Chapter 7 Encryption Key Management
Configuring Encryption Key Management on the Library
Scalar i500 User’s Guide 196
Sharing Encrypted Tape Cartridges 7
If you are using SKM, you can share encrypted tapes with other
companies and individuals who also use SKM for managing encryption
keys.
Each SKM server provides a unique encryption key for each tape
cartridge that is encrypted. To read an encrypted tape in a library that is
attached to an SKM server that is different than the server that originally
provided the encryption key, the encryption key from the originating
(i.e., source) SKM server needs to be shared with the receiving (i.e.,
destination) SKM server. The key (or list of keys, if there is more than one
tape), is exported from the source SKM server to a file, which is sent to
the destination recipient. Each key contained in the file is encrypted using
the public key of the destination SKM server. The destination SKM server
provides its public key to the source SKM server as part of a native
encryption certificate, which the source SKM server uses to wrap
(encrypt) the encryption keys for transport. Upon arrival, the file
containing the wrapped encryption keys can only be unwrapped by the
corresponding private key, which resides on the destination SKM server
and is never shared.
The process is as follows:
1 The destination administrator exports the native encryption
certificate that belongs to the destination SKM server. (The two SKM
servers in a server pair share the same native encryption certificate.)
The native encryption certificate is saved as a file to a location
specified by the administrator on a computer (see Exporting the
Native Encryption Certificate on page 197).
2 The destination administrator e-mails the native encryption
certificate file to the source administrator.
3 The source administrator saves the native encryption certificate file to
a location on a computer, and then imports it onto the source SKM
server (see Importing Encryption Certificates
on page 198).
4 The source administrator exports the data encryption keys, assigning
the destination SKM server’s native encryption certificate to wrap
(encrypt) the keys. The file containing the wrapped encryption keys
is saved to a location on a computer specified by the source
administrator. See Exporting Data Encryption Keys
on page 198.
5 The source administrator e-mails the file containing the wrapped
data encryption keys to the destination administrator.
To Next Page
Loading...
Need help?
General