BackBox H4.00 Tape Encryption Option
Configuration
8 BackBox H4.00 Tape Encryption
The illustrations above show examples of the drive status of a media backup with the
current drive key context. Below are examples for the same media after renewal of the
drive encryption key.
Since media are usually written, read and rewritten by different tape drives
(especially true for virtual media), a Media Key Name will always be generated to
identify the encryption key of the media, regardless of which key generation policy
was used. Key management actions such as export, delete or query should be
performed using the Media Key Name.
KeyPerTape vs KeyPerDrive
The nature of tape media use is to hold different generations of data, such as
backups, for specific periods of time (retention).
The fact that the KeyPerTape policy generates a new key each time a virtual tape is
rewritten makes it the more secure option. If a virtual volume is tampered with, only
the data on that virtual volume is compromised, and the ESKM administrator can delete
the key to avoid a security breach. Key renewal is also performed automatically and
does not require manual intervention at the TAPE device level (i.e. there is no need
to STOP and ALTER the device).
The KeyPerDrive policy is less secure (but not insecure), since multiple virtual
volumes are all encrypted with the same key. Having one virtual volume tampered with
is therefore more critical: data on all virtual volumes encrypted with that key could
be compromised. Deleting that key, however, affects much more data, since none of the
other virtual volumes encrypted with that key would be retrievable thereafter.
We strongly recommend using the policy with less exposure: the KeyPerTape policy.
STORAGE - Status TAPE \NSBLDE4.$VTE400, ENCRYPTION
Media
KeyName.......... N7566B3CCLAB035D873833A969D0008_BBBBBBBB_1911112113
KeyAlgorithm..... GCM-AES
KeySize.......... 256
Drive
MasterKeyName.... N2108001086022114_S066666C1002541
KeyName.......... N2108001086022114_20111118134512
KeyAlgorithm..... GCM-AES
KeySize.......... 256
KeyGenPolicy..... KeyPerDrive
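As an added example (not code from the BackBox documentation or product), the Python below parses a STORAGE ENCRYPTION status listing like the one above into its Media and Drive fields, picks out the Media Key Name that key-management actions should use, and models with a constructed volume catalog how many volumes a single key protects under KeyPerTape versus KeyPerDrive, including the key renewal that a rewrite triggers under KeyPerTape. The field-parsing regex, the VolumeCatalog class, the key-name format it generates and the volume and drive names are assumptions made for this example.

```python
"""Parse a BackBox STORAGE ENCRYPTION listing and compare key-policy exposure."""
import re
from collections import defaultdict

# The status listing printed above, reused here as sample input (raw string,
# because the device name contains a backslash).
STATUS_OUTPUT = r"""
STORAGE - Status TAPE \NSBLDE4.$VTE400, ENCRYPTION
Media
KeyName.......... N7566B3CCLAB035D873833A969D0008_BBBBBBBB_1911112113
KeyAlgorithm..... GCM-AES
KeySize.......... 256
Drive
MasterKeyName.... N2108001086022114_S066666C1002541
KeyName.......... N2108001086022114_20111118134512
KeyAlgorithm..... GCM-AES
KeySize.......... 256
KeyGenPolicy..... KeyPerDrive
"""

# Assumed layout of a field line: name, a run of dots, then the value.
FIELD_RE = re.compile(r"^(\w+)\.{2,}\s*(\S.*)$")


def parse_status(text):
    """Return {'Media': {...}, 'Drive': {...}} from a STORAGE ENCRYPTION listing."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("STORAGE"):
            continue                      # blank line or the command banner
        m = FIELD_RE.match(line)
        if m is None:
            current = line                # a section header such as "Media" or "Drive"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"field before any section header: {line!r}")
        sections[current][m.group(1)] = m.group(2)
    return sections


def key_for_management(status):
    """Export/delete/query must target the Media Key Name, not the drive's key,
    because the media may have been written and read by different drives."""
    return status["Media"]["KeyName"]


class VolumeCatalog:
    """Constructed model of which encryption key currently protects each volume."""

    def __init__(self):
        self.key_of = {}                  # volume name -> key name protecting it
        self._serial = 0

    def _new_key(self, prefix):
        self._serial += 1
        return f"{prefix}_{self._serial:04d}"     # constructed key-name format

    def write(self, volume, drive_key, policy):
        """Record a (re)write of `volume` by a drive whose current key is `drive_key`."""
        if policy == "KeyPerTape":
            key = self._new_key(volume)   # fresh key every time the tape is rewritten
        elif policy == "KeyPerDrive":
            key = drive_key               # every volume this drive writes shares its key
        else:
            raise ValueError(f"unknown KeyGenPolicy {policy!r}")
        self.key_of[volume] = key
        return key

    def affected_by_key_loss(self, key):
        """Volumes that become unreadable if `key` is deleted (or compromised)."""
        return sorted(v for v, k in self.key_of.items() if k == key)

    def worst_case_exposure(self):
        """Largest number of volumes tied to any single key."""
        counts = defaultdict(int)
        for k in self.key_of.values():
            counts[k] += 1
        return max(counts.values(), default=0)


def compare_policies(volumes=("VOL001", "VOL002", "VOL003"), drive_key="DRIVEKEY_A"):
    """Worst-case volumes lost per deleted key under each policy (constructed data)."""
    result = {}
    for policy in ("KeyPerTape", "KeyPerDrive"):
        catalog = VolumeCatalog()
        for vol in volumes:
            catalog.write(vol, drive_key, policy)
        catalog.write(volumes[0], drive_key, policy)   # one tape is later rewritten
        result[policy] = catalog.worst_case_exposure()
    return result


if __name__ == "__main__":
    status = parse_status(STATUS_OUTPUT)
    print("manage this key:", key_for_management(status))
    print("drive policy:", status["Drive"]["KeyGenPolicy"])
    print("worst-case volumes per key:", compare_policies())
```

With the constructed three-volume catalog the worst case is one volume per key under KeyPerTape and all three under KeyPerDrive, which is the exposure difference the text describes; a rewrite under KeyPerTape also leaves the tape's previous key protecting nothing, so it can be deleted without affecting any other volume.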