Configuring Partition Encryption

The Setup - Encryption Partition Configuration screen allows you to change the encryption method for each partition in the library. In order to enable library managed encryption the following conditions apply:

Encryption Methods, Details, and Restrictions

The following encryption methods are available on the library:

Library Managed Encryption (Enabled) — Enables library managed encryption support via a connected EKM key server for all tape drives and encryption-capable media assigned to the partition.

Library Managed Encryption (Disabled) — Disables library managed encryption support and enables all encryption-capable tape drives in the partition for application-managed encryption, allowing an external backup application to provide encryption support to all encryption-capable tape drives and media within the partition. The library will NOT communicate with the EKM key server on this partition. This is the default setting if you have encryption-capable tape drives in the partition. This option should remain selected unless you are connecting the library to an external EKM server.

Changing the Encryption Method

NOTE: This operation should not be performed concurrently by multiple administrators logged in from different locations. You can access the appropriate screens, but you cannot apply changes while another administrator is performing the same operation.

You need administrator privileges to configure partition encryption settings.

  1. Unload cartridges from all tape drives in the partition whose encryption method you want to change. If cartridges are loaded in the tape drives, you cannot change the encryption method.
  2. From the Setup menu, select Encryption > Partition Configuration.

    The Setup - Encryption Partition Configuration screen displays. A list of all your partitions displays, along with check boxes that indicate whether Library Managed Encryption is enabled, and if so, whether Key Reuse and FIPS are enabled or disabled. These settings apply to all encryption-capable tape drives and media in that partition.

    NOTE: When data is written to tape cartridges in a partition that is enabled for Library Managed Encryption, those tape cartridges must also be read by a partition enabled for Library Managed Encryption. Ensure Library Managed Encryption is enabled for partitions reading tape cartridges that were written using Library Managed Encryption.

  3. For any library partition, enable or disable the encryption method by clicking (checking or unchecking) the Library Managed Encryption check box.

    NOTE: SKM server configuration requires that encryption keys be pre-generated. To generate encryption keys, you must change a partition's encryption method to Library Managed Encryption enabled. The library checks to see if encryption keys are needed and, if so, triggers the SKM server to create them. If the partition is already set to Library Managed Encryption enabled, you need to change it to disabled using the process described below, and then change it back to Library Managed Encryption enabled.

    CAUTION: Avoid generating keys on more than five libraries simultaneously as the key generation process is resource-intensive on the server. Generating keys manually on more than five libraries at once could result in a failure to complete the key generation operation, or interfere with key retrieval operations. If a failure does occur during key generation, wait 10 minutes, then try to start it again. The key generation process will resume from where the error was encountered.

  4. To enable Key Reuse: Select the Key Reuse check box to enable encryption keys to be re-used each time the same tape cartridges are re-written. To use a unique encryption key each time a tape cartridge is re-written, clear the Key Reuse check box. See About Key Reuse for more information.
  5. To enable FIPS: Select the FIPS check box to enable FIPS mode for an SKM or KMIP partition. To disable FIPS, clear the FIPS check box. See About FIPS for additional information.
  6. Click Apply. The Progress Window displays. The Progress Window contains information on the action, elapsed time, and status of the requested operation.

    Do one of the following:

    NOTE: When you change the encryption method on a partition, the partition is taken offline. When the change completes, the partition comes back online automatically. (If the operation does not complete successfully, the partition remains offline until you turn it back online manually or restart the library. See Changing the Partition Mode.)

  7. Save the library configuration.

    For instructions on how and why to save the library configuration, see Saving the Configuration.

You may also access the EKM Path Diagnostics from this screen to test EKM server connectivity and operation. For more information, see Encryption Key Manager Path Diagnostics.
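
When the change is rolled out across several libraries, the preconditions in the procedure above (drives unloaded, partitions that read Library Managed Encryption media also enabled, no more than five libraries generating keys at once) can be checked before anyone clicks Apply. The following planning script is an added example, not vendor code; the library exposes no scripting interface on this page, so the `Partition` record, its field names, and the sample inventory are hypothetical and constructed.

```python
from dataclasses import dataclass

MAX_CONCURRENT_KEYGEN = 5  # from the CAUTION: no more than five libraries at once

@dataclass
class Partition:            # hypothetical inventory record, not a library API
    library: str
    name: str
    lme_enabled: bool
    loaded_drives: int      # drives that currently hold a cartridge
    reads_lme_media: bool   # expected to read tapes written under LME

def plan_key_generation(partitions, targets):
    """Check preconditions for (library, partition) targets and batch the libraries."""
    blockers, toggles, ready = [], [], []
    for p in partitions:
        label = f"{p.library}/{p.name}"
        if (p.library, p.name) not in targets:
            # Read-side rule: LME-written tapes need an LME-enabled partition.
            if p.reads_lme_media and not p.lme_enabled:
                blockers.append(f"{label}: reads LME media but LME is disabled")
            continue
        if p.loaded_drives:
            blockers.append(f"{label}: unload {p.loaded_drives} drive(s) first")
            continue
        if p.lme_enabled:
            # Already enabled: disable, then re-enable to trigger key generation.
            toggles.append(label)
        if p.library not in ready:
            ready.append(p.library)
    batches = [ready[i:i + MAX_CONCURRENT_KEYGEN]
               for i in range(0, len(ready), MAX_CONCURRENT_KEYGEN)]
    return {"blockers": blockers, "toggle_off_then_on": toggles, "batches": batches}

# Constructed sample inventory: seven libraries, one partition each, plus a restore partition.
SAMPLE = [Partition(f"lib{i}", "p1", False, 0, False) for i in range(1, 8)]
SAMPLE[2].loaded_drives = 2      # lib3/p1 still has cartridges loaded
SAMPLE[5].lme_enabled = True     # lib6/p1 is already LME-enabled
SAMPLE.append(Partition("lib1", "restore", False, 0, True))
TARGETS = {(f"lib{i}", "p1") for i in range(1, 8)}

if __name__ == "__main__":
    plan = plan_key_generation(SAMPLE, TARGETS)
    for kind, items in plan.items():
        print(kind, items)
```

Run each batch to completion before starting the next, and clear every blocker before a partition is added to a batch.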
