manualshive.com logo in svg

Spectra Logic BlueScale Encryption, User Manual, Page: 18 / 133

Share
Download
Spectra Logic BlueScale Encryption User Manual Download Page 18

2.  Encryption Architecture & Strategies

18

• Identify methods of tracking user passwords, key passwords and monikers. If the data is 

stored on a computer, make sure it is stored on a computer that enforces encryption and is 
not available on a network.

• Optionally, identify a primary and secondary team, so that you have redundancy in your 

encryption strategy. Although that means the information required to decrypt data is 
spread across more people, it also means that restoration of encrypted data may be much 
easier, and you may ultimately have more data protection given the extra layer of 
coverage; for example, if a user leaves, you aren’t in a position to lose data. This returns to 
your initial decisions on how tightly and in what manner to enforce security for your site.

• Run drills confirming that your data is being encrypted properly, that keys are stored 

properly, and that you can recover your data efficiently. Make sure that these drills are 
included with your overall organizational security strategy.

• Create procedures to handle encrypted data that has been, or may have been, 

compromised. For example, you may want to take all data and decrypt it, then re-encrypt it 
and store it in an alternate location. You will also need to investigate the incident 
involving compromised data, and take appropriate actions if identity-related data may 
have been exposed.

• Archive the Endura Decryption Utility (EDU) for emergency use, such as to recover from a 

disaster. Use this utility if you have no Spectra Logic libraries on hand but need to decrypt 
and write data, which you can then restore using backup software.

• If you are using Professional Edition and multiple keys, make sure that data stored to one 

tape shares a common expiration date or period (e.g., fourth quarter), regardless of the 
number of keys used to encrypt data written to the tape. This simplifies tape management 
and re-use.

• If you are using Professional Edition, make sure that critically important data is stored 

using a single key on its own tape, to simplify restoration in case of disaster recovery and 
to achieve business continuity goals.

• If you are using Professional Edition, you may want to take advantage of the M-of-N 

shares option. This lets you select the M-of-N (such as 2 of 3) option to split a single file of 
encrypted key data into multiple parts, or shares (N, which in this example is 3), and then 
requires some specified subset (M, which in this example is 2) to import the file containing 
key data. This further protects data from unauthorized use.

Summary of Contents for BlueScale Encryption

Page 1: ...BlueScale Encryption User Guide PN 90940012 Revision E...

Page 2: ...fort including lack of negligence is with you Also there is no warranty against interference with your enjoyment of the Software or against infringement If you have received any warranties regarding t...

Page 3: ...6 Site Security Example Low Security Site 20 Site Security Example Medium Security Site 21 Site Security Example High Security Site 22 Before You Begin Installation 23 Summary Mandatory Security Proce...

Page 4: ...eleting a Key 40 Restoring Data 40 Chapter 5 Using Professional Edition in Spectra T950 and T120 Libraries Using Encryption 45 Professional Edition Overview 46 Configuring Encryption 47 Creating an En...

Page 5: ...Media Recycling 80 Best Practices 81 Chapter 8 Using Standard Edition in Spectra T50 Libraries Using Encryption 85 Restoring Data 94 Recycling Encrypted Media 98 Chapter 9 Using Professional Edition...

Page 6: ...Overview 124 Requirements 124 Decrypting Data EDU Command Line 125 Using EDU to Decrypt Data One Drive 126 Using EDU to Decrypt Data Two Drives 128 Restoring Data 129 Chapter 12 Technical Support Spe...

Page 7: ...ew on page 10 reviews both encryption best practices and information on using BlueScale Encryption and key management on your site and includes a short glossary Spectra T950 and T120 BlueScale Encrypt...

Page 8: ...ion The library s release notes provide the most up to date information about the library drives and media The most up to date versions of all library documentation are available on Spectra Logic s We...

Page 9: ...ollowing items are included with the purchase of BlueScale Encryption One encryption activation key One software support agreement This user guide One t shirt If you ordered the Endura Decryption Util...

Page 10: ...BlueScale Encryption Overview...

Page 11: ...oftware through the library s graphical interface The interface displays using the library s touch screen front panel Library Controller LC It also displays from anywhere through the Web using a Web b...

