Virtual TapeServer 8.0 Configuration Guide

59
Enabling and Configuring Data Encryption
Data Encryption is an optional Virtual TapeServer (VTS) licensed feature that enables VTS to
encrypt data that is stored on virtual tape. Here is how Data Encryption affects tape
operations:
When an encrypted tape is mounted, the data that is written to the tape is encrypted. You
can also instruct VTS to encrypt data that is already stored on a virtual tape if the tape is
not encrypted.
When VTS exports an encrypted virtual tape to a physical tape using tape-to-tape export,
the data remains encrypted if VTS is configured for this and all drives in the physical
library support encryption. Otherwise, VTS decrypts the data before it is exported.
When data is imported (restored) from a physical tape, the data is encrypted if the target
virtual tape is encrypted.
When VTS migrates an encrypted virtual tape to a physical tape (through the use of
Stacked Exports), the data remains encrypted as it is migrated.
Note: Data Encryption protects data at rest. It does not protect or secure the VTS server.
At a glance, here is how you enable, configure, and use Data Encryption:
To enable and configure:
Enable Data Encryption licensing and then add a remote key database backup host. This
chapter provides configuration information.
To use:
Encrypt virtual tapes as described in Encrypting and decrypting virtual tapes on page 70.
Then, write data to virtual tapes from the host server.
To decrypt or restore data:
Decrypt virtual tapes as described in Encrypting and decrypting virtual tapes on page 70.
Also, data is decrypted as it is read by the host server. You can also restore a key database
or restore all Data Encryption settings from a Disaster Recovery site as described in
Restoring Data Encryption on page 172.
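The key-handling model this chapter describes (a 256-bit AES-CBC key per virtual tape drawn from a random number generator, held encrypted in the key server's key database, and looked up by the key ID that is stored with the tape) can be followed end to end in a small Go program. The code below is an added illustration, not VTS code: the 64-bit hex key-ID format, PKCS#7 padding, the IV-prefixed ciphertext layout and the single key-encryption-key (KEK) wrapping layer are assumptions made for this example, and the tape record is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// KeyDatabase stands in for the embedded key server's store: tape keys are held
// wrapped under a KEK (one wrapping layer is an assumption made for this example).
type KeyDatabase struct {
	kek     []byte
	wrapped map[string][]byte // key ID -> wrapped 256-bit tape key
}
type EncryptedTape struct {
	KeyID string // stored with the tape, as the guide describes
	Data  []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { // OS CSPRNG; a key server cannot continue without it
		panic(err)
	}
	return b
}
func NewKeyDatabase() *KeyDatabase {
	return &KeyDatabase{kek: randomBytes(32), wrapped: map[string][]byte{}}
}

// cbcEncrypt returns IV||ciphertext: AES-256-CBC, PKCS#7 padding, fresh IV per call.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	iv := randomBytes(aes.BlockSize)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// cbcDecrypt reverses cbcEncrypt and rejects malformed lengths or padding.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad ciphertext length %d", len(data))
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding")
	}
	return out[:len(out)-pad], nil
}

// WriteTape generates a fresh 256-bit key and key ID (the 64-bit hex ID format is
// assumed), stores the key wrapped under the KEK, and encrypts the data under it.
func (db *KeyDatabase) WriteTape(plaintext []byte) (*EncryptedTape, error) {
	key, id := randomBytes(32), hex.EncodeToString(randomBytes(8))
	wrapped, err := cbcEncrypt(db.kek, key)
	if err != nil {
		return nil, err
	}
	db.wrapped[id] = wrapped
	ct, err := cbcEncrypt(key, plaintext)
	if err != nil {
		return nil, err
	}
	return &EncryptedTape{KeyID: id, Data: ct}, nil
}

// ReadTape uses the key ID stored with the tape to fetch and unwrap its key;
// a key ID missing from the database means the tape cannot be read.
func (db *KeyDatabase) ReadTape(t *EncryptedTape) ([]byte, error) {
	wrapped, ok := db.wrapped[t.KeyID]
	if !ok {
		return nil, fmt.Errorf("key ID %s not in key database", t.KeyID)
	}
	key, err := cbcDecrypt(db.kek, wrapped)
	if err != nil {
		return nil, err
	}
	return cbcDecrypt(key, t.Data)
}
func main() {
	db := NewKeyDatabase()
	tape, _ := db.WriteTape([]byte("constructed tape record: nightly backup")) // constructed sample
	back, _ := db.ReadTape(tape)
	fmt.Printf("key ID %s, %d ciphertext bytes, read back %q\n", tape.KeyID, len(tape.Data), back)
}
```

The failure case is the one that matters operationally: a server holding the tape but not the key database (a second `NewKeyDatabase()` in this model, or a rebuilt VTS at a Disaster Recovery site) has the key ID yet cannot resolve it, so the data is unreadable. That is why the configuration steps above pair enabling the license with adding a remote key database backup host, and why restoring the key database is part of the recovery procedure.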
Overview of Data Encryption
When Data Encryption is enabled on a VTS server, the embedded key server can be
configured to generate keys for encrypting virtual tapes. VTS uses symmetric key encryption
to secure data written to tape. This encryption is based on Advanced Encryption Standard-
Cipher Block Chaining (AES-CBC) and uses 256-bit keys provided by a random number
generator. When a key is generated, its key ID is stored with the encrypted virtual tape. The
key is stored in a key database on the server that generated it, and each key is encrypted
multiple times before being stored. When data on a virtual tape must be decrypted, VTS uses
the key ID to retrieve the key from the key database. Storing the key ID with the tape and the