Virtual TapeServer 6.03.42 Installation Guide

Enabling SecureVTS
A virtual tape can be encrypted in several ways:
- It can be encrypted when it is created.
- It can be manually encrypted after it is created.
- It can be automatically encrypted when it is added to a pool that is designated as encrypted.
- It can be encrypted if the pool in which it resides is designated as encrypted.
Similarly, a virtual tape can be decrypted manually or when its pool is decrypted.
SecureVTS affects other tape operations as well:
Mounting, reading, and writing to an encrypted virtual tape
When an encrypted tape is mounted, VTS retrieves the key ID from the tape and uses the
ID to request the key from the key server that generated it. The key is then used to
decrypt the data as it is read from the tape. (The data remains encrypted on the tape.) If
VTS cannot retrieve a key, it will not mount the requested encrypted virtual tape. Also,
VTS cannot read or write to the tape without the key.
Exporting a virtual tape
An encrypted virtual tape is decrypted before it is exported. If you export a pool, the
virtual tapes remain intact and encrypted.
Migrating a virtual tape
An encrypted virtual tape is migrated as-is; that is, the data remains encrypted when it is
migrated to physical tape.
Compressing data
If enabled, compression occurs before encryption.
Updating metadata, timestamps, and file sizes
Every virtual tape stores header information called metadata, which is used by VTS to
retain an audit trail of information about the tape. When a tape is encrypted or decrypted,
the metadata is not modified.
The following timestamps are associated with virtual tapes: modify, access, and change.
The modify timestamp is not updated when a tape is encrypted or decrypted. However,
the access and change timestamps are updated when a tape is encrypted or decrypted.
Finally, when a virtual tape is encrypted, its file size changes because the key ID and
other encryption metadata are added to the virtual tape.
The SecureVTS.log file, which resides in /usr/local/tape/log/, stores an audit trail of all
encryption operations.
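
Added example (not part of the original guide or of VTS): a Python sketch that compares two stat snapshots of a virtual tape file and reports whether the change fits the encrypt/decrypt pattern described above (modify timestamp unchanged, change timestamp updated, file size changed). The names TapeStat, snapshot and classify are hypothetical, and treating a virtual tape as an ordinary file that can be inspected with os.stat is an assumption.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class TapeStat:
    """Point-in-time stat values for one virtual tape file (hypothetical helper)."""
    size: int
    mtime_ns: int   # modify: file data last written
    atime_ns: int   # access: file last read
    ctime_ns: int   # change: inode metadata last changed


def snapshot(path):
    """Record the size and the three timestamps the guide refers to."""
    st = os.stat(path)
    return TapeStat(st.st_size, st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns)


def classify(before, after):
    """Classify the difference between two snapshots of the same tape.

    The access timestamp is deliberately not required to move: on Linux,
    noatime/relatime mount options can suppress atime updates.
    """
    if before == after:
        return "unchanged"
    if after.mtime_ns != before.mtime_ns:
        # An encrypt/decrypt operation leaves the modify timestamp alone,
        # so a moved mtime means an ordinary write to the tape.
        return "data-modified"
    if after.ctime_ns != before.ctime_ns:
        if after.size != before.size:
            # Size changed while mtime was preserved: the pattern the guide
            # describes. Confirm against the SecureVTS.log audit trail.
            return "matches-encryption-pattern"
        return "attribute-change"   # e.g. permissions or ownership changed
    return "access-only"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real VTS system.
    base = TapeStat(size=1000, mtime_ns=10, atime_ns=10, ctime_ns=10)
    after = TapeStat(size=1064, mtime_ns=10, atime_ns=20, ctime_ns=20)
    print(classify(base, after))
```

A "matches-encryption-pattern" result with no corresponding entry in SecureVTS.log is worth investigating, because it means the file size changed while the modify timestamp was preserved by something other than a logged encryption operation.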