Page 12: ...sword Easier to manage and track Choice of either one encryption password or three More secure with the option of requiring multiple users to export and import keys etc Key Export and Import Import an...

Page 13: ...security to protect data wherever it s stored and regardless of the retention period BlueScale Encryption Professional Edition works well For information about configuring and using BlueScale Profess...

Page 14: ...ed together or if it must be isolated into sets For example your site may store financial data as one set separate from consumer identity information If all data can be encrypted together the library...

Page 15: ...pt data encrypted using an LTO 4 drive use a partition with drive based encryption Only one encryption key is allowed per LTO 4 tape Once you stop using that key you can no longer directly encrypt dat...

Page 16: ...site who are responsible for backing up data They will be responsible for encrypting data written to tape and to other portable media such as mobile RXT Media packs Identify The person to have superu...

Page 17: ...is encrypted prior to export Best practices dictate that you make copies of the key immediately following the key s creation Identify the number of copies to make of each key and note the location of...

Page 18: ...e encrypt it and store it in an alternate location You will also need to investigate the incident involving compromised data and take appropriate actions if identity related data may have been exposed...

Page 19: ...y Password Lets you import and export encryption keys This feature is only available after the superuser has logged in and the encryption password has been entered Optionally in Professional Edition y...

Page 20: ...r one with the company president one in a corporate safety deposit box Key rotation plan Create a new key every six months Tracking key monikers and passwords On a non networked computer that supports...

Page 21: ...crow method Store key copies with corporate legal counsel and a paid trusted third party escrow service Number of copies of each key to store and locations Keep three copies of each key store one with...

Page 22: ...key to store and the stored key locations Keep three copies of each key one to the main office of corporate legal counsel two to the key escrow service Key rotation plan Create a new key every month f...

Page 23: ...running the utility then use EDU to decrypt data from the encrypted tape and write the decrypted data back to tape If you have only one tape drive make sure that the Linux host has enough available di...

Page 24: ...n successfully stored prior to removing a key from the library Store keys in a location apart from the location used to store the data encrypted using one of the keys Create a list of every password a...

Page 25: ...t you create Key Moniker _______________________ Detailed Information Number of key copies ______ and location of each copy 1 2 3 Password s associated with exported copy of the moniker Location of da...

Page 26: ...Spectra T950 and T120 BlueScale Encryption...

Page 27: ...r RLC 1 Make sure that you have the appropriate library hardware installed A QIP that supports encryption such as the G3 or G5 F QIP or An LTO 4 tape drive is installed and LTO 4 media loaded or Both...

Page 28: ...yption with a BlueScale Encryption key To activate encryption for the Spectra T950 and T120 libraries 1 Log in as superuser and then select Configuration System The System Setup screen displays 2 To e...

Page 29: ...ion features the following steps are required for every session that is every time a user logs in using the library front panel or every instance of running the RLC through a Web browser A user with s...

Page 30: ...oring data is also transparent If the encryption key required to decrypt the data is not on the library the library displays the moniker of the key to import Restoring Data on page 40 contains informa...

Page 31: ...cked up to partitions that support encryption without entering an encryption password Secure Initialization Mode When the library is powered on during startup partitions dedicated to encryption are no...

Page 32: ...e numbers 0 9 lower and upper case alphabetic characters a z and A Z and the at sign dash underscore _ and colon characters 4 Re enter the password in the Retype Password field then select OK The Encr...

Page 33: ...reference the key Note that the real key value never displays and that administrators don t ever need to specify the real key value in order to encrypt data or manage keys The moniker helps to protec...

Page 34: ...ng the key and storing it safely that is away from the data encrypted using the key is extremely important to data decryption and recovery This is covered in Protecting Keys on page 37 Because the key...

Page 35: ...ional option Enable Clear File at BOT Choose this option if you want to enable all drives to be able to read the headers of encrypted tapes which is a useful option for sites with a large number of ta...

Page 36: ...t QIP based Encryption Also if you want readable that is non encrypted data at the beginning of the tape also select Enable Clear File at BOT or Select Drive based Encryption or If the data written th...

Page 37: ...ort them Protect your keys by making sure that copies of the keys reside elsewhere Two methods are available for key export copying the encrypted key to a USB device and emailing an encrypted version...

