Virtual TapeServer 8.0 Configuration Guide
64 | Enabling and Configuring Data Encryption
Prerequisites for configuration
Before you begin, ensure the connection between the host and VTS servers is secure, and then 
ensure the connection between the VTS server and the physical drive or library is secure if 
you want to export encrypted virtual tapes. You may also want to gather the following 
information to expedite the configuration process:
• Username and password of a VTS user account that belongs to the Administration group.
• If multiple VTS servers are installed, gather the following:
  • Hostname or IP address, username, and password of the VTS server that will be
    configured as the key generator, which will generate keys when virtual tapes and
    pools need to be encrypted and decrypted.
  • Hostname or IP address, port, username, and password for configuring a backup host
    that will be used by the key generator to store a backup of the key database; this host
    must support the Secure Copy (SCP) protocol, through the use of the scp or scp2
    program.
Adding a key server
A key server is embedded in every VTS server and, by default, each VTS server is configured 
to generate keys. This type of key server is referred to as a “key generator”. When a key is 
generated, the key ID is stored with the encrypted virtual tape and the key is stored in a key 
database on the key generator. If a key generator is reconfigured to no longer generate keys, it 
is then referred to as a “non-key generator”. The key database remains on the non-key 
generator but that server no longer creates keys. When a virtual tape needs to be decrypted, 
VTS retrieves the encryption key from the key server that generated the key. If the key 
generator was reconfigured as a non-key generator, VTS must still have access to that key 
server.
If there are multiple VTS servers in your environment, it is recommended that you designate 
only one server as the key generator. You must reconfigure the localhost entry on all other 
servers as a non-key generator so that each VTS server can continue to access its key 
database. (You can remove a key generator instead of reconfiguring it if it was never used to 
create keys.) See “Using Data Encryption in a multi-server environment” on page 62 for an
example.
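The key-server rules above, modelled as an added example that is not part of the original guide and does not use any VTS interface. The inventory layout, host names, key IDs and function names are constructed for illustration; the model assumes a tape can be decrypted only if some reachable key server's database holds its key ID.

```python
# Added illustration: a model of the key-server rules described above.
# Inventory layout, host names and key IDs are constructed, not VTS data or APIs.

def plan_roles(key_dbs, generator):
    """Return the role each VTS server's localhost key-server entry should have.

    key_dbs   -- {hostname: set of key IDs in that server's key database}
    generator -- hostname designated as the single key generator
    """
    if generator not in key_dbs:
        raise ValueError(f"designated generator {generator!r} is not in the inventory")
    plan = {}
    for host, keys in key_dbs.items():
        if host == generator:
            plan[host] = "key generator"
        elif keys:
            # It has issued keys: keep it, reachable, as a non-key generator.
            plan[host] = "non-key generator (must stay reachable)"
        else:
            # Never used to create keys: removal is allowed instead.
            plan[host] = "non-key generator or remove"
    return plan


def undecryptable(tapes, key_dbs, reachable):
    """List tapes whose key ID is held by no reachable key server.

    tapes     -- {tape name: key ID stored with the encrypted virtual tape}
    reachable -- hostnames of key servers VTS can still contact
    """
    available = set()
    for host in reachable:
        available |= key_dbs.get(host, set())
    return sorted(t for t, key_id in tapes.items() if key_id not in available)


# Constructed sample: vts2 generated keys before vts1 became the sole generator.
KEY_DBS = {"vts1": {"k-100", "k-101"}, "vts2": {"k-200"}, "vts3": set()}
TAPES = {"TAPE01": "k-100", "TAPE02": "k-200", "TAPE03": "k-101"}

if __name__ == "__main__":
    for host, role in plan_roles(KEY_DBS, "vts1").items():
        print(f"{host}: {role}")
    # Dropping vts2 instead of reconfiguring it strands the tapes it keyed.
    print("unreadable without vts2:", undecryptable(TAPES, KEY_DBS, ["vts1", "vts3"]))
```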
Any time a key is stored in the key database, the database is backed up locally and on a 
backup host, which must be configured in a separate step (see “Adding a key database backup
host” on page 65). In general, the key database (and its backup) remains small, typically
around 10 MB when storing thousands of keys.
Requires Administration group membership
To add a key server
1. Click Configuration→Data Encryption on the navigation pane.
2. If necessary, log in using an account that is a member of the Administration group. Click 
the Log In button at the top of the page and enter a username and password.










