2 creating your key management processes, When to create a new encryption key, Enabling automatic generation of new keys – HP StoreEver MSL Tape Libraries User Manual


2 Creating your key management processes

The encryption kit provides encryption key generation and secure storage of the keys, and is
intended to be used within a key management process. Processes should be developed to manage
your encryption keys, tokens, and passwords before configuring encryption on the autoloader or
library.

The key management processes may be based on your company's security and audit policies.
The following recommendations apply if your company does not have security policies, or if its
policies do not address the areas needed for the key management processes. If you have highly
sensitive data or are unsure about using encryption, HP recommends that you consult with a security
expert to develop policies appropriate to your situation.

When to create a new encryption key

HP recommends that a new encryption key be created at least annually and at most weekly when
using the encryption kit. The token can hold up to 100 keys. Once the key server token is full,
additional key server tokens must be purchased. Keys can never be deleted from a key server
token.

Your organization's backup and audit policies may specify when and how often to create a new
key. If your organization's policies do not address creating new keys but include a frequency for
replacing or archiving tapes, that policy could be the basis for determining when and how often to
create a new key.

NOTE: When initializing a token, you must create the first key manually. See “Generating a new
encryption key” (page 32).

Enabling automatic generation of new keys

You can enable the autoloader or library to periodically generate a new encryption key and specify
the number of weeks to use each key, as well as the day and time for generating new keys.

If you advance the autoloader or library time past a time when a new key would have been
generated, the new key will not be generated. For example, if the automatic key generation policy
is to generate a new key on Monday mornings and on Sunday the autoloader or library time is
updated to a time on Tuesday, a new key will not be generated. When advancing the autoloader
or library time, check the automatic key generation policy and manually generate a new key if
necessary.

If the autoloader or library is powered off during a time when the automatic key generation policy
would have generated a new key, a new key will be generated when the autoloader or library is
powered on and the PIN is entered. Only one new key is generated, even if the autoloader or
library was powered off for a time when multiple keys would have been generated had the
autoloader or library been left on.
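The two edge cases above (a forward clock adjustment that jumps over a scheduled generation, and a power-off spanning one or more scheduled generations) are easy to get wrong when planning key rotation. The following Python model is an added example and is not code from the manual or from the library firmware. It assumes a policy of the form described in the text (a number of weeks per key, plus a weekday and time of day), and it assumes that the next automatic key is due on the configured weekday and time no earlier than that many weeks after the previous key; the `KeyGenPolicy`, `next_due`, `skipped_by_clock_advance` and `keys_generated_at_power_on` names are this example's own. The sample timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KeyGenPolicy:
    """Automatic key generation policy as configured on the library (assumed model).

    interval_weeks: number of weeks each key is used before a new one is generated
    weekday:        day of the week for generation, 0 = Monday ... 6 = Sunday
    hour, minute:   time of day for generation (library local time)
    """
    interval_weeks: int
    weekday: int
    hour: int
    minute: int

    def __post_init__(self):
        # A zero-week interval would never advance the schedule; reject it.
        if self.interval_weeks < 1 or not 0 <= self.weekday <= 6:
            raise ValueError("interval_weeks must be >= 1 and weekday in 0..6")


def dt(text):
    """Parse an ISO 8601 timestamp such as '2024-01-08T09:00'."""
    return datetime.fromisoformat(text)


def next_due(policy, last_generated):
    """Next scheduled generation after the last key: on the configured weekday and
    time, no earlier than interval_weeks after the previous key (assumption)."""
    earliest = last_generated + timedelta(weeks=policy.interval_weeks)
    candidate = earliest.replace(hour=policy.hour, minute=policy.minute,
                                 second=0, microsecond=0)
    candidate += timedelta(days=(policy.weekday - candidate.weekday()) % 7)
    if candidate < earliest:
        candidate += timedelta(weeks=1)
    return candidate


def scheduled_between(policy, last_generated, start, end):
    """All times the policy would fire in the window (start, end]."""
    due = []
    prev = last_generated
    while True:
        when = next_due(policy, prev)
        if when > end:
            return due
        if when > start:
            due.append(when)
        prev = when


def skipped_by_clock_advance(policy, last_generated, old_time, new_time):
    """Scheduled generations that fall inside a forward clock adjustment.

    The library does not fire these, so a non-empty result means an operator
    should generate a key manually after changing the time."""
    if new_time <= old_time:
        return []
    return scheduled_between(policy, last_generated, old_time, new_time)


def keys_generated_at_power_on(policy, last_generated, powered_off, powered_on):
    """Return (keys_generated, generations_missed) for a power-off interval.

    At most one key is generated when power returns and the PIN is entered,
    however many scheduled generations were missed while the unit was off."""
    missed = scheduled_between(policy, last_generated, powered_off, powered_on)
    return (min(len(missed), 1), len(missed))


if __name__ == "__main__":
    # Constructed scenario: new key every week on Monday at 09:00.
    policy = KeyGenPolicy(interval_weeks=1, weekday=0, hour=9, minute=0)
    last = dt("2024-01-01T09:00")  # 2024-01-01 is a Monday
    # Clock moved on Sunday to a Tuesday: the Monday generation is skipped.
    print("skipped:", skipped_by_clock_advance(
        policy, last, dt("2024-01-07T12:00"), dt("2024-01-09T12:00")))
    # Powered off across three Mondays: one key generated at power-on.
    print("power-on:", keys_generated_at_power_on(
        policy, last, dt("2024-01-07T20:00"), dt("2024-01-23T10:00")))
```

Use `skipped_by_clock_advance` as a pre-check before adjusting the library time: a non-empty list is the cue to generate a key manually, as the text advises. `keys_generated_at_power_on` shows why a long outage leaves the key schedule one step behind rather than catching up fully.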

NOTE: Automatic key generation will not occur if media is loaded in any drive. When using
automatic key generation, ensure that media is unloaded from the drives when keys are generated.

Backing up the key server token data

HP recommends that you back up the key server token data after a new key is created and before
the new key is used to write tapes. The key server token data can be backed up to a
password-protected file from the RMI. The backup process will save all of the keys, but not the
token name or PIN.

The encryption kit includes two key server tokens. One token is intended to be installed in the
autoloader or library to encrypt and decrypt tapes. If the first token is lost or damaged, the second
token can be used in its place. The second token can also be used to read tapes with encrypted

14

Creating your key management processes