Page 38: ...USB or Email Exported Key If you select Export Single File to USB plug a USB device into the USB library port see the library documentation for information about the location of this port Then select...

Page 39: ...lete all data from the USB device so that no trace of the failed key attachment remains then use another USB device and start again with Step 2 above If you exported the key using email Confirm the re...

Page 40: ...plays 3 Confirm that at least one copy of the key has been exported and stored safely 4 Select Delete Key and respond to the confirmation screens to delete the key Restoring Data Restoring encrypted d...

Page 41: ...he key the key and the command line encryption utility described in Chapter 11 Endura Decryption Utility along with a Linux computer to run the utility To restore data 1 Load the tape to be decrypted...

Page 42: ...ays 3 Insert the USB device into the library s USB port 4 Select Import Key The Import Key Selection screen displays 5 Choose the key to import from the Key List field then select Next The Import Pass...

Page 43: ...uter To import a key using the RLC 1 Log in as a superuser then select Security Encryption The Encryption User Login screen displays 2 Enter the encryption password then select OK The Encryption Confi...

Page 44: ...cate and select the key then select Open The path for the key displays in the Encryption Key File field 6 Select Next The Import Password screen displays 7 Enter the password that was used to encrypt...

Page 45: ...and that has been assigned an encryption key Encryption during backup is transparent it happens automatically Restoring data is also transparent If the encryption key required to decrypt the data is n...

Page 46: ...the moniker of the key it needs to decrypt and restore the data For example a single tape or RXT pack may contain data encrypted using multiple keys that is during Week 1 the data is encrypted with Ke...

Page 47: ...ryption Accessing Encryption Features To access encryption features 1 Log in as a superuser then select Security Encryption The Encryption User Login screen displays 2 Select OK No login or password i...

Page 48: ...on password to access all encryption features Multi User Mode Requires three unique encryption passwords Once you have set up the three passwords use them as follows Enter any one of the three to perm...

Page 49: ...brary is powered on data can be backed up to partitions that support encryption without entering an encryption password Secure Initialization Mode When the library is powered on partitions dedicated t...

Page 50: ...using any combination of the numbers 0 9 lower and upper case alphabetic characters a z and A Z and the at sign dash underscore and colon characters _ 6 Enter each password again in the Retype Passwo...

Page 51: ...racters This name references the key The real key value never displays and administrators don t need to specify the real key value to encrypt data or manage keys The moniker protects encrypted data by...

Page 52: ...afekeeping If the key is lost data cannot be recovered so copying the key and storing it safely is extremely important to data decryption and recovery Because the key identified by its moniker isn t y...

Page 53: ...reen No encryption QIP based encryption LTO 4 drive based encryption Partitions with encryption enabled QIPs offer additional options Enable Compression and Enable Clear File at BOT Choose compression...

Page 54: ...ociate a different encryption key with a partition you must first scratch tapes encrypted with the previous key to re use them Refer to Chapter 6 Recycling Encrypted LTO 4 Media in Spectra T950 and T1...

Page 55: ...key to use to encrypt data Only one key can be assigned as the active encryption key 3 From the list of keys at the bottom of the screen select none one or more keys to be associated with this partiti...

Page 56: ...n this example the key Bob is used as the active primary encryption key for both Partition 1 and Partition 2 The key Jeff is kept available for rapid data decryption for data restored using library pa...

Page 57: ...the three encryption passwords option so that two of three different passwords must be entered to access export and import key functions Review Configuring Encryption Features on page 48 for informat...

Page 58: ...n split into shares can only be imported using USB devices they cannot be uploaded through the RLC To restore data that has been sent through email copy the attachment to a USB device Building on this...

Page 59: ...The Encryption User Login screen displays 2 Enter the encryption password then select OK The Encryption Configuration screen displays 3 Select Export Key If you selected multi user mode and supplied o...

Page 60: ...ser first create the email recipient see the library s user guide Select Next Export M of N Shares to USB A screen displays that asks you to select the minimum shares required to restore the encrypted...

Page 61: ...of the failed key attachment remains then start again with Step 2 of this procedure If you selected the option to split the key across M of N shares on multiple USB devices eject the USB device after...

