Verifying the KMIP encryption feature is working, Basic encryption – HP StoreEver ESL G3 Tape Libraries User Manual

b. Enable encryption on one or more partitions of the ESL G3.
KMIP encryption may be enabled on a per-partition basis. When enabled, encryption is enabled
on all drives in the partition. Encryption is always key-per-tape.
When the Library Managed Encryption (LME) box is checked for a partition, encryption keys are
managed by the ESL G3 tape library and the KMIP server. Backup applications are not allowed
to manage LTO drive encryption keys on any drive in that partition.
When the box is unchecked, the library does not manage encryption on that partition. If a backup
application is configured to manage LTO drive keys, it is permitted to do so.
Verifying the KMIP encryption feature is working
HP recommends you verify the encryption process is working before placing the library into
production. This is often called an end-to-end verification test.
The following steps describe how an end-to-end verification test may be conducted. Since some
of the steps occur on the server, HP cannot provide specific details of how that occurs. However,
the server vendor's Quick Start Guide for HP ESL G3 may contain information in this regard.
Otherwise, contact your server vendor for assistance.
Basic encryption test: Verifies encryption is working on partitions configured for encryption.
Failover test: Verifies keys may be retrieved from another server if the server currently in use
becomes unavailable.
Basic encryption
1. Using your backup software, load a scratch tape into a drive in a partition configured for
   KMIP encryption.
2. Rewind, then initialize the tape. This will overwrite any previous contents with an encrypted
   header. If all is configured correctly, the backup application will report successful media
   initialization.
   a. Log in to the key managers, and confirm a new key was created.
      Refer to your server documentation for details on how to do this.
   b. Log in to other servers in the cluster, and confirm the key is replicated to each server.
3. Using your backup software, unload the media to a slot.
4. From the KMIP server, find the key that was created in step 2, and temporarily disable its
   ability to be exported.
   Refer to your server documentation for how to do this.