Virtual TapeServer 8.3 Configuration Guide

12 Enabling and Configuring Data Encryption
Data Encryption is an optional Virtual TapeServer (VTS) licensed feature that enables VTS to encrypt
data that is stored on virtual tape. Note that Data Encryption protects data at rest. It does not
protect or secure the VTS server.
Here is how Data Encryption affects tape operations:
- When an encrypted tape is mounted, the data that is written to the tape is encrypted. You can
  also instruct VTS to encrypt data that is already stored on a virtual tape if the tape is not
  encrypted.
- When VTS exports an encrypted virtual tape to a physical tape using tape-to-tape export, the
  data remains encrypted if VTS is configured for this and all drives in the physical library
  support encryption. Otherwise, VTS decrypts the data before it is exported.
- When data is imported (restored) from a physical tape, the data is encrypted if the target
  virtual tape is encrypted.
- When VTS migrates an encrypted virtual tape to a physical tape (through the use of Stacked
  Exports), the data remains encrypted as it is migrated.
Note: If you need to restore Data Encryption as part of disaster recovery, see "Reinstalling and
Restoring VTS" on page 215 for details.
Steps to enable, configure, and use Data Encryption
1. Enable Data Encryption licensing as described in "Enabling Licensed Features" on page 19.
2. Add a key server as described in this chapter.
3. Add a remote key database backup host as described in this chapter.
4. Encrypt virtual tapes as described in "Encrypting and decrypting virtual tapes" on page 100.
Then, write data to virtual tapes from the host server.
Decrypt virtual tapes as described in "Encrypting and decrypting virtual tapes" on page 100. Also,
data is decrypted as it is read by the host server. You can also restore a key database or restore all
Data Encryption settings from a Disaster Recovery site as described in "Restoring Data Encryption"
on page 218.