Exporting Encryption Keys

Each SKM server provides a unique encryption key for each tape cartridge that is encrypted. In order for another (i.e., destination) SKM server to read tapes encrypted by your SKM server, you need to export the encryption keys used to encrypt those tapes and send them to the destination server.

NOTE: This function is available to Administrators and only applies to SKM servers. Both SKM servers must be connected and operational in order to export encryption keys.

To export encryption keys:

1. Before starting this process, read and follow the sequence of steps outlined in Sharing Encrypted Tape Cartridges.
2. From the Tools menu, select EKM Management > Encryption Key > Export.
   
   The Tools - SKM Encryption Key Export screen displays.
   
3. Assign the encryption certificate with which you will "wrap" (encrypt) the keys by selecting it from the Certificate Name Used For Export drop-down list. Choose the certificate that belongs to the server to which the keys will be imported.
   
   

   NOTE: The owner of that server should have sent you the certificate and you should have imported it (see Sharing Encrypted Tape Cartridges and Importing Encryption Certificates). The drop-down list contains all of the encryption certificates that you have ever imported onto your SKM server (indicated by the word “imported” in the list), as well as the certificate belonging to your SKM server pair (indicated by the word “native” in the list).

4. Select which SKM encryption keys to export from the following options:
   • Export Used — Exports all the keys that have ever been used to encrypt tape cartridges in the library performing this export. Also exports all keys that were imported onto the key server, via a "key import" operation, from any library.
   • Export Current — Exports all the keys that were used to encrypt the tape cartridges that are currently in the library performing this export. This includes storage slots, I/E stations, and tape drives. If a tape cartridge is no longer in the library, the key used to encrypt it will not be exported. If a tape cartridge is missing its label, the key used to encrypt it will not be exported.
   • Export Selective — Exports only the key(s) associated with a string of characters that you type into the text box. Each key is associated with its encrypted tape cartridge, identified by the tape cartridge barcode. You can type in all or part of a tape cartridge barcode, and any keys that are associated with that string will be exported. This is helpful if you only want to export a single key associated with a particular tape cartridge.
5. Click Apply.
   
   All the exported keys are saved to a single encryption key file.

   The Progress Window displays. The Progress Window contains information on the action, elapsed time, and status of the requested operation. Do one of the following:

   • If Success displays in the Progress Window, the encryption keys were exported successfully. Close the Progress Window and go to next step.
   • If Failure displays in the Progress Window, the encryption keys were not exported successfully. Follow the instructions listed in the Progress Window to resolve any issues that occurred during the operation.
6. A Save As dialog box opens allowing you to save the encryption key file to a location on your computer. Choose a location and click Save.

See also:

• About Library Managed Encryption
• Sharing Encrypted Tape Cartridges
• Importing Encryption Certificates
• Importing Encryption Keys
• Exporting Encryption Certificates