KMS Operations
When the tape drive is
HP LTO4 tape drives can store only one (1) key while encrypting or decrypting data. Therefore, it is essential that these drives stay connected to the KMS network for communications. Failover and load balancing also occur between the KMAs in the system (KMS).
The following is a brief description of how the drive implements encryption:
■ During write operations, when the backup application starts writing, the Write command triggers the drive to request an encryption key from the Dione card.
The Dione creates a secure connection to the KMA and requests a key. The KMA provides the key.
The Dione card unwraps the key and sends it to the drive, which continues with the write operation.
■ During read operations, a similar set of operations occurs. The backup application sends a read request.
The drive recognizes that the data is encrypted and requests a decryption key from the Dione card.
Note: The LTO4 tape format stores the metadata (key) along with encrypted data. This gives the Dione card a method to retrieve the required key for decryption.
The Dione card verifies the Key Associated Data in the data block to determine the Key ID for that block and requests the corresponding key from the KMA.
Once the key has been received, it is sent to the drive and the read proceeds.
■ During media loads and unloads, the Dione card monitors the tape drive and fetches the appropriate Data Unit (for loads) or clears the encryption status (for unloads).
Key Lifecycle
Keys undergo a lifecycle based on the key policy. The lifecycle imposed by the KMS is based on the NIST
■ Encryption period: the time after a key is assigned that it can be used to encrypt.
■ Cryptoperiod: the time period it can be used for decryption.
It is assumed the two periods start at the same time when the key is assigned.
FIGURE 2-3 shows an example of how these periods interact.
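The write and read key requests and the two lifecycle periods described above, modelled as an added example (not from the original brief and not the KMS product's interface). ToyKMA, KeyPolicy, the key-N IDs, reusing one key for every write inside its encryption period, and requiring the encryption period not to exceed the cryptoperiod are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

@dataclass(frozen=True)
class KeyPolicy:
    encryption_period: timedelta  # time after assignment the key may encrypt
    cryptoperiod: timedelta       # time after assignment the key may decrypt

    def __post_init__(self):
        # Assumption: data written late in the encryption period must stay readable.
        if self.encryption_period > self.cryptoperiod:
            raise ValueError("encryption period must not exceed cryptoperiod")

@dataclass
class Key:
    key_id: str
    assigned: datetime  # both periods start here, as the brief states
    material: bytes = field(repr=False, default_factory=lambda: secrets.token_bytes(32))

class ToyKMA:
    """Hypothetical stand-in for a KMA; not the product's interface."""
    def __init__(self, policy):
        self.policy = policy
        self.keys = {}

    def can_encrypt(self, key, now):
        return key.assigned <= now < key.assigned + self.policy.encryption_period

    def can_decrypt(self, key, now):
        return key.assigned <= now < key.assigned + self.policy.cryptoperiod

    def key_for_write(self, now):
        """Write path: reuse a key still in its encryption period, else assign a new one."""
        for key in self.keys.values():
            if self.can_encrypt(key, now):
                return key
        key = Key(key_id=f"key-{len(self.keys) + 1}", assigned=now)
        self.keys[key.key_id] = key
        return key

    def key_for_read(self, key_id, now):
        """Read path: look up the Key ID taken from the block's Key Associated Data."""
        key = self.keys.get(key_id)
        if key is None:
            raise KeyError(f"unknown Key ID {key_id}")
        if not self.can_decrypt(key, now):
            raise PermissionError(f"{key_id} is outside its cryptoperiod")
        return key
```

With a 30-day encryption period and a 365-day cryptoperiod, a tape written on day 1 is still readable on day 200 even though writes after day 30 are served a different key.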
10 KMS: LTO4 Technical Brief • June 2008 | Revision:A • 316196601 |