Chapter 9. Tape data encryption 111
Basically, encryption is similar for any type of tape drive. However, there are some significant
differences in how the encryption keys are handled in the TS1120 compared to LTO4.
EKM uses both symmetric and asymmetric encryption to encrypt the data when writing and
reading to a TS1120 encryption-enabled tape drive. Figure 9-5 shows a summary of the
Figure 9-5 TS1120 encryption process
The process is:
1. When a scratch tape is first mounted, the tape drive communicates with the EKM to obtain
the key necessary to encrypt the data.
2. EKM generates a random symmetric data encryption key. This is a secret key. It is also
called the data key (DK) in EKM terminology. AES 256-bit encryption is used. The DK is
used to encrypt the clear text to form cipher text.
3. Key labels or aliases are associated with each tape drive that uses EKM. These key labels
are linked to public key certificates stored within the keystore.
4. The DK is wrapped with the public key that is associated with the tape drive's key label.
This public key is also called the key encryption key (KEK). The wrapped data key, along
with key label information about which private key is required to unwrap the symmetric
key, forms a digital envelope called an externally encrypted data key (EEDK) structure.
5. Both the EEDK and the wrapped DK are stored on the tape.
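The steps above are envelope encryption: a random symmetric DK protects the data, and only the DK is wrapped under the drive's asymmetric KEK and named by its key label. The following Go program is an added illustration of that flow and is not EKM's or the TS1120's code; the EEDK field layout, the use of AES-GCM for the data and RSA-OAEP for the wrap, and the key label string are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EEDK is the digital envelope written to tape: the DK wrapped under the drive's
// public KEK, plus the key label naming which private key can unwrap it
// (illustrative layout, not the TS1120 on-tape format).
type EEDK struct {
	KeyLabel  string
	WrappedDK []byte
}

// WriteEncrypted models the first mount of a scratch tape: EKM generates a random
// AES-256 DK, the drive encrypts with it (AES-GCM here), and the DK is wrapped
// with the KEK (RSA-OAEP here). It returns the EEDK and nonce||ciphertext.
func WriteEncrypted(kek *rsa.PublicKey, label string, clear []byte) (*EEDK, []byte, error) {
	buf := make([]byte, 32+12) // secret DK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	dk, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(dk) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nonce, nonce, clear, []byte(label)) // label bound as AAD
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dk, []byte(label))
	if err != nil {
		return nil, nil, err
	}
	return &EEDK{KeyLabel: label, WrappedDK: wrapped}, ct, nil
}

// ReadEncrypted models a later mount: EKM unwraps the EEDK with the private half
// of the KEK the label points to, and the drive decrypts (or appends) with the DK.
func ReadEncrypted(priv *rsa.PrivateKey, e *EEDK, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("tape record too short to hold a nonce")
	}
	dk, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedDK, []byte(e.KeyLabel))
	if err != nil {
		return nil, err // wrong private key for this label: the DK stays sealed
	}
	block, _ := aes.NewCipher(dk)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:12], ct[12:], []byte(e.KeyLabel))
}
```

The DK itself never leaves the program in the clear; a reader holding only the tape and the public KEK cannot recover it, which is the property the EEDK is there to provide.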
The same encryption key (also known as the data key or DK) is used if more data is later
appended to the same tape. It is then first read from the tape and used to encrypt the
Note: EKM code is required for enabling LME and SME with IBM TS1120 and LTO 4 Tape
Drives. At the time of writing, in order to run the Encryption Key Manager with HP-UX, Sun
Solaris, and Microsoft Windows, the IBM TotalStorage Productivity Center - Limited Edition
(TPC-LE) licensed program product 5608-VC6 is required.
TPC-LE is no longer available after February 8, 2008. It is replaced by IBM TotalStorage
Productivity Center - Basic Edition, licensed program product 5608-B01. TPC Basic
Edition includes the Encryption Key Manager code for HP-UX, Sun Solaris, and Microsoft
Windows. However, note that TPC Basic Edition is a chargeable program product,
whereas TPC-LE is a no-charge offering. Make sure to order TPC Basic Edition if you will
run EKM on HP-UX, Solaris, or Windows.