HP Command View for Tape Libraries Software User Manual

Page 159


a unique media identifier, and the media barcode. This metadata is used to create a unique key
name. The library then requests a key from the SKM or ESKM, based on the key generation policy
for that library or partition. The library obtains its key generation policies (one per partition) from
the SKM or ESKM when it logs in. The available policies are Key per Tape, Key per Partition, and
No Encryption. The SKM or ESKM returns the key to the library over an SSL connection. The key
and the key name are forwarded to the LTO4 and later tape drive. This key is used on all
subsequent write operations until the cartridge is unloaded. Key retrieval takes a very short
time, and the entire process is transparent to the backup application. If a later backup
session appends data to the tape, the same key is retrieved and used to encrypt the appended
data.

The LTO4 and later tape drive compresses the data prior to encrypting it. Encryption does not
increase the size of the data on the tape. Furthermore, encryption does not affect the performance
of the drive. All encryption is performed using AES-256 keys.

During a read operation, the library retrieves the key name from the tape, and requests that key
from the SKM or ESKM. The key is returned over SSL, forwarded to the LTO4 and later tape drive,
and is used on all subsequent read operations until the cartridge is unloaded.
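The write and read paths described above, as an added illustrative model (not HP's code and not the SKM/ESKM API): the key-name derivation from partition, media identifier and barcode, the MockKeyManager stand-in for the SKM or ESKM, and the partition names are all assumptions. It shows how Key per Tape and Key per Partition yield different key names, how an append reuses the key name already on the cartridge, and how a read fetches the key by that name rather than re-deriving it.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of the key-retrieval flow described above. The key-name
# derivation and the SKM/ESKM interface are assumptions for illustration,
# not HP's actual format or API.

class MockKeyManager:
    """Stand-in for the SKM/ESKM: one key generation policy per partition plus a key store."""

    def __init__(self, partition_policies):
        self.partition_policies = dict(partition_policies)
        self.keys = {}  # key name -> 32-byte AES-256 key

    def policy_for(self, partition):
        return self.partition_policies[partition]

    def get_or_create_key(self, key_name):
        """Write path: generate an AES-256 key the first time a key name is requested."""
        return self.keys.setdefault(key_name, secrets.token_bytes(32))

    def lookup_key(self, key_name):
        """Read path: the key must already exist; a missing key leaves the tape unreadable."""
        return self.keys[key_name]

@dataclass
class Cartridge:
    media_id: str
    barcode: str
    key_name: Optional[str] = None  # recorded on the tape at the first encrypted write

def key_name_for(partition, cart, policy):
    # Assumed derivation: Key per Tape binds the name to this cartridge's media
    # identifier and barcode; Key per Partition binds it to the partition only.
    seed = f"{partition}:{cart.media_id}:{cart.barcode}" if policy == "Key per Tape" else partition
    return "key-" + hashlib.sha256(seed.encode()).hexdigest()[:16]

def load_for_write(km, partition, cart):
    """Library side of a write: returns the key handed to the drive, or None for plaintext."""
    policy = km.policy_for(partition)
    if policy == "No Encryption":
        return None
    cart.key_name = cart.key_name or key_name_for(partition, cart, policy)  # appends reuse it
    return km.get_or_create_key(cart.key_name)

def load_for_read(km, cart):
    """Library side of a read: the key name is read from the tape, never re-derived."""
    return None if cart.key_name is None else km.lookup_key(cart.key_name)
```

The final case in the test below models the lost-key situation the NOTE warns about: a cartridge whose recorded key name is unknown to the key manager cannot be decrypted.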

Figure 18 Data encryption process

1. Backup domain server
2. Backup clients
3. Backup media server
4. Read/write request
5. LTO4 and later tape drives
6. LTO4 and later tape cartridges
7. ETLA library
8. Metadata
9. Encrypted key
10. LAN
11. SSL socket
12. SKM or ESKM

NOTE:

When encryption is enabled, HP strongly recommends that all cartridges have high-quality
barcodes, and that the tape library is configured to enable a barcode length of 6 or more characters.
The cartridge barcode is useful for later matching an encryption key with a cartridge. For example,
if a tape is lost, the barcode can be used to identify the key associated with that cartridge.

Encrypting data with the HP StorageWorks Secure Key Manager (SKM) or HP Enterprise Secure Key Manager (ESKM)
