HP Enterprise Secure Key Manager manual Introduction, Using an encryption key server

Page 4

1 Introduction

This document includes information about configuring and using encryption key servers with the 1/8 G2 Tape Autoloader and MSL Tape Libraries with LTO-4 and later generation tape drives. The LTO-4 and later generation tape drives include hardware capable of encrypting data while it is being written, and decrypting data when reading. Hardware encryption can be used with or without compression while maintaining the full speed and capacity of the tape drive and media.

NOTE: An LTO-4 or later generation tape drive will not write encrypted data to an LTO-3 or earlier generation tape. For additional compatibility information, see Media compatibility (page 5).

Encryption is the process of transforming data into a form that cannot be read until it is deciphered with the key that was used to encrypt it, protecting the data from unauthorized access and use. LTO-4 and later generation tape drives use AES-256, the 256-bit-key variant of the industry-standard AES algorithm, to protect your data.

Your company policy will determine when and how to use encryption. For example, encryption may be mandatory for company confidential and financial data, but not for personal data. Company policy will also define how encryption keys should be generated and managed, how frequently they should be changed, and how passwords are managed.

Encryption is primarily designed to protect the media once it is offline (removed from the library) and to prevent the data on it from being accessed by unauthorized users. You will be able to read and append the encrypted media as long as a key server token containing the correct key is installed and the appropriate passwords are available.

For more information about AES encryption, encryption keys, and using hardware encryption with your HP Ultrium tape drive, see the White Papers at http://h18006.www1.hp.com/storage/tapewhitepapers.html.

Using an encryption key server

When a key manager is enabled and properly configured, tape data will automatically be encrypted with keys delivered from the key manager. Tapes are encrypted on a key-per-tape basis. Some key managers support additional options, such as having a key per partition.

Write and append operations: The tape drive requests a key when data is written. The tape library, acting as an intermediary, asks the key manager to create a key if the tape does not already have one, then obtains the key and delivers it to the tape drive. The key is identified by a name that is associated with the media identifier. The key is retained in the tape drive until the tape is unloaded.

Read operations: The tape drive requests a key. The tape library, acting as an intermediary, obtains the key identifier for the loaded tape, requests that key from the key manager, and delivers it to the tape drive. The key is retained in the tape drive until the tape is unloaded and is used for any subsequent read and append operations on that tape.
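The write/append and read flows above, as an added simulation that is not part of this manual or of HP's software. The key manager, library, drive and cartridge classes, the key-naming scheme (one key named after the media identifier) and the cartridge barcode are all assumptions made for the example; the AES-256 performed in the LTO drive hardware is replaced by an HMAC-SHA256 counter-mode keystream so that the script runs on the Python standard library alone. The scenario shows the key being created on first write, reused for append, discarded at unload and fetched again by name on reload, and a read failing where the key manager does not hold the key (the offline-media case the Introduction describes).

```python
# Added example (not HP code): simulation of the key-per-tape flow described above.
# Key manager, library and drive are hypothetical stand-ins; the AES-256 done in the
# LTO drive is replaced by an HMAC-SHA256 keystream so this runs on the stdlib alone.
import hashlib
import hmac
import os


class KeyManager:
    """Stand-in for the ESKM/KMIP server: keys are stored and served by name."""

    def __init__(self):
        self._keys = {}

    def create_key(self, name):
        self._keys[name] = os.urandom(32)  # 256-bit key, the AES-256 key size
        return self._keys[name]

    def get_key(self, name):
        if name not in self._keys:
            raise KeyError(f"key {name!r} not held by this key manager")
        return self._keys[name]


class Tape:
    """Cartridge: cleartext media identifier and key name, plus encrypted blocks."""

    def __init__(self, media_id):
        self.media_id, self.key_name, self.blocks = media_id, None, []


class Library:
    """Intermediary between the drive and the key manager."""

    def __init__(self, key_manager):
        self.km = key_manager

    def key_for_write(self, media_id):
        name = f"tape-{media_id}"  # key name tied to the media identifier (assumed scheme)
        try:
            return name, self.km.get_key(name)     # append: reuse the tape's key
        except KeyError:
            return name, self.km.create_key(name)  # first write: have it created

    def key_for_read(self, key_name):
        return self.km.get_key(key_name)


def _crypt(key, nonce, data):
    """XOR data with a counter-mode HMAC-SHA256 keystream (stand-in for AES-256)."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class TapeDrive:
    """Caches one key, and only while the tape it belongs to is loaded."""

    def __init__(self, library):
        self.library, self.tape, self.key_requests = library, None, 0
        self._key_name = self._key = None

    def load(self, tape):
        self.tape, self._key_name, self._key = tape, None, None

    def unload(self):
        self.load(None)  # key is discarded with the tape; next load must fetch it again

    def write(self, data):
        if self._key is None:
            self.key_requests += 1
            self._key_name, self._key = self.library.key_for_write(self.tape.media_id)
        if self.tape.key_name not in (None, self._key_name):
            raise ValueError("key does not match the one the tape was written with")
        self.tape.key_name = self._key_name
        nonce = os.urandom(16)
        self.tape.blocks.append((nonce, _crypt(self._key, nonce, data)))

    def read(self, index):
        if self._key is None:
            self.key_requests += 1
            self._key_name = self.tape.key_name
            self._key = self.library.key_for_read(self._key_name)  # KeyError if unknown
        nonce, ciphertext = self.tape.blocks[index]
        return _crypt(self._key, nonce, ciphertext)


def run_demo():
    """Constructed scenario: write, unload, reload, read and append, then read at a
    site whose key manager never received the key."""
    drive = TapeDrive(Library(KeyManager()))
    tape = Tape("CART001L4")  # constructed barcode
    drive.load(tape)
    drive.write(b"block one")    # library has the key manager create the key
    drive.write(b"block two")    # key still cached in the drive
    drive.unload()
    drive.load(tape)
    first = drive.read(0)        # key fetched again by the name stored on the tape
    second = drive.read(1)
    drive.write(b"block three")  # append reuses the same key
    drive.unload()
    stranger = TapeDrive(Library(KeyManager()))  # offline media, key unavailable
    stranger.load(tape)
    try:
        stranger.read(0)
        unreadable = False
    except KeyError:
        unreadable = True
    return {
        "readback": first + b" / " + second,
        "blocks": len(tape.blocks),
        "key_requests": drive.key_requests,  # first write, then first read after reload
        "unreadable_without_key": unreadable,
        "ciphertext_differs": tape.blocks[0][1] != b"block one",
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points the simulation makes concrete: the drive never holds a key for a tape that is not loaded, so the key manager (and its access controls and audit trail) sits in the path of every first access after a load; and a cartridge that leaves the site is unreadable anywhere the key manager does not serve its key, which is exactly why the key manager's backup and failover configuration must be treated as part of the backup data's lifecycle.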

HP Enterprise Secure Key Manager (ESKM)

All ESKM versions support the ESKM encryption protocol, which can be used by the MSL6480 and requires an ESKM Encryption license for the library.

ESKM 4.0 and later versions also support the KMIP protocol, which can be used by the 1/8 G2 Tape Autoloader and the MSL2024, MSL4048, MSL6480, MSL8048, and MSL8096 Tape Libraries. Accessing the ESKM 4.0 with the KMIP protocol requires a KMIP Encryption license for the library.

The same ESKM 4.0 server can serve libraries configured to use the ESKM protocol and libraries configured to use the KMIP protocol at the same time. Use the protocol that corresponds with the encryption license for your library.

For configuration information, see “HP Enterprise Secure Key Manager (ESKM) integration” (page 7) or “KMIP-based key server integration” (page 12).
