BackBox H4.00 Tape Encryption Option

Configuration
The HP ESKM server generates and stores the keys, usually in a cluster of ESKM
servers that replicate the keys to each other. The ESKM clusters can be split across
multiple sites for site diversity.
Each Storage CLIM with the VLE option implements an ESKM client that obtains keys
from the HP ESKM and forwards them to the devices through the T10 SCSI Security
Protocol command set that manages “encryption aware” tape devices.
The BackBox tape emulation implements the T10 SCSI Security Protocol command
set to integrate enterprise-class key management appliances. When emulating LTO 4
tape drives, BackBox virtual tape devices notify the CLIM that they can be used for
encryption.
In the BackBox configuration, the CLIM and LTO 4 tape emulation configured for VLE
usage are named a VLE-CLIM client and must be assigned to an ESKM Key manager ID
with Client type set to “VLE INTEROPERABILITY”.
All LTO 4 virtual tape devices configured for VLE are dedicated to
encryption/decryption. Only the LTO 4 media type can be presented to the
Storage CLIM and $ZSRV server in VLE encryption mode.
When attaching a VLE-CLIM Client to a Key Manager ID, we must identify the list of
CLIMs that can be used to reach the ESKM server.
Encryption key rotation frequency is based on the VLE key generation policy
(KeyPerTape or KeyPerDrive) set in SCF.
VLE key generation policy
When an LTO 4 tape drive is configured as an encryption device, VLE records a Drive
encryption context for it. This context holds information such as the MasterKeyName
(which identifies the tape drive by the tape drive identifier and the number of the
CLIM it connects to), the encryption algorithm used by the tape drive, the key size
needed by the tape drive and the key generation policy: KeyPerTape or KeyPerDrive.
To work with VLE, most of the BackBox encryption configuration consists of making
LTO 4 tape drives available to NonStop systems and enabling VLE in the NonStop
environment.