Encryption key management
Encryption involves the use of several kinds of keys in successive layers.
How these keys are generated, maintained, controlled, and transmitted
depends upon the operating environment where the encrypting tape drive
is installed. Some data management applications, such as Tivoli Storage
Manager, can perform key management. For environments without such
applications, or environments where application-independent encryption is
necessary, IBM provides a key manager to perform all necessary key
management tasks. Provided key managers include:
v The IBM Encryption Key Manager component for the Java
™
platform
v The IBM Security Key Lifecycle Manager (formerly the Tivoli Key
Lifecycle Manager
The “Managing encryption” provides more information.
Encryption policy
This is the method that is used to implement encryption. It includes the
rules that govern which volumes are encrypted and the mechanism for key
selection. How and where these rules are set up depends on the operating
environment. See “Managing encryption” for more information about each
of the available methods.
With the TS4500 tape library, the encryption policy is managed at the
logical library level. The Logical Libraries page of the TS4500 management
GUI is used to enable encryption for a logical library and modify the
encryption method that is being used. The Security page of the TS4500
management GUI is used to manage key servers and key labels.
Note: In the tape storage environment, the encryption function on tape drives
(desktop, stand-alone, and within libraries) is configured and managed by the
customer. It is not configured and managed by the IBM System Services
Representative (SSR). In some instances SSRs are required to enable encryption at a
hardware level when service access or service password controlled access is
required. Customer setup support is by field technical sales specialist (FTSS),
customer documentation, and software support for encryption software problems.
Customer “how to” support is also provided with the support line contract.
Managing encryption
There are two methods for managing encryption in the TS4500 tape library.
A key manager is a software program that assists IBM encryption-enabled tape
drives in generating, protecting, storing, and maintaining encryption keys. The
encryption keys encrypt information that is being written to tape media (tape and
cartridge formats), and decrypt information that is being read from tape media.
IBM currently supports the IBM Security Key Lifecycle Manager (formerly Tivoli
Key Lifecycle Manager) with the TS4500 tape library.
The key manager operates on z/OS
®
, i5/OS, AIX, Linux, HP-UX, Sun Solaris, and
Windows. It is a shared resource that is deployed in several locations within an
Enterprise. It can serve numerous IBM encrypting tape drives, regardless of where
those drives are installed (for example, in tape library subsystems, connected to
mainframe systems through various types of channel connections, or installed in
other computing systems.)
Chapter 2. Planning 111
To Next Page
Loading...
Need help?
General