316196601 • Revision: A
Chapter 2 Dione Card
KMS Operations
A potential issue:
The LTO-4 drive firmware will not request a write key in the following scenario:
Read, Space, Write-Filemark, Write.
The drive will use the same key obtained for the Read command to encrypt the
data provided for the Write command. The state of this key may be inappropriate
for writing due to the policy associated with the drive (an expired key).
Work-Around:
Assign the drive’s Key Group a key policy with a long encryption period.
An encryption period of a year or longer is recommended.
Details:
The LTO-4 drive firmware will not request a write key in the following scenario:
Read, Space, Write-Filemark, Write. The drive will use the key obtained from the
Read command to encrypt the data provided for the Write command.
Most applications go through this sequence of operations when
appending data to a tape.
The end result is that encryption keys previously used on that tape will continue to
be used for write operations even if the state of the key has changed to expired or
compromised.
The encryption period is a user defined policy.
An encryption period of a year or longer is recommended to mitigate the risk of
write operations using an expired key. Most applications write sequentially to a
tape cartridge until it is full. It is rare that a customer would not fill a tape
cartridge with data within a year.
This is a low impact issue due to the ability to mitigate exposure with a user defined
encryption period and due to the non-disruptive nature of the error. Data
encrypted with an expired key can still be accessed normally on future attempts to
append or restore.
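The effect of the work-around can be checked with a small model of the append sequence. This is an added example, not code from the original manual or the drive firmware; the `Key` class, the dates and the key ID are constructed, and a Write with no preceding Read is assumed to trigger a normal key request and is not audited.

```python
from dataclasses import dataclass
from datetime import date, timedelta

APPEND = ["Read", "Space", "Write-Filemark", "Write"]  # sequence from the text


@dataclass
class Key:
    key_id: str                    # constructed sample identifier
    activated: date                # assumed start of the encryption period
    encryption_period: timedelta   # user-defined policy on the Key Group

    def valid_for_write(self, today: date) -> bool:
        return today < self.activated + self.encryption_period


def expired_key_writes(ops, tape_key, today):
    """Return indexes of Write commands encrypted with an expired key.

    Simplified model of the behaviour described above: Read loads the tape's
    key into the drive, and a later Write reuses it without a new key request.
    """
    cached, flagged = None, []
    for i, op in enumerate(ops):
        if op == "Read":
            cached = tape_key
        elif op == "Write" and cached is not None:
            if not cached.valid_for_write(today):
                flagged.append(i)
    return flagged


def demo():
    first_write = date(2024, 1, 10)                  # constructed dates
    append_day = first_write + timedelta(days=200)   # tape appended 200 days later
    short = Key("sample-key-1", first_write, timedelta(days=30))
    long_ = Key("sample-key-1", first_write, timedelta(days=365))
    # Short period: the append is encrypted with an expired key.
    # Year-long period: the same append stays inside the encryption period.
    return (expired_key_writes(APPEND, short, append_day),
            expired_key_writes(APPEND, long_, append_day))


if __name__ == "__main__":
    print(demo())
```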
It is recommended that the customer not destroy encryption keys as a means to
enforce data life-cycle management. Instead, enforce data life-cycle management
by expiring volumes through the backup and archive applications.
FIGURE 2-3 Key Lifecycle