Requirements for using the encryption kit – HP StoreEver MSL Tape Libraries User Manual
Page 6
To read encrypted data, you must have a key server token with the key for the tape and the
password for the key server token. The association between the encryption key and the tape is not
stored on either the key server token or the tape.
CAUTION:
If you lose the key server tokens and token backup files associated with a tape, neither
you nor HP will be able to recover the encryption keys that were stored on the tokens. HP
recommends that a backup of the encryption keys be stored off site in a secure location.
If you lose the password to the key server token, neither you nor HP will be able to recover or reset
the password to access the encryption keys. Without the password you will not be able to recover
the data from tapes using the encryption keys on the token. HP recommends that you keep the
password in a secure location, and that at least one copy of the password be kept off site in a
secure location.
If the key server token is removed or becomes dislodged from the USB port on the back of the
autoloader or library, the tape drive will not be able to read or write encrypted data. This could
cause your backup or other data operation to fail.
Reading encrypted data from a tape cartridge requires the tape cartridge, a key server token with
the encryption key for the tape, the password for the key server token, and the security password
for the MSL6480 library or the administrator password for the autoloader or libraries. To prevent
unauthorized access to your data, HP recommends keeping these items in safe and secure locations.
LTO-4 and later generation tape drives and encryption
The LTO-4 and later generation tape drives include hardware capable of encrypting data while
writing data, and decrypting data when reading. Hardware encryption can be used with or without
compression while maintaining the full speed and capacity of the tape drive and media.
NOTE:
An LTO-4 or later generation tape drive will not write encrypted data to an LTO-3 or
earlier generation tape. For additional compatibility information, see
Encryption is the process of changing data into a form that cannot be read until it is deciphered
with key used to encrypt the data, protecting the data from unauthorized access and use. LTO-4
and later generation tape drives use the 256-bit version of the industry-standard AES encrypting
algorithm to protect your data.
Your company policy will determine when and how to use encryption. For example, encryption
may be mandatory for company confidential and financial data, but not for personal data. Company
policy will also define how encryption keys should be generated and managed, how frequently
they should be changed, and how passwords are managed.
Encryption is primarily designed to protect the media once it is offline and to prevent it from being
accessed by unauthorized users. You will be able to read and append the encrypted media as
long as a key server token containing the correct key is installed and the appropriate passwords
are available.
For more information about AES encryption, encryption keys, and using hardware encryption with
your HP Ultrium tape drive, see the White Papers at
NOTE:
Some earlier LTO-4 tape drive firmware revisions might not support the encryption kit
functionality. Before enabling encryption, verify that the tape drive has firmware that supports the
encryption kit. See
“Tape drive and drive firmware requirements” (page 7)
and update the
firmware if necessary.
Requirements for using the encryption kit
Using the encryption kit requires support from the autoloader or library firmware and the tape
drive firmware, as well as access to the USB port on the back of the autoloader or library.
6
Features and overview