Manualshelf

BackBox H4.00 Tape Encryption Option

ManualsBrandsHP ManualsServerHP Integrity NonStop H-Series
12345678910
Configuration
3 BackBox H4.00 Tape Encryption
BackBox VTC encryption characteristics
The BackBox VTC tape emulation performs block level encryption. Block level
encryption permits compression of each clear block of data before encrypting it. This
improves the utilization of the storage while keeping the data-at-rest secure.
The BackBox tape emulation implements IEEE P1619.1 standard for tape-based
encryption using the Advanced Encryption Standard algorithm and the Galois
Counter Mode (known as AES-GCM) algorithm.
The AES encryption algorithm uses a secret key. It is suitable for block mode
encryption and has optional key lengths of 164, 192, and 256 bits. BackBox tape
emulation encryption implementation uses a 256-bit key.
The GCM provides an authentication algorithm that allows computing 16 bytes MAC
for each tape block encrypted. This gives strong authentication that ensures block
integrity.
The BackBox tape emulation software encryption can take advantage of Intel
processor AES-NI instruction set, when available, to accelerate execution of the AES
algorithm and reduces the CPU load when encrypting/decrypting data.
Key Manager Server
As mentioned above, BackBox tape emulation encryption implementation uses a 256
bit key to encrypt or decrypt data. The key must be secured in a Key Manager server
and must be available for the lifetime of the data stored in the virtual media.
The privacy of the data depends on the security of the key.The Key Manager server
protects access to keys by allowing only authenticated users. Once both server and
user digital certificate are authenticated by a certificate authority (CA), a secure
communication channel (using TLS/SSL) is established between the server and the
client making any exchange private.
The Key Manager server can take care of huge number of keys. This permits sharing
the key management infrastructure between NonStop systems and other platforms
to take advantage of infrastructure investment and minimize management costs,
since they would be shared. There is no need for a separate infrastructure to
generate, store and protect tape volume keys for BackBox.
BackBox currently supports these two kinds of Key Manager servers:
the HP Enterprise Security Key Manager (ESKM)
any Key Manager server compatible to the OASIS Key Management
Interoperability Protocol (KMIP) standard
In the BackBox configuration, Key Managers server can be defined as distinct logical
views with different configurations depending on the type of client interfacing the
Key Manager.
Each view is identified by an arbitrary Key Manager ID used by the BackPak
domains. A view contains:
general information such as the server type (ESKM or KMIP), its IP port and
address(es), common Clients attributes such as the possible connected Client
type and the Local group