Encryption is the process of changing data into a form that cannot be read until it is deciphered
with the key used to encrypt the data, protecting the data from unauthorized access and use.
LTO tape drives use the 256-bit version of the industry-standard AES encrypting algorithm to
protect your data.
To use this feature you need:
•
The 1/8 G2 & MSL Encryption Kit or a KMIP-based key server or a backup application that
supports hardware encryption.
•
LTO-4 or later generation media; no encryption will be performed when writing LTO-3 and
earlier generations of tape.
Your company policy will determine when you need to use encryption. For example, your company
could require encryption of company confidential and financial data, but not for personal data.
Company policy will also define how encryption keys should be generated and managed. Backup
applications that support encryption will generate a key for you or allow you to enter a key
manually.
For information about using the encryption kit, see
“HPE StoreEver 1/8 G2 Tape Autoloader and
MSL Tape Libraries Encryption Kit” (page 14)
.
Using a KMIP-based key server
The tape library supports integration with encryption key management servers using the Key
Management Interoperability Protocol (KMIP) standard. KMIP is an industry standard protocol
for communications between a key management server and an encryption system. The KMIP
specification is developed by the KMIP technical committee of the OASIS standards body
(Organization for the Advancement of Structured Information Standards).
The KMIP feature allows the tape device to obtain encryption keys from selected KMIP-compliant
key managers. These keys can be used to encrypt data as it is written to tape. Up to six key
servers can be configured for failover purposes.
For instructions on configuring the KMIP feature, see the
HPE StoreEver MSL Tape Libraries
Encryption Key Server Configuration Guide
, available from the Enterprise Information Library at
http://www.hpe.com/info/storage/docs
.
Key managers
To use the KMIP feature, the tape library must have access to a KMIP key manager. Hewlett
Packard Enterprise only supports KMIP when used with a supported key manager, listed in the
BURA Data Agile Compatibility Matrix, located at
http://www.hpe.com/info/ebs
.
Operation
When the KMIP feature is enabled and properly configured, tape data will automatically be
encrypted with keys delivered from the KMIP key manager. Tapes are encrypted on a key-per-tape
basis.
Write, and append operations
: The tape drive will request a key when data is written. The tape
library, acting as an intermediary, can request the key manager to create a key. The library then
obtains that key and delivers it to the tape drive. The key is identified by a name, which is
associated with the media identifier. The key is not retained in the tape drive any longer than
necessary to perform encryption operations.
Read operations
: The tape drive will request a key. The tape library, acting as an intermediary,
obtains the key identifier, requests that key from the key manager, and delivers it to the tape
drive. The key is not retained in the tape drive any longer than necessary to perform decryption
operations.
LTO-4 and later generation tape drives and encryption
17