About Key Reuse

When using Library Managed Encryption (LME) to encrypt data in library partitions, you can choose to reuse encryption keys. Each time data is written to the beginning of a tape cartridge, a key is retrieved from the Encryption Key Management (EKM) server and used to encrypt the data. By default, keys are not reused: a brand new encryption key is retrieved each time data is written to the beginning of tape. In large tape libraries where tapes are overwritten repeatedly, this can mean managing tens of thousands of encryption keys for only a small fraction of that number of data tape cartridges. For example, if 10 tape cartridges are written from the beginning of tape each day, then 3650 keys will have been used to encrypt those 10 tapes after one year, 7300 after two years, and so on.

Key reuse allows the same encryption key to be used each time the same tape is rewritten, once that key has been verified with the key server. If the tape is lost or security is compromised, only a single key is associated with each tape cartridge. In addition, the metadata written about the tape and associated with its barcode label can be used to retrieve the key easily. In the example above, the same 10 encryption keys can be used to encrypt the same 10 tapes for the lifetime of each tape.
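The following Python model is an added illustration of the two policies described above; it is not from the original documentation and does not use the library's or any real EKM server's interface. The MockEKMServer class, the LibraryPartition class, the per-cartridge metadata, the barcode labels and the key identifiers are all constructed stand-ins chosen for this example. It reproduces the key counts in the text (3650 keys after one year and 7300 after two years for 10 tapes without reuse, versus 10 keys with reuse) and shows the verification step: a reused key is only accepted while the key server still holds it, otherwise a fresh key is issued.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class MockEKMServer:
    """Constructed in-memory stand-in for an Encryption Key Management server.

    A real EKM is a network service; this class only models the two operations
    the key-reuse policy depends on: issuing a fresh key and verifying that a
    previously issued key is still valid (i.e. still held by the server).
    """
    keys: dict = field(default_factory=dict)  # key_id -> 256-bit key material
    issued: int = 0                            # monotonic counter for key ids

    def new_key(self) -> str:
        self.issued += 1
        key_id = f"key-{self.issued:06d}"      # constructed identifier scheme
        self.keys[key_id] = secrets.token_bytes(32)
        return key_id

    def verify(self, key_id: str) -> bool:
        # Reuse is permitted only if the server can still serve this key.
        return key_id in self.keys

    def managed_key_count(self) -> int:
        return len(self.keys)


@dataclass
class LibraryPartition:
    """Constructed model of one library partition writing to cartridges."""
    ekm: MockEKMServer
    key_reuse: bool
    # Metadata the library keeps per cartridge: barcode -> key_id used the
    # last time data was written from the beginning of tape (BOT).
    cartridge_metadata: dict = field(default_factory=dict)

    def write_from_bot(self, barcode: str) -> str:
        """Return the key_id used to encrypt a write from beginning of tape."""
        if self.key_reuse:
            prior = self.cartridge_metadata.get(barcode)
            # Reuse the cartridge's existing key only after the EKM confirms it.
            if prior is not None and self.ekm.verify(prior):
                return prior
        # Default policy (or a key the EKM no longer holds): fetch a new key.
        key_id = self.ekm.new_key()
        self.cartridge_metadata[barcode] = key_id
        return key_id


def simulate(days: int, cartridges: int, key_reuse: bool) -> int:
    """Write every cartridge from BOT once per day; return keys under management."""
    ekm = MockEKMServer()
    partition = LibraryPartition(ekm=ekm, key_reuse=key_reuse)
    barcodes = [f"TAPE{n:03d}L8" for n in range(cartridges)]  # constructed labels
    for _ in range(days):
        for barcode in barcodes:
            partition.write_from_bot(barcode)
    return ekm.managed_key_count()


if __name__ == "__main__":
    for years in (1, 2):
        print(f"{years} year(s), no reuse: {simulate(365 * years, 10, False)} keys")
    print(f"1 year, key reuse: {simulate(365, 10, True)} keys")
```

Running the module prints the growth without reuse (3650, then 7300 keys for 10 cartridges) against a flat 10 keys with reuse. The verify() call is the important design point: the library never trusts its own metadata alone, so a key that has been revoked or destroyed on the EKM is replaced by a fresh one on the next write rather than silently reused.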