Page 62: ...the key Without it you cannot import the key and the data encrypted using the key is lost Caution Track where you have stored the key or who received an email message with the key in conformance with...

Page 63: ...it Endura Decryption Utility EDU is an optional safeguard providing a method that lets you restore data without a library Review information about the command line encryption utility in Chapter 11 En...

Page 64: ...key into the library s USB port The Import Key Selection screen displays Note You must use a USB device to import a key if it has been split into M of N shares If attachments with the shares of the e...

Page 65: ...do so you must be able to access the key from your computer To import a key using the RLC 1 Log in as a superuser then select Security Encryption The Encryption User Login screen displays 2 Enter the...

Page 66: ...and select the key and select Open The path for the key displays in the Encryption Key File field 6 Select Next The Import Password screen displays 7 Enter the password that was used to encrypt the ke...

Page 67: ...ity Encryption The Encryption User Login screen displays 3 Enter the password then select OK The Encryption Configuration screen displays 4 Export at least one copy of the key you will be deleting or...

Page 68: ...rite the encrypted data to re use the tape until you recycle the tape through BlueScale Encryption This option is available on the Import Export screen that displays only in partitions using drive bas...

Page 69: ...Recycling Encrypted LTO 4 Media in Spectra T950 and T120 Libraries 69 3 Select the partition with the media from the Partition drop down list then select Next The Select Media to Recycle screen displa...

Page 70: ...Available Media list enter a partial or entire bar code in the Find by Barcode field and select Find The list displays media with bar codes that match the values that you entered 5 Select Next The Se...

Page 71: ...Spectra T50 BlueScale Encryption...

Page 72: ...BlueScale 10 0 if it is not already installed Check with SpectraGuard Support to see if further upgrades to this firmware should be installed for your library Encryption is handled through the LTO 4...

Page 73: ...ast one LTO 4 tape drive installed and LTO 4 media loaded you can activate the encryption option with a BlueScale Encryption key To activate BlueScale encryption 1 Have the option key s on hand 2 Log...

Page 74: ...screen displays 5 Enter the activation key then select Save 6 Enter your activation key in the Enter Key field 7 Select Save The LC goes through a short series of progress screens then refreshes to a...

Page 75: ...eatures the following steps are required for every session that is every time a user logs in using the library front panel or every instance of running the RLC through a Web browser A user with superu...

Page 76: ...Encryption in Spectra T50 Libraries 76 Encryption Icon Use the encryption icon displayed by selecting the Security menu to access library encryption features such as encryption configuration and key...

Page 77: ...The table below provides a brief comparison between the two versions of BlueScale Encryption Feature Standard Edition Professional Edition Keys Single encryption key on a library at a time Easier to m...

Page 78: ...rd is entered Multiple Encryption Password Support To access the Standard Edition of BlueScale Encryption create and use a single encryption password To access the Professional Edition of BlueScale En...

Page 79: ...a key for each additional partition and enter the key to activate the partition Further note that the T50 permits only one partition per drive Users with Professional Edition typically set up multipl...

Page 80: ...features after configuration complete the following steps Make sure a user with superuser privileges logs in and selects Security Encryption The Encryption User Login screen displays Have a user who...

Page 81: ...y will be responsible for encrypting data written to tape and to other portable media Identify The person to have superuser privileges on the Spectra Logic library with BlueScale Encryption The person...

Page 82: ...fy the number of copies to make of each key and note the location of each key copy Consider storing multiple copies of keys that you then track carefully storing the copies away from the data encrypte...

Page 83: ...a Decryption Utility for information on EDU If you are using Professional Edition you may want to take advantage of the M of N shares option This lets you select the M of N such as 2 of 3 option to sp...

Page 84: ...key you ve lost both your key and all data encrypted using the key To emphasize if you lose the key your data is unrecoverable You need to balance the number of copies of the key to store to guarantee...

Page 85: ...oring data is also transparent If the encryption key required to decrypt the data is not on the library the library displays the moniker of the key to import Restoring Data on page 94 contains informa...

Page 86: ...make sure that Enable Secure Initialization is not selected Secure Initialization Mode When the library is powered on during startup partitions dedicated to encryption are not available so backups sen...

