Nonstop Volume Level Encryption Guide

it to the drive. The CLIM does not perform the encryption or decryption of tape data. Tape encryption
always uses the GCM-AES algorithm with a 256-bit key.
Tape encryption keys may be generated per drive (KEYPERDRIVE) or per tape media (KEYPERTAPE).
KEYPERDRIVE means that all tapes that are written by the tape drive will use the same encryption
key. KEYPERTAPE means that each tape that is written by the tape drive will use a unique encryption
key. An encrypted tape drive can read tapes that were written with either key generation policy.
An encrypted tape drive can read non-encrypted tapes. A non-encrypted tape drive can only read
non-encrypted tapes.
This table shows whether encryption can be performed on different combinations of tape drive, tape
media, and CLIM. Encryption requires an encrypted CLIM, an LTO-4 or later drive, and LTO-4 or later
media; any other combination reads and writes without encryption.

Tape Drive         LTO-3            LTO-4            LTO-4            LTO-5
Tape Media         LTO-2/LTO-3      LTO-3            LTO-4            LTO-4/LTO-5

Unencrypted CLIM   Read/Write,      Read/Write,      Read/Write,      Read/Write,
                   no encryption    no encryption    no encryption    no encryption

Encrypted CLIM     Read/Write,      Read/Write,      Read/Write,      Read/Write,
                   no encryption    no encryption    encryption       encryption
Encrypting tape data
To encrypt tape data, follow this procedure:
1. Use the SCF STOP TAPE command to stop the drive.
2. Use the ALTER TAPE, KEYGENPOLICY key-gen-policy command to set the key generation
policy to KEYPERTAPE or KEYPERDRIVE.
3. Issue a START TAPE command to start the drive.
4. Issue the STATUS TAPE, ENCRYPTION command and verify that the tape drive is encrypted:
1-> STATUS $VJTP1, ENCRYPTION
STORAGE Status TAPE \JUN01.$VJTP1, ENCRYPTION
Media
Not present or encryption status unknown
Drive
MasterKeyName.... N500110A00102EF9E
KeyAlgorithm..... GCM-AES
KeySize.......... 256
KeyGenPolicy..... KeyPerTape
The Media section reads "Not present or encryption status unknown" when no tape is loaded in the
drive. Verify that KeyGenPolicy shows the expected value and that KeyAccess is OK.
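When many drives are configured, checking each STATUS TAPE, ENCRYPTION display by eye does not
scale. The following Python script is an added example, not part of this guide or of the NonStop
software: it parses the display format shown above and flags drives whose reported policy,
algorithm, or key size differ from what is expected. It assumes the multi-drive output follows the
layout of the single sample above (one "STORAGE Status TAPE ..., ENCRYPTION" header per drive,
followed by a Media section and a Drive section of "Name.... value" lines). The sample text is
constructed; $VJTP2 and $VJTP3 are hypothetical drive names, and the empty Drive section of $VJTP3
exists only to exercise the missing-attribute path, not to claim how SCF displays an unencrypted drive.

```python
"""Audit SCF 'STATUS TAPE ..., ENCRYPTION' output for drives that do not match the
expected tape encryption policy.  Added example; output layout is assumed from the
single sample in the guide."""
import re
from dataclasses import dataclass, field

# Constructed sample, as if the display for several drives had been written to a
# file.  $VJTP2 and $VJTP3 are hypothetical; $VJTP3's empty Drive section is
# constructed to exercise the missing-attribute path.
SAMPLE_OUTPUT = """\
STORAGE Status TAPE \\JUN01.$VJTP1, ENCRYPTION
Media
Not present or encryption status unknown
Drive
MasterKeyName.... N500110A00102EF9E
KeyAlgorithm..... GCM-AES
KeySize.......... 256
KeyGenPolicy..... KeyPerTape
STORAGE Status TAPE \\JUN01.$VJTP2, ENCRYPTION
Media
Not present or encryption status unknown
Drive
MasterKeyName.... N500110A00102EF9E
KeyAlgorithm..... GCM-AES
KeySize.......... 256
KeyGenPolicy..... KeyPerDrive
STORAGE Status TAPE \\JUN01.$VJTP3, ENCRYPTION
Media
Not present or encryption status unknown
Drive
"""

HEADER_RE = re.compile(r"^STORAGE Status TAPE (\S+), ENCRYPTION\s*$")
# "MasterKeyName.... N500110A00102EF9E" -> ("MasterKeyName", "N500110A00102EF9E")
ATTR_RE = re.compile(r"^(\w+)\.{2,}\s*(.*?)\s*$")


@dataclass
class DriveStatus:
    name: str
    media: str = ""
    drive: dict = field(default_factory=dict)


def parse_status(text):
    """Split the display into one DriveStatus per 'STORAGE Status TAPE' header."""
    drives, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = DriveStatus(name=m.group(1))
            drives.append(current)
            section = None
            continue
        if current is None:
            continue  # text before the first header is ignored
        if line == "Media":
            section = "media"
        elif line == "Drive":
            section = "drive"
        elif section == "media":
            current.media = (current.media + " " + line).strip()
        elif section == "drive":
            m = ATTR_RE.match(line)
            if m:
                current.drive[m.group(1)] = m.group(2)
    return drives


def audit(drives, expected_policy="KeyPerTape"):
    """Return {drive name: [problems]}; an empty list means the drive is compliant.

    The guide states tape encryption always uses GCM-AES with a 256-bit key, so
    any other reported value is treated as an anomaly worth investigating."""
    findings = {}
    for d in drives:
        problems = []
        policy = d.drive.get("KeyGenPolicy")
        if policy is None:
            problems.append("no encryption attributes reported")
        else:
            if policy.lower() != expected_policy.lower():
                problems.append(f"KeyGenPolicy is {policy}, expected {expected_policy}")
            if d.drive.get("KeyAlgorithm") != "GCM-AES":
                problems.append(f"KeyAlgorithm is {d.drive.get('KeyAlgorithm')}, expected GCM-AES")
            if d.drive.get("KeySize") != "256":
                problems.append(f"KeySize is {d.drive.get('KeySize')}, expected 256")
        findings[d.name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(parse_status(SAMPLE_OUTPUT)).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run the script against a file captured from SCF instead of SAMPLE_OUTPUT to list every drive that
is not set to the policy your site standard requires; a drive reporting no attributes at all should
be checked by hand, since the script cannot tell an unencrypted drive from a truncated display.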
Changing tape drive keys
To create a new encryption key for a drive whose KEYGENPOLICY is set to KEYPERDRIVE, follow
this procedure:
1. Use the SCF STOP TAPE command to stop the drive.
2. Use the ALTER TAPE, NEWENCRYPTKEY command. The next tapes written will use the new
key.
3. Issue a START TAPE command to start the drive.
Moving tape drives
If you want to move encrypted tape drives between two systems with different ESKM clusters (for
instance, from a test system to a production system), you must export the tape drive's key and move
it to the other cluster. Use the ESKM Backup and Restore method to move the key. A restored key is
not automatically synchronized to the other cluster members. You must either restore the key on
each of the ESKM members within the cluster, or perform a "Synchronize Cluster" operation to
propagate the key to the other members of the cluster.