Sun Microsystems HP LTO4 manual KMS Operations, Key Lifecycle

Page 18

KMS Operations

KMS Operations

When the tape drive is powered-on, the Dione card communicates to the drive over the serial port to take control of drive encryption and decryption.

HP LTO4 tape drives have the capability of storing one (1) key while encrypting or decrypting data. Therefore; it is essential that these drives stay connected to the KMS network for communications. Failover and load balancing will also occur between the KMAs in the system (KMS).

The following is a brief description about how the drive implements encryption:

During write operations, when the backup application starts writing, the Write command triggers the drive to request an encryption key from the Dione card.

The Dione creates a secure connection to the KMA and requests a key. The KMA provides the key.

The Dione card unwraps the key and sends it to the drive, which continues with the write operation.

During read operations, a similar set of operations occur. The backup application sends a read request.

The drive recognizes that the data is encrypted and requests a decryption key from the Dione card.

Note: The LTO4 tape format stores the metadata (key) along with encrypted data. This gives the Dione card a method to retrieve the required key for decryption.

The Dione card verifies the Key Associated Data in the data block to determine the Key ID for that block and requests the corresponding key from the KMA.

Once the key has been received, it is sent to the drive and the read proceeds.

During media loads and unloads the Dione card monitors tape drive and fetches the appropriate Data Unit (for loads) or clearing of the encryption status (for unloads).

Key Lifecycle

Keys undergo a lifecycle based on the key policy. The lifecycle imposed by the KMS is based on the NIST 800-57 guidelines and has two time periods:

Encryption period the time after a key is assigned that it can be used to encrypt.

Cryptoperiod the time period it can be used for decryption.

It is assumed the two periods start at the same time when the key is assigned.

FIGURE 2-3shows an example of how these periods interacts.

10 KMS: LTO4 Technical Brief • June 2008

Revision:A • 316196601

Image 18
Contents Sun StorageTekTM Crypto Key Management System Page Crypto Key Management System Version USA Contents Iv KMS LTO4 Technical Brief June Revision a Related Information PrefaceOrganization Chapter Use this chapter toDocumentation and Download Web Sites Additional InformationSun’s External Web Site Partners SiteIntroduction Drive Tray 1LTO4 Tape Drive in Drive Tray-SL8500Performance Specifications SpecificationsPhysical Specifications PowerSpecification Description SpecificationCompatibility Capability Native Capacity Length Format Write ReadPart Numbers Description Order NumbersLTO4 Encryption Key Marketing Number Description Part Number DescriptionDione Card Firmware RequirementsComponent Dione Card Components 1Dione Card ComponentsConnecting to the Dione Card Reset Switch operationGreen LED operation KMS Operations Key LifecyclePotential issue Work-AroundDetails Media Rfid Chips Media Types4KMS Manager Data Unit List Removal and Replacement RemovalReplacement Page Virtual Operator Panel 1shows an example of the VOP DisplayComputer Hardware Requirements Enable and disable encryptionVOP Prerequisites Operating System CertificationVersion Document Files Posted File Size Using VOPService CustomerStart VOP TIP5Commit-Passed 10.0.0.5 Run LED Diagnostic Test Diagnose Drive TabRun Loopback Test 8Run LED DiagGet Log Load FirmwareDiagnose Drive Tab KMS LTO4 Technical Brief June RevisionA Index Scsi interfaces, 1 SDP Page Headquarters