BackBox H4.00 Tape Encryption Option
Configuration
• Usage of encryption is not restricted to LTO 4 media type. LTO 3 and
CART3480 can also be used.
• The VTC Client uses the KeyPerTape method when requesting a new key, even
when the KeyPerDevice key generation policy is used for VLE-managed LTO 4
devices.
A VTC Client can be assigned to an ESKM or KMIP Key manager ID when the Client
type is set to “VTC ONLY”:
• In this mode, the BackPak key naming convention is used:
BBOX_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_AAAAAAAAAAAA
• Encrypted virtual volumes can be accessed from any type of NonStop
node.
• The VTC Client can be used by any available virtual tape drive. Virtual tape
drives are not dedicated to encryption (except LTO 4 configured for VLE).
• Usage of encryption is not restricted to LTO 4 media type. LTO 3 and
CART3480 can also be used.
• When the data retention date of a volume expires, the encrypted data still
remains on it. A simple way to make sure expired encrypted data cannot be
recovered is to delete the associated encryption key from the Key
Manager server. This keeps the data private even if expired data
can be found in several copies (on a DR site, vault in Backup Enterprise,
etc.). The VTC Client can help automate the deletion of encryption keys when
data expires: it can request the Key Manager server to delete the old key
when a virtual tape volume is SCRATCHED by rewriting data, or when expired
volumes are freed by the daily cleanup job (OBB017). See the job description
in the “Operations” section of this manual.
• It is also possible to virtualize and encrypt data of unencrypted legacy
physical tape media.
• Each virtual volume is encrypted with a different key, and the key is rotated
each time the volume is rewritten (same as VLE KeyPerTape).
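
The per-volume key rotation and the key deletion on scratch or expiry described in the list above can be modeled as follows. This is an added example, not BackBox code: the KeyManager and VolumeCatalog classes, the KEY_ names and the HMAC-based stand-in cipher are all assumptions made for illustration.

```python
import hashlib, hmac, secrets
from datetime import date

class KeyManager:
    """Hypothetical in-memory stand-in for an ESKM/KMIP key manager server."""
    def __init__(self):
        self._keys = {}
    def create(self):
        key_id = "KEY_" + secrets.token_hex(6).upper()  # constructed name, not BackPak's
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id
    def get(self, key_id):
        return self._keys[key_id]        # raises KeyError once the key is deleted
    def delete(self, key_id):
        self._keys.pop(key_id, None)

def stream_xor(key, data):
    """Stand-in cipher (HMAC-SHA256 keystream); not the product's algorithm."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class VolumeCatalog:
    def __init__(self, km):
        self.km, self.volumes = km, {}
    def write(self, label, data, expires):
        """(Re)write a volume: new key every time; rewriting scratches the old key."""
        old = self.volumes.get(label)
        key_id = self.km.create()
        blob = stream_xor(self.km.get(key_id), data)
        self.volumes[label] = {"key_id": key_id, "expires": expires}
        if old:
            self.km.delete(old["key_id"])
        return key_id, blob              # what an off-site copy would hold
    def daily_cleanup(self, today):
        """Free expired volumes and delete their keys (models the cleanup job)."""
        freed = [l for l, v in self.volumes.items() if v["expires"] < today]
        for label in freed:
            self.km.delete(self.volumes.pop(label)["key_id"])
        return freed

def read_copy(km, key_id, blob):
    """Decrypt any copy of a volume; fails if its key is gone from the key manager."""
    return stream_xor(km.get(key_id), blob)
```

Once the key is deleted, read_copy fails for every copy of the ciphertext, wherever that copy is stored, which is why key deletion covers DR and vault copies that cannot be overwritten directly.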










