BackBox H4.00 Tape Encryption Option
Configuration
12 BackBox H4.00 Tape Encryption
The Key manager ID is a logical identifier that becomes important when there are
more than one operational Key Manager server in a site and for D/R operations
where three duplications are to be managed:
• The replication of encrypted virtual volumes
• The replication of catalogs (BackPak, DSM/TC and TMF catalogs).
Notice the Key Manager ID that is an arbitrary BackPak ID, is part of the
BackPak replicated catalogue; Key Manager IDs must be planned from an
enterprise point of view.
• The replication of keys from Key Manager server of the primary to Key
Manager server on the secondary site
Once the system is configured, encryption functionality is totally transparent and
automated. Upon a NonStop tape mount request to mount a volume from an
encrypted Volume Group is recognized, the BackPak Domain will find a free virtual
tape drive connected to this NonStop system that allowed to received the encryption
key from the Key Manager server (via the appropriate Key Manager client) and
access the storage location of the virtual volume.
When the virtual device is found, the BackPak Domain will request it to load the
volume and put it online. Once volume online, a request will be emit, over a secure
TLS/SLL session between the Key Manager server/client, to obtain the encryption
key (identify by the Encryption Key ID) needed by the virtual tape device to encrypt
or decrypt the virtual tape volume data.
Note: When error related to encryption happen, any attempt to use the drives will
fail with Error 101 (“tape is write protected”) and descriptive message should be log
into EMS. In such case, refer to the BackPak Troubleshooting and Messages
Manual and the Guardian Procedure Errors and Messages Manual HP Part
Number: 522628.
It is possible to see that encryption/decryption is occurring while a tape is being
written/read by looking at the BackBox UI status page, which contains a column that
displays Encryption/Decryption status for each drive.