Backing up the initial key – HP StoreEver MSL Tape Libraries User Manual
Page 24
NOTE:
The library uses the same write encryption key (the Current key) for all partitions with
encryption enabled. If the library is writing an encrypted tape when you change the security
configuration, the new configuration will take effect for the next tape loaded into an LTO-4 or later
generation tape drive.
Backing up the initial key
The key server token contains the keys used to encrypt and decrypt your tapes. HP strongly
recommends that you back up the keys on the token to allow you to access your data if a token is
lost or damaged. When backing up the key server token data, the token data is saved to a
password-protected file. You can then back up that file with a file backup process, archive it on
other media, such as a USB flash drive or CD, and restore it to the second key server token. For
more information about creating a process for backing up the key server token data, see
up the key server token data” (page 14)
CAUTION:
When a new key is created, HP recommends that you always back up the token data
and store the backup in a safe place. You will not be able to restore data from your encrypted
tapes without a token containing the encryption key used to write the tape and the token PIN.
Neither you nor HP can recover the key used to write a tape without a token containing the key
and the token PIN.
If the token data is saved to a file, you can create a token from the file at any time if you know the
file password, even if the original token is not available.
To back up the information on the key server token to a file:
1.
Verify that the token to be backed up is in the USB port on the back of the autoloader or
library.
2.
Navigate to the Configuration > Encryption > USB — MSL Encryption Kit screen Key
Management area.
3.
Enter a new password to be used to protect access to the contents of the backup file in the
Enter Token Backup File Password and Repeat Token Backup File Password fields. For increased
security, do not use the token PIN.
The backup file password must be between eight and 16 characters, containing at least one
capital letter, one lower case letter, and at least two digits.
NOTE:
Some firmware versions limit the backup file password to 15 characters. For optimal
interoperability, limit the length of the backup file password to 15 characters.
4.
Click Save and follow the instructions as they appear on the screen to specify a location for
the token backup file.
NOTE:
If your browser has a pop-up blocker enabled, the file dialog box may not appear.
Turn off your pop-up blocker before clicking Save.
5.
Save the token backup file to removable media or a location where it will be backed up by
your file backup process, if applicable. Store the removable media with the token backup file
in a secure location.
NOTE:
If your file backup process backs up encrypted files to an autoloader or a library
using the encryption kit, keep another copy of the file on removable media, such as a USB
flash drive or CD, or on the second token. If the first token is lost or damaged you will not be
able to restore the token backup file from an encrypted tape to create a replacement token.
If your token data backup policy is to back up the token data on the second token, to do so:
1.
Insert the second token into the USB port on the back of the autoloader or library.
2.
Set the PIN and token name, as you did for the first token.
24
Installing and configuring the encryption kit