Page 87: ...displays 2 Enter a name in the Moniker field that has not been used for any other encryption key and that uses any combination of alphanumeric characters and the at sign dash and underscore _ characte...

Page 88: ...lso because BlueScale Standard Edition only supports using one key the Import Key and Add Key selections no longer display If you delete the key they display again Important Notes on Creating Password...

Page 89: ...he tapes that are loaded Only one encryption key is allowed per tape If you replace the encryption key for a partition you must first scratch tapes encrypted with the previous key to re use them Refer...

Page 90: ...t copying the encrypted key to a USB device and emailing an encrypted version of the key as an attachment to a user who has been configured as a mail user through the library Best practices recommend...

Page 91: ...to USB or Email Exported Key If you select Export Single File to USB plug a USB device into the USB library port see the library s user guide for information about the location of this port If you sel...

Page 92: ...g Check Key Files If you are not sure delete all data from the USB device so that no trace of the failed key attachment remains then use another USB device and start again with Step 2 above If you exp...

Page 93: ...TO 4 tape To use a tape encrypted with a deleted encryption key you must first scratch the tape through BlueScale Encryption This procedure is described in Recycling Encrypted Media on page 98 To dele...

Page 94: ...ary If you choose to purchase the command line encryption utility review information in Chapter 11 Endura Decryption Utility Restoring Data if Required Key is Available If the right key isn t availabl...

Page 95: ...ter the encryption password then select OK The Encryption Configuration screen displays 3 Insert the USB device into the library s USB port 4 Select Import Key The Import Key Selection screen displays...

Page 96: ...hen select Security Encryption The Encryption User Login screen displays 2 Enter the encryption password then select OK The Encryption Configuration screen displays showing Import Key and Add Key 3 Se...

Page 97: ...e path for the key displays in the Encryption Key File field 6 Select Next The Import Password screen displays 7 Enter the password that was used to encrypt the key when it was being exported then sel...

Page 98: ...h the tape through BlueScale Encryption Note that this option is available on the Import Export screen that displays only in partitions using encryption To recycle encrypted media 1 From the toolbar m...

Page 99: ...To add other tapes to recycle Select Add Tape The Select Tapes screen displays Repeat Step 4 to add the tape Repeat the entire procedure to add further tapes To delete tapes from the list of tapes to...

Page 100: ...ave selected all of the tapes that you want to recycle The Select Drive screen displays 7 Choose the drive that you want to use to scratch the media then select Next The Summary screen displays 8 Veri...

Page 101: ...page 115 contains information about data restoration Professional Edition Overview Professional Edition supports multiple keys on the library simultaneously Each partition that is enabled for encrypti...

Page 102: ...required the first time you log in The Encryption Configuration screen displays 3 Select Configure The Encryption Users screen displays 4 Select either Single User Mode Requires the creation of one en...

Page 103: ...ional Edition in Spectra T50 Libraries 103 5 Select Next The Encryption Settings screen displays Note If you selected Single User Mode only one set of New Encryption User Password and Retype Password...

Page 104: ...is powered on during startup partitions dedicated to encryption are not available so backups sent to them cannot run To initialize the encryption partitions someone must log in as a superuser then en...

Page 105: ...hat you will use to reference the key Note Note that the real key value never displays and that administrators don t ever need to specify the real key value in order to encrypt data or manage keys The...

Page 106: ...te a copy of the key for safekeeping If the key is lost data cannot be recovered so promptly copying the key and storing it safely that is away from the data encrypted using the key is extremely impor...

Page 107: ...tion configuration wizard The Encryption screen for partition configuration lets you enable encryption for the partition and associate keys with it It only displays if the encryption password has been...

Page 108: ...llow the procedure in Displaying the Partition Configuration Encryption Screen on page 107 to display the Encryption screen 2 Select Enable Encryption 3 If you have more than one encryption key select...

Page 109: ...rotecting Keys Protect encryption keys by Making copies of every key through Key Export Storing the keys in a secure location Tracking the location of the keys and the passwords required to import the...

Page 110: ...that number M required to access the encrypted key file protected using this method For your site select one of these as your M of N shares For example if you choose 2 of 3 then the encrypted key alr...

