110 IBM Tivoli Storage Manager Versions 5.4 and 5.5 Technical Guide
Begin Reclaim Period:
End Reclaim Period:
Drive Encryption Key Manager: Tivoli Storage Manager
7. You can also verify the status of the tape from the Tape Library Specialist. Select Monitor
Library Inventory and expand the Cartridge details panel for the magazine where
your tape is located. The panel shown in Figure 9-4 confirms that our tape volume is
Figure 9-4 Inventory details confirming tape is encrypted in TS3200
9.4 Install and configure EKM
EKM is a Java-based application for performing key management. It is used for cryptographic
key management when the backup application is not performing this function within the actual
application. That is, EKM is required for IBM tape encryption using SME and LME, but not for
At the time of writing, a small list of vendors is offering applications that can work with LME,
SME, or both encryption methods. For details, see the independent software vendor (ISV)
matrix for LTO referenced in the introduction.
We describe the encryption methods with EKM using Tivoli Storage Manager.
Encryption Key Manager (EKM) software
EKM can be downloaded from:
At the time of writing, EKM is supported on z/OS, i5/OS, AIX, Linux, HP-UX, Sun Solaris, and
Windows. You will find downloadable versions for all operating systems at this Web site. You
can also obtain information relating to prerequisites and dependencies at the Web site.
Note: With AME, the data keys that pertain to encrypted tapes are stored within the Tivoli
Storage Manager database. It is important to keep the Tivoli Storage Manager database in
a secure environment. Ideally, Tivoli Storage Manager database backup tapes also need
to be kept separately from the data tapes, so that data is not compromised even if the
Tivoli Storage Manager database is stolen. See IBM Tivoli Storage Manager: Building a
Secure Environment, SG24-7505, for more information about security considerations.
Chapter 9. Tape data encryption 111
Basically, encryption is similar for any type of tape drive. However, there are some significant
differences in how the encryption keys are handled in the TS1120 compared to LTO4.
EKM uses both symmetric and asymmetric encryption to encrypt the data when writing and
reading to a TS1120 encryption-enabled tape drive. Figure 9-5 shows a summary of the
Figure 9-5 TS1120 encryption process
The process is:
1. When a scratch tape is first mounted, the tape drive communicates with the EKM to obtain
the key necessary to encrypt the data.
2. EKM generates a random symmetric data encryption key. This is a secret key. It is also
known as the data key (DK) in EKM terminology. AES 256-bit encryption is used. The DK is
used to encrypt the clear text and form cipher text.
3. Key labels or aliases are associated with each tape drive that uses EKM. These key labels
are linked to public key certificates stored within the keystore.
4. The DK is wrapped with the public key that is associated with the tape drive's key label.
This public key is also called the key encryption key (KEK). The wrapped data key, along
with key label information about which private key is required to unwrap the symmetric
key, forms a digital envelope called an externally encrypted data key (EEDK) structure.
5. Both the EEDK and the wrapped DK are stored on the tape.
The same encryption key (also known as the data key or DK) is used if more data is later
appended to the same tape. It is then first read from the tape and used to encrypt the
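The five-step digital-envelope process above, worked through as an added Go example (this is not code from the Redbook, from EKM or from the tape drive firmware). It assumes RSA-OAEP as the wrapping algorithm, AES-256-GCM as the data cipher, a plain map standing in for the EKM keystore, and a constructed key label TS1120_DRIVE_01; the function names (WriteScratchTape, Append, ReadTape, UnwrapDK) are likewise invented for the illustration. It goes slightly beyond the text by also showing what happens when the cartridge is read without the matching private key, and when a stored block has been altered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EEDK is the externally encrypted data key structure stored on the tape: the DK
// wrapped under the drive's public key (KEK) plus the key label naming the private key.
type EEDK struct {
	KeyLabel  string
	WrappedDK []byte
}

// TapeRecord is what lands on the cartridge: the EEDK plus one AES-256-GCM block per write.
type TapeRecord struct {
	Envelope EEDK
	Blocks   [][]byte
}

// Keystore stands in for EKM's keystore (hypothetical: key label -> key pair).
type Keystore map[string]*rsa.PrivateKey

// must panics on failures a demo cannot handle (no entropy); key errors are returned instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewDriveKey makes a throwaway RSA pair standing in for the drive's certificate key pair.
func NewDriveKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// seal encrypts one block under the DK (32 bytes selects AES-256) with a fresh nonce prepended.
func seal(dk, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(dk))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// UnwrapDK is the mount-time step: only the private key named by the label recovers the DK.
func UnwrapDK(ks Keystore, e EEDK) ([]byte, error) {
	priv, ok := ks[e.KeyLabel]
	if !ok {
		return nil, fmt.Errorf("no private key for key label %q", e.KeyLabel)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedDK, []byte(e.KeyLabel))
}

// WriteScratchTape follows steps 1-5: random 256-bit DK, data encrypted under it, DK wrapped
// under the KEK (the key label doubles as the OAEP label), EEDK written beside the ciphertext.
func WriteScratchTape(kek *rsa.PublicKey, keyLabel string, data []byte) *TapeRecord {
	dk := make([]byte, 32)
	must(rand.Read(dk))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dk, []byte(keyLabel)))
	return &TapeRecord{Envelope: EEDK{KeyLabel: keyLabel, WrappedDK: wrapped}, Blocks: [][]byte{seal(dk, data)}}
}

// Append reuses the tape's DK: the EEDK is read back, unwrapped, and new data encrypted under it.
func Append(ks Keystore, tape *TapeRecord, data []byte) error {
	dk, err := UnwrapDK(ks, tape.Envelope)
	if err != nil {
		return err
	}
	tape.Blocks = append(tape.Blocks, seal(dk, data))
	return nil
}

// ReadTape unwraps the DK once and decrypts every block; a wrong DK or altered block fails the tag check.
func ReadTape(ks Keystore, tape *TapeRecord) ([][]byte, error) {
	dk, err := UnwrapDK(ks, tape.Envelope)
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(dk))))
	out := make([][]byte, len(tape.Blocks))
	for i, b := range tape.Blocks {
		n := gcm.NonceSize()
		if out[i], err = gcm.Open(nil, b[:n], b[n:], nil); err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
	}
	return out, nil
}

func main() {
	ks := Keystore{"TS1120_DRIVE_01": NewDriveKey()}
	tape := WriteScratchTape(&ks["TS1120_DRIVE_01"].PublicKey, "TS1120_DRIVE_01", []byte("backup set 1"))
	fmt.Println("append error:", Append(ks, tape, []byte("backup set 2")))
	fmt.Printf("recovered: %q\n", must(ReadTape(ks, tape)))
	_, err := ReadTape(Keystore{}, tape) // no matching private key: unwrap fails
	fmt.Println("read without the drive's private key:", err)
}
```

The point the example makes concrete is the one the Note about the Tivoli Storage Manager database also makes: the tape carries only ciphertext and the wrapped DK, so a cartridge is worthless to anyone who does not hold the private key behind the key label, and the private keys in the EKM keystore are therefore the asset to protect and back up separately.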
Note: EKM code is required for enabling LME and SME with IBM TS1120 and LTO 4 Tape
Drives. At the time of writing, in order to run the Encryption Key Manager with HP-UX, Sun
Solaris, and Microsoft Windows, the IBM TotalStorage Productivity Center - Limited Edition
(TPC-LE) licensed program product 5608-VC6 is required.
TPC-LE is no longer available after February 8, 2008. It is replaced by IBM TotalStorage
Productivity Center - Basic Edition, licensed program product 5608-B01. TPC Basic
Edition includes the Encryption Key Manager code for HP-UX, Sun Solaris, and Microsoft
Windows. However, note that TPC Basic Edition is a chargeable program product,
whereas TPC-LE is a no-charge offering. Make sure to order TPC Basic Edition if you will
run EKM on HP-UX, Solaris, or Windows.