With AME, policies that specify when encryption is to be used are defined through
the application interface. The policies and keys pass through the data path between
the application layer and the encrypting tape drives. Encryption is the result of
interaction between the application and the encryption-enabled tape drive, and
does not require any changes to the system and library layers. Because the
application manages the encryption keys, data volumes that are written and
encrypted using the application-managed encryption method can be read only by
the same software application that wrote them. A key manager is not required by,
or used with, application-managed tape encryption.
Note: The capability to use AME is not pre-set. The logical library must be set to
use AME.
Application-managed tape encryption can use either of two encryption command
sets:
v The IBM encryption command set developed for the key manager
v The T10 command set defined by the InterNational Committee for Information
Technology Standards (INCITS)
For more information about setting up application-managed encryption for Tivoli
Storage Manager, visit the IBM Tivoli Storage Manager page in the IBM
Knowledge Center.
Planning for library-managed encryption
Library-managed encryption (LME) is useful for encryption-enabled tape drives in
an open-attached TS4500 tape library.
Note: The capability to use LME is not pre-set. The logical library must be set to
use LME.
Bar code encryption policies, which are set up through the TS4500 management
GUI, can be used to specify when to use encryption. In such cases, policies are
based on cartridge volume serial numbers. Library-managed encryption also allows
other options, such as encryption of all volumes in a library, independent of bar
codes. Key generation and management are performed by the key manager. Policy
control and keys pass through the library-to-drive interface, therefore encryption is
not apparent to the applications.
Library-managed encryption, when used with certain applications such as
Symantec Netbackup or the EMC Legato NetWorker, includes support for an
internal label option. When the internal label option is configured, the
encryption-enabled tape drive automatically derives the encryption policy and key
information from the metadata that is written on the tape volume by the
application.
Notes:
v If you use LME and IBM device drivers that run on Open Systems platforms
(AIX, Linux, Solaris, Windows), information for bulk rekey is available in the
IBM Tape Device Drivers Installation and User's Guide.
v When you use LME, an extra Ethernet cable must be attached, preferably to a
different network switch. The extra cable is for redundancy and better backup
job reliability.
v When you use LME with LTO 5 or later LTO tape drives, the IBM Security Key
Lifecycle Manager (formerly the Tivoli Key Lifecycle Manager) is required as the
key manager.
Chapter 2. Planning 113
To Next Page
Loading...
Need help?
General