Page 111: ...ce or both before deleting the key from your system You may want to make two copies of a key storing each in a secure location Note the location of these keys so that you can easily find the key when...

Page 112: ...one encryption password a prompt asks you to enter another password Enter it then select Next The Export Type screen displays Otherwise the Export Type screen immediately displays 4 Select either an...

Page 113: ...e library s user guide Select Next The Export Password screen displays Export M of N Shares to USB A screen displays that asks you to select the minimum shares required to restore the encrypted key al...

Page 114: ...evices eject the USB device after a share has been written to it and at every prompt insert another USB device After the shares have been written insert each USB device into the library one by one and...

Page 115: ...a Decryption Utility EDU is an optional safeguard providing a method that lets you restore data without a library Review information about the command line encryption utility in Chapter 11 Endura Decr...

Page 116: ...Selection screen displays If you selected multi user mode and only one encryption password has been supplied a prompt asks you to enter another password Enter it then select Next 5 Choose the key to...

Page 117: ...r Login screen displays 2 Enter the encryption password then select OK The Encryption Configuration screen displays 3 Select Import Key The Encryption Key Files Source screen displays Note that this s...

Page 118: ...a Key Only one key is allowed per LTO 4 tape To use a tape encrypted with a deleted encryption key you must first scratch the tape through BlueScale Encryption This procedure is described in Recyclin...

Page 119: ...associated with each tape storing encrypted data Once the encrypted data is written to a tape the drive won t overwrite the encrypted data to re use the tape until you recycle the tape through BlueSc...

Page 120: ...he information for the selected partition displayed If you only have one partition the drop down menu does not appear on this screen 3 Select Recycle The Select Tapes screen displays 4 Select a tape t...

Page 121: ...rocedure as many times as necessary to add even more tapes To delete tapes from the list of tapes to recycle proceed to Deleting Tapes from the List below 4 Proceed to Finishing the Tape Recycling on...

Page 122: ...tape recycling 1 When the list shows all of the tapes you want to recycle select Next in the Tapes to Recycle screen The Select Drive screen displays 2 Choose the drive to scratch the media then selec...

Page 123: ...EDU and BlueScale Encryption Support...

Page 124: ...with the backup software used to back up the data Requirements To decrypt data assemble the following Tapes with encrypted data Tape s to hold decrypted data optional but recommended The key or keys...

Page 125: ...ed to write the data to tape Decrypting Data EDU Command Line Review the command line arguments for EDU Arguments edu i drive_w_encryptape o drive_w_blank_tape n number of keys i dev nst0 indicating t...

Page 126: ...he maximum data capacity of the tape to be decrypted or if you know the amount of data on the tape the equivalent amount of disk space For LTO 4 make sure tmp has 800 GB of space free 4 Log in as a us...

Page 127: ...ays along with a request for the password Type it in then press Enter 3 The system then prompts for the full path and file name of the key Type it in then press Enter 4 The system begins copying the d...

Page 128: ...ring the encrypted data Note EDU restores data that has been encrypted through the Spectra library using QIP based encryption 4 Insert the write protected tape into a drive Note the device name this e...

Page 129: ...e of the key then press Enter 3 The system begins decrypting data and writing it to the empty tape Messages display as the data is decrypted The system indicates when the decryption is complete 4 Remo...

Page 130: ...ironment is rapidly evolving New features developed for BlueScale Encryption will be made available for locations with BlueScale encryption support Troubleshooting We will help you deal with encryptio...

Page 131: ...ustralia and New Zealand Phone Email 1 303 449 6400 sales spectralogic com Europe Africa and Middle East Phone Email 44 0 870 112 2150 eurosales spectralogic com United States and Canada Phone Email 1...

Page 132: ...ommand line utility edu 125 configuring encryption BlueScale Encryption Professional Edition 102 BlueScale Encryption Standard Edition 85 contacting Spectra Logic sales 2 131 creating an encryption ke...

Page 133: ...L library software license 2 license library software 2 LTO 4 drives encryption support 15 LTO 4 media recycling 15 M media recycling 68 98 119 122 M of N shares 110 moniker definition of 23 monikers...

Reviews:

No comments