Sun Microsystems HP LTO4 manual Potential issue, Work-Around, Details

Page 19

KMS Operations

FIGURE 2-3 Key Lifecycle

A potential issue:

The LTO4 drive firmware will not request a write key in the following scenario:

Read, Space, Write-Filemark, Write.

The drive will use the same key obtained for the Read command to encrypt the data provided for the Write command. The state of this key may be inappropriate for writing due to the policy associated with the drive (an expired key).

Work-Around:

Assign the drive to a Key Group whose key policy has a long encryption period. An encryption period of a year or longer is recommended.

Details:

The LTO-4 drive firmware will not request a write key in the following scenario: Read, Space, Write-Filemark, Write. The drive will use the key obtained from the Read command to encrypt the data provided for the Write command.

Most applications go through this sequence of operations when appending data to a tape.

The end result is that encryption keys previously used on that tape will continue to be used for write operations even if the state of the key has changed to expired or compromised.

The encryption period is a user defined policy.

An encryption period of a year or longer is recommended to mitigate the risk of write operations using an expired key. Most applications write sequentially to a tape cartridge until it is full. It is rare that a customer would not fill a tape cartridge with data within a year.

This is a low-impact issue because exposure can be mitigated with a user-defined encryption period and because the error is non-disruptive. Data encrypted with an expired key can still be accessed normally on future attempts to append or restore.

It is recommended that the customer not destroy encryption keys as a means to enforce data life-cycle management. Instead, enforce data life-cycle management by expiring volumes through the backup and archive applications.
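The following is an added illustration, not code from Sun or from the drive firmware: a constructed model of the key-selection behaviour the brief describes (the key fetched for a Read is kept and reused for a later Write without a new request to the KMS), together with a check that flags writes made with a key whose state is no longer suitable and a check of the recommended encryption period. Key identifiers, key states and the command names are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Key:
    key_id: str
    state: str  # assumed KMS key states: "active", "expired" or "compromised"


class Lto4KeyModel:
    """Constructed model of the behaviour in the brief, not the real firmware."""

    def __init__(self, request_write_key: Callable[[], Key]):
        self.request_write_key = request_write_key  # stands in for a KMS request
        self.current_key: Optional[Key] = None
        self.writes: List[Tuple[str, str]] = []  # (key_id, key_state) per Write

    def run(self, commands: List[Tuple[str, Optional[Key]]]) -> None:
        for cmd, tape_key in commands:
            if cmd == "READ":
                # Reading encrypted data fetches the key the block was written with.
                self.current_key = tape_key
            elif cmd in ("SPACE", "WRITE_FILEMARK"):
                pass  # positioning and filemarks leave the held key untouched
            elif cmd == "WRITE":
                if self.current_key is None:
                    self.current_key = self.request_write_key()  # fresh key from KMS
                # Otherwise the key held from the Read is reused, whatever its state.
                self.writes.append((self.current_key.key_id, self.current_key.state))
            else:
                raise ValueError(f"unknown command {cmd}")


def writes_with_unsuitable_keys(writes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Writes performed with a key whose state is no longer appropriate for writing."""
    return [w for w in writes if w[1] in ("expired", "compromised")]


def policy_meets_workaround(encryption_period_days: int) -> bool:
    """Work-around from the brief: an encryption period of a year or longer."""
    return encryption_period_days >= 365


def append_scenario(tape_key: Key) -> List[Tuple[str, str]]:
    """Read, Space, Write-Filemark, Write: the typical append sequence."""
    def kms_issue_key() -> Key:
        return Key("K-NEW", "active")  # constructed: the KMS issues an active key

    drive = Lto4KeyModel(kms_issue_key)
    drive.run([("READ", tape_key), ("SPACE", None), ("WRITE_FILEMARK", None), ("WRITE", None)])
    return drive.writes
```

Running the append sequence against a tape whose last key has expired shows the write landing on that expired key, while a write with no preceding Read obtains a fresh key.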

316196601 • Revision: A

Chapter 2 Dione Card 11
