Work-embedded e-Learning

Encryption Key Management (Text version)

This e-Learning module gives an overview of using encryption key management for the IBM® TS7700 that is connected to a physical tape library.

Encryption is a security feature that ensures data can be encoded and decoded only by systems that hold the correct encryption key. An encryption key is kept in a keystore and provides the information required to encrypt and decrypt data on the tape.

The TS7700 is designed for remote use and is often connected to a private network. Encryption prevents unauthorized access to electronic data that is stored on tape. Because a tape is a removable medium and can be taken outside of a secured area, tape encryption provides an extra layer of protection for the data. Note that this e-Learning module discusses tape encryption only. For information about disk encryption, see the topics in IBM Knowledge Center.

To use encryption, you need one or more encryption-enabled tape drives and a valid encryption-policy configuration. The TS7700 requires you to set encryption at the pool level. You can modify the encryption settings for a pool by accessing the Pool Encryption Settings panel.

A key label identifies the keys used to encrypt the data in a specified pool. The encryption settings for a pool define one or two key labels, each containing up to 64 characters. Labels help with identifying and reusing keys, because they are the values you specify when configuring a pool through the management interface. You can use identical values in both key labels, but you must define each label for each key. When using default key management, you can select a default key for one or both keys, or you can enter the key manually.

The key mode setting determines which key method is used for encryption on a specified pool. If you will be using the same keys in different locations under different names, select hash label mode. For example, your local keystore might hold a key that you call Corporate headquarters, while another location's keystore calls the same key Austin. Because clear label mode references the key by its label, a keystore at the other location cannot tell which key to use. Hash label mode does not reference the externally encoded data key directly; it includes the keystore within the package. That eliminates the problem of inconsistent labels, but makes it more difficult to determine which key should be used if the data is separated from its keystore.

The Encryption Key Server, which is required to enable encryption, is a Java-based component. It is provided with the product and performs all necessary key management tasks: it generates data-encryption keys, encrypts them, and manages their transfer to and from tape devices.

The TS7700 Management Interface uses Encryption Key Server settings to identify the location of encryption and decryption keys. To enter these settings, select the Settings icon, and then select Cluster Settings. The Encryption Key Server Addresses panel appears. The location of the primary and secondary key server addresses can be changed, which might be necessary if the location of the key server changes. The address format is determined by the Internet Protocol version that is specified in the Cluster Network Settings panel.

You can test the Encryption Key Server connection using the Ping Test button. Selecting the button starts a verification process that connects to both the primary and secondary addresses to make sure that the Encryption Key Server at those locations can communicate correctly with the product.
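The difference between clear label mode and hash label mode, and the address and connectivity checks described above, can be illustrated with a small model. The following Python is an added example written for this page, not IBM code and not how the TS7700 or the Encryption Key Server implement these features. It assumes, as a simplification, that a hash-mode reference is a SHA-256 digest of the key material (the real product's hashing scheme is not described in this module), and the keystore names, labels, key bytes and addresses are constructed sample values.

```python
"""Constructed model of TS7700-style key labels, key modes and key server checks.

Added example, not IBM code. The hash scheme and all sample values are assumptions.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_LABEL_LEN = 64           # the module states each key label holds up to 64 characters
KEY_MODES = ("clear", "hash")


def key_hash(key: bytes) -> str:
    """Assumption: hash label mode is modelled as SHA-256 over the key material."""
    return hashlib.sha256(key).hexdigest()


@dataclass
class Keystore:
    """One site's keystore: label -> key material (constructed sample data)."""
    name: str
    keys: Dict[str, bytes] = field(default_factory=dict)

    def resolve(self, mode: str, reference: str) -> Optional[bytes]:
        """Find the key a tape refers to. Clear mode needs the exact label;
        hash mode matches on key material, so the local label does not matter."""
        if mode == "clear":
            return self.keys.get(reference)
        if mode == "hash":
            return next((k for k in self.keys.values() if key_hash(k) == reference), None)
        raise ValueError(f"unknown key mode: {mode!r}")


def tape_key_reference(mode: str, label: str, key: bytes) -> str:
    """The reference recorded with the encrypted data: the label itself in clear
    mode, a digest of the key in hash mode."""
    if mode == "clear":
        return label
    if mode == "hash":
        return key_hash(key)
    raise ValueError(f"unknown key mode: {mode!r}")


def validate_pool_settings(key_labels: List[str], key_mode: str) -> List[str]:
    """Check a pool's encryption settings against the rules stated in the module."""
    errors = []
    if not 1 <= len(key_labels) <= 2:
        errors.append("a pool defines one or two key labels")
    for label in key_labels:
        if not label or len(label) > MAX_LABEL_LEN:
            errors.append(f"key label must be 1..{MAX_LABEL_LEN} characters: {label[:16]!r}...")
    if key_mode not in KEY_MODES:
        errors.append(f"key mode must be one of {KEY_MODES}, got {key_mode!r}")
    return errors


def validate_key_server_addresses(primary: str, secondary: str, ip_version: int) -> List[str]:
    """Both key server addresses must parse and match the cluster's IP version."""
    errors = []
    for role, addr in (("primary", primary), ("secondary", secondary)):
        try:
            parsed = ipaddress.ip_address(addr)
        except ValueError:
            errors.append(f"{role} address {addr!r} is not a valid IP address")
            continue
        if parsed.version != ip_version:
            errors.append(f"{role} address {addr!r} is IPv{parsed.version}, cluster is IPv{ip_version}")
    return errors


def ping_test(primary: str, secondary: str, probe: Callable[[str], bool]) -> Dict[str, bool]:
    """Mirror the Ping Test: every configured key server address is probed, so a
    dead secondary is reported rather than hidden behind a healthy primary."""
    return {addr: probe(addr) for addr in (primary, secondary)}


if __name__ == "__main__":
    shared_key = bytes(range(32))                       # constructed key material
    hq = Keystore("headquarters", {"Corporate headquarters": shared_key})
    austin = Keystore("Austin", {"Austin": shared_key})
    for mode in KEY_MODES:
        ref = tape_key_reference(mode, "Corporate headquarters", shared_key)
        print(mode, "-> Austin resolves:", austin.resolve(mode, ref) is not None)
    print(validate_key_server_addresses("192.0.2.10", "2001:db8::10", 4))
    reachable = {"192.0.2.10": True, "192.0.2.11": False}  # constructed probe results
    print(ping_test("192.0.2.10", "192.0.2.11", lambda a: reachable.get(a, False)))
```

Running the script shows the point of hash label mode: a tape written at headquarters under the label Corporate headquarters cannot be resolved by the Austin keystore in clear mode, but resolves in hash mode because the lookup is by key material rather than by name. The address and ping checks report every failing address, which is the behaviour you want before a pool is put into production.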

This has been a brief overview of using encryption key management for the TS7700. For additional information, see the other topics in IBM Knowledge Center.

Copyright IBM Corporation 2014. All Rights Reserved.