar code encryption policies, which are set up through the TS4500 management GUI, can be used to specify when to use encryption. In such cases, policies are based on cartridge volume serial numbers (VOLSERs). Library-managed encryption also allows other options, such as the encryption of all volumes in a library, independently of bar codes. Key generation and management are performed by the key manager. Policy control and keys pass through the library-to-drive interface. Therefore, encryption is not apparent to the applications.
When it is used with certain applications, such as Symantec NetBackup or the EMC Legato NetWorker, library-managed encryption includes support for an internal label option. When the internal label option is configured, the encryption-enabled tape drive automatically derives the encryption policy and key information from the metadata that is written on the tape volume by the application.
Up to four library-managed encryption (LME) key paths per logical library are supported on the TS4500.
 
Note: If you use LME and IBM device drivers that run on open systems platforms (AIX, Linux, Solaris, or Windows), information for bulk rekey is available in the IBM Tape Device Drivers Installation and User’s Guide, GC27-2130.
When you use LME, an extra Ethernet cable must be attached, preferably to a different network switch. The extra cable is for redundancy and better backup job reliability.
The following components are required to use encryption:
Encryption-enabled tape drive
Keystore
Key manager
3.2.6 Prerequisites for using encryption on the IBM TS4500 tape library
Certain hardware and software prerequisites must be met before you use encryption with the TS4500 tape library.
With the TS4500 tape library, encryption is managed at the logical library level. All encryption-enabled drives that are assigned to a logical library use the same method of encryption.
The rules for setting up encryption differ based on whether the library is installed with 3592 or LTO tape drives, and whether you use library-managed encryption (LME), application-managed encryption (AME), or system-managed encryption (SME). SME is available for 3592 tape drives only; it is not available for LTO drives.
If the library contains 3592 tape drives, the following prerequisites must be met:
IBM Security Guardium Key Lifecycle Manager is attached to the TS4500 and configured for LME.
Tape drives are enabled for encryption from the Logical Libraries page of the TS4500 management GUI.
If the tape drives connect to a TS7700, system-managed encryption is used.
If the library contains LTO tape drives, the following prerequisites must be met:
Tape drives are enabled for encryption from the Logical Libraries page of the TS4500 management GUI.
Transparent LTO Encryption is required for LTO tape drives if you use LME. For more information about the latest Feature Codes, see IBM Documentation.
IBM Security Guardium Key Lifecycle Manager is the key manager when you use LME with LTO tape drives.
Add Encryption Key Server on the TS4500
Use the Encryption Key Servers page to manage which key servers use an encryption key.
To add an encryption key server or modify the server that is used, complete the following steps:
1. Click Settings → Security → Encryption Key Servers.
2. Select Add Encryption Key Server.
3. Enter the Server IP (if you use a DNS name, ensure that you added the DNS servers on the Network page) and the Port that is to be used.
4. Select the Security type: TLS1.2 or Proprietary. If TLS1.2 is selected (see Figure 3-2), a Key server certificate must be added to the TS4500 by using the folder browser. The file can contain a chain of certificates. The file also must be in base64 privacy enhanced mail (PEM) format. The maximum length is 255 characters.
Figure 3-2 TLS1.2 option
5. Click Modify.
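Step 4 requires a base64 PEM file that may hold a certificate chain. The following Go program is an added example, not part of the TS4500 software or its documentation, of a pre-upload check that a practitioner can run on that file: it confirms that the file consists only of PEM CERTIFICATE blocks (so a private key that was exported alongside the certificate is caught), that every certificate parses and is valid at the time of the check, and that each certificate is signed by the one that follows it. The leaf-first order that it enforces is the usual convention and an assumption of the example; the page does not state an order. The function names and the sample chain (an example CA and a key-server certificate with made-up names) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckKeyServerChain validates a key-server certificate file before upload:
// the data must be base64 PEM made up of CERTIFICATE blocks only, every
// certificate must parse and be inside its validity period at time now, and
// each certificate must be signed by the one that follows it (leaf first,
// issuing CA last). It returns the subject common names in file order.
func CheckKeyServerChain(data []byte, now time.Time) ([]string, error) {
	var certs []*x509.Certificate
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("block %d is %q: the file must hold certificates only, never a private key", len(certs)+1, block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d does not parse: %w", len(certs)+1, err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no PEM CERTIFICATE block found; a binary DER export must be converted to base64 PEM")
	}
	names := make([]string, 0, len(certs))
	for i, c := range certs {
		name := c.Subject.CommonName
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return nil, fmt.Errorf("%s is not valid at %s (NotBefore %s, NotAfter %s)", name,
				now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339))
		}
		if i+1 < len(certs) {
			if err := c.CheckSignatureFrom(certs[i+1]); err != nil {
				return nil, fmt.Errorf("%s is not signed by the next certificate in the file (%s): %w",
					name, certs[i+1].Subject.CommonName, err)
			}
		}
		names = append(names, name)
	}
	return names, nil
}

// BuildSampleChain constructs a throwaway two-certificate chain (an example CA
// and a key-server certificate it issues) so that the check can be exercised
// offline. Names and lifetimes are made up for the example.
func BuildSampleChain(now time.Time) []byte {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Key Manager CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "keyserver.example.internal"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	// Leaf first, issuer last: each certificate is followed by the one that signed it.
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})...)
}

func main() {
	now := time.Now()
	names, err := CheckKeyServerChain(BuildSampleChain(now), now)
	fmt.Println(names, err)
	// Two years on, the server certificate has expired and the check reports it.
	_, err = CheckKeyServerChain(BuildSampleChain(now), now.Add(2*365*24*time.Hour))
	fmt.Println(err)
}
```

To check a real export, read the file into data and call CheckKeyServerChain(data, time.Now()) in place of BuildSampleChain. An expired or wrongly ordered chain is better found here than as a failed TLS 1.2 handshake between the library and the key server at the first mount that needs a key.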
Encryption methods on the TS4500
Encryption is managed at the logical library level. All encryption-enabled drives that are assigned to a logical library use the same method of encryption. Enable encryption, or modify the method that is used, on the Logical Libraries page, as described in 4.1, “Integrated management console” on page 186.
To enable encryption or modify the method that is used, complete the following steps:
1. Select a logical library on the Logical Libraries page.
2. Select Actions → Modify Encryption Method.
3. Choose a method from the Encryption menu on the Modify Encryption Method window and click Modify, as shown in Figure 3-3.
Figure 3-3 Modify Encryption Method window
The following methods can be used for encryption:
Application-managed encryption (AME)
Use this method if the application generates and manages encryption policies and keys. Applications, such as IBM Spectrum Protect, can manage encryption.
System-managed encryption (SME)
Select this method of encryption if the library is attached to a TS7700 z/OS.
Library-managed encryption (LME) by bar code
Use this method to use the default key that is specified by the key manager for all VOLSER ranges. The encryption policy is specified based on cartridge volume serial numbers.
Library-managed encryption (LME) by internal label selective encryption
Use this method if you use Symantec NetBackup or the EMC Legato NetWorker. This encryption method encrypts cartridges with pool identifiers 1500 - 9999 (inclusive) by using keys that are specific to each pool.
Labels for these keys are generated by the tape drive based on the pool identifier. For instance, key label INTERNAL_LABEL_NBU_1505_A is generated for a cartridge in pool 1505. Go to Settings → Security → Encryption Internal Label and select the Create mapping tab to map these generated labels to the key-encrypting key labels that you want in the keystore of the Encryption Key Manager (EKM). All other cartridges remain unencrypted.
Library-managed encryption (LME) by internal label all encryption
Encrypt All Mode allows NetBackup to always request encryption and to specify the key labels to use. Certain ranges indicate that the default EKM key labels must be used and other ranges indicate that one or two key labels need to be constructed based on the pool ID.
For NetWorker, Encrypt All Mode allows NetWorker to request encryption for all but two cases. The mode is the same as the Selective Encryption Mode, except where the Encryption Control Field (ECF) is invalid, out of range, or not provided. In this case, the drive generates a special “NOTAG” key label or labels. If the keystore has keys with this label, encryption occurs. However, the intended use of the “NOTAG” key label is to flag jobs that did not update their ECF for encryption.
If the “NOTAG” key is not in the keystore, the write fails and the job fails. This function allows the client to flag all jobs that were not altered for encryption.
Advanced Encryption Settings (For Service Use Only)
Advanced Encryption Settings allows only IBM Support personnel (under direction of the drive development team) to provide a work-around for an unforeseen problem or support a unique configuration. In some cases, this workaround can be done by using a PFE version of drive firmware without also creating a library firmware version.
This option is not intended for the customer to use without the guidance of IBM Support.
The settings are a full menu of potential operating modes for the drive that might override the behavior that is established by the selected method. Because of the way these advanced encryption settings are used, you do not need to match the method to an equivalent advanced setting; it is a library/drive firmware relationship that is not intended to be established.
Enabling Advanced Encryption Settings (Always encrypt) for a logical library on the TS4500
The following minimum code versions are required:
TS4500 Library Code: 1801-B00
TS4500 CLI Tool: 1.8.0.1
If the logical library does not have encryption enabled, follow the steps that are described next. If the logical library already has encryption enabled, go to Step 3 on page 183.
Enable Library Managed Encryption for the Logical Library
Using TS4500 Web User Interface, complete the following steps from the Logical Libraries page:
1. Right-click the logical library and select Modify Encryption. The Modify Encryption Method menu opens (see Figure 3-4).
Figure 3-4 Logical Libraries Encryption Method options
2. In the Modify Encryption Method menu, select Library Managed (Barcode) and at least one key server to use with this logical library. Click Modify to save the settings, as shown in Figure 3-5.
Figure 3-5 Modify Encryption Method for Library window
3. Set the advanced encryption (Always encrypt) for the logical library by using TS4500 CLI Tool v1.8.0.1:
java -jar TS4500CLI.jar --ip address -u user -p pwd --modifyAdvancedEncSettings Library1,TRUE,5,0,1
Use the following advanced encryption settings:
 – Address is the IP address of the TS4500
 – User is a valid login for the TS4500 with Administrator role
 – pwd is the password for user
 – Library1 is the name of the logical library
 – TRUE sets advanced encryption settings
 – 5 is the advanced-policy (always encrypt)
 – 0 is the density code (No advanced setting)
 – 1 is the keypath (No advanced setting)
4. Use the TS4500 CLI Tool and TS4500 Web User Interface to verify that the advanced encryption policy was configured.
5. Run the following CLI Tool command to verify advanced encryption settings for the logical library:
java -jar TS4500CLI.jar --ip address_ip -u user -p pwd --viewAdvancedEncryptionSettings Library1
An example of expected settings is shown in Figure 3-6.
Figure 3-6 Example of expected settings
6. On the Logical Libraries page, verify that the encryption method for the logical library is Library managed (Always encrypt) (see Figure 3-7).
Figure 3-7 Verifying that the Encryption Method is Library managed (Always encrypt)