1 features and overview, Considerations for using the encryption kit – HP StoreEver MSL Tape Libraries User Manual

1 Features and overview

IMPORTANT: The encryption kit provides secure encryption of your data using key server tokens
and passwords. A thorough understanding and proper use of the encryption kit operation will
maintain the security of your data and ensure that only qualified persons have access to the data.
Managing your key server tokens and passwords is critical for preventing unauthorized data access
and for avoiding the inability of qualified personnel to access data from tapes. Read and understand
this encryption kit user guide before enabling encryption.

The encryption kit provides secure generation and storage of encryption keys. The encryption kit
may be used with any HP StoreEver 1/8 G2 Tape Autoloader or the MSL2024, MSL4048,
MSL6480, MSL8048 and MSL8096 Tape Library with at least one LTO-4 or later generation tape
drive. The encryption kit is incompatible with the MSL6000.

The encryption kit includes two USB key server tokens. One key server token is available for use
as a backup for the other.

To use the encryption kit, a key server token is inserted in the USB port on the back of the
autoloader or library, and encryption is enabled and configured from the remote
management interface (RMI).

The encryption kit supports your manual security policies and procedures by providing secure
storage for encryption keys. Access to the key server tokens and their backup files is protected with
user-specified passwords. You will need to create processes to protect the tokens and secure the
passwords.

The encryption kit requires support from the autoloader or library firmware and the tape drive
firmware. See “Autoloader or library firmware requirements” (page 7) and “Tape drive and drive
firmware requirements” (page 7). You can download autoloader or library firmware files from
the HP Support website at http://www.hp.com/support.

IMPORTANT: When encryption is enabled with the encryption kit, the autoloader or library will
not use encryption keys from other sources, such as a key management system or application
software. Disable encryption in applications writing to the autoloader or library when encryption
is enabled with the encryption kit. Applications that attempt to control encryption while encryption
is enabled with the encryption kit will not be able to do so, which can cause backups or other
write operations to fail.

Considerations for using the encryption kit

The purpose of encryption is to protect data from unauthorized access and use. For LTO-4 and
later generation tape drives, the encryption algorithm is based on encryption keys. With the
encryption kit, the encryption keys are stored on the key server token and access to the keys is
protected by a password.

To enable, disable, and configure encryption on the MSL6480 library, you must be logged into
the library RMI as the security user. For the autoloader or other libraries, you must be logged into
the autoloader or library RMI using the administrator password.

To write encrypted data, you must have the key server token and the password for the key server
token. Only one encryption key is used on a tape cartridge. If the tape cartridge contains
previously-encrypted data, a key server token with the key for the tape must be in the autoloader
or library.
