212 Implementing IBM Tape in i5/OS
Two sets of keys can be stored on a 3592 tape cartridge, so you can specify your partner’s
public key certificate as the second key label. Depending on your encryption policy, you
specify it either in your EKM configuration file if using default key labels, in the drive table
entries, or in your Barcode Encryption Policy defined on the TS3500 or 3494 library. In this
way, you enable only your selected partner who owns the corresponding private key to read
your 3592 cartridges newly written with encryption from beginning of tape (BOT).
To share 3592 cartridges that already contain encrypted data, re-key them via the
IBM Tape Library Specialist Web GUI as described in “Re-keying encrypted 3592 cartridges”
on page 255.
To export certificates for redundancy or disaster recovery from an i5/OS keystore to an EKM
keystore on a platform other than i5/OS, consider that the i5/OS DCM exports certificates in
the PKCS 12 version 3 file format. Therefore, the target keystore must support the same
format, or the exported certificate file has to be converted, for example, by using the
OpenSSL open-source utility.
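The conversion step with OpenSSL, as an added example that is not part of the Redbook: it extracts the certificate from a PKCS#12 (version 3) export into PEM for a keystore that cannot read PKCS#12 directly. The file names and the import password are assumptions, and the input PKCS#12 file is constructed locally from a throwaway self-signed certificate in place of a real DCM export.

```shell
#!/bin/sh
# Added example (not from the Redbook): convert a PKCS#12 v3 certificate export,
# as produced by the i5/OS DCM, into PEM so a non-i5/OS EKM keystore can import it.
set -e

WORK="${TMPDIR:-/tmp}/ekm-p12-demo.$$"
mkdir -p "$WORK"

make_test_p12() {
  # Construct a throwaway key and self-signed certificate that stands in for the
  # certificate exported from DCM; the password "changeit" is an assumed value.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=tape-partner-test" \
    -keyout "$WORK/test-key.pem" -out "$WORK/test-cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/test-cert.pem" -inkey "$WORK/test-key.pem" \
    -name ekm-partner -passout pass:changeit -out "$WORK/dcm-export.p12"
}

convert_p12_to_pem() {
  # $1 = PKCS#12 file, $2 = its import password, $3 = output PEM file.
  # -nokeys keeps the private key out of the output: a partner who is to read your
  # 3592 cartridges only needs the certificate/public key, never the private key.
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3"
}

cert_subject() {
  # Show the subject of the converted certificate so it can be checked before import.
  openssl x509 -in "$1" -noout -subject
}

# Typical next step on the target platform (assumed, not run here): import the PEM
# into the EKM keystore with the Java keytool, e.g.
#   keytool -importcert -alias ekm-partner -file partner-cert.pem -keystore <EKM keystore>
```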
Sharing encrypted LTO4 tape cartridges
The single-layer symmetric encryption algorithm used for LTO4 tape drive encryption limits
the possibilities for sharing encrypted LTO4 cartridges.
You can always provide the partner the symmetric key certificate that was used for a specific
encrypted LTO4 cartridge. The EKM audit metadata XML file specified in the EKM
configuration file provides the information about which symmetric key was used for a specific
cartridge volume serial number (see “Example of the EKM audit metadata XML file” on
However, sharing your symmetric data key implies the security risk that anyone else getting
hold of it would be able to read your LTO4 cartridges that were encrypted with this same data
key. It is possible to create a set of symmetric keys in the EKM keystore to be used across the
pool of LTO4 cartridges. However, this serves to increase security rather than to share
cartridges with partners, because there is no control over which key alias from this set is used
for a specific LTO4 cartridge serial number.
With the IBM TS3500 Tape Library, a feasible workaround that avoids sharing your own
symmetric data keys might be to define a dedicated data key within a Barcode Encryption
Policy for an LTO4 cartridge serial number range to be shared with the partner. Then you use a
tool to send the symmetric key to your partner using asymmetric keys. The partner sends the
certificate and public key to you, and you use the public key to encrypt the symmetric data
7.2.7 Implementation prerequisites
Before starting with the implementation steps described in detail in 7.3, “Installing the
Encryption Key Manager on i5/OS” on page 213 and 7.4, “Setup and usage of tape
encryption with i5/OS” on page 217, make sure that the following conditions are true:
All hardware and software prerequisites described in 7.2.1, “Hardware prerequisites” on
page 206 and 7.2.2, “Software prerequisites” on page 207 are met.
Note: Existing encrypted 3592 tape cartridges continue to use their EEDK1 and EEDK2
originally stored with the first write on the cartridge even if the EKM encryption policy is