Virtual TapeServer 8.3 Configuration Guide
Enabling and Configuring Data Encryption | 81
• Migrating a virtual tape (stacked export)
An encrypted virtual tape is migrated as-is; that is, the data remains encrypted when it is
migrated to physical tape.
• Compressing data
If enabled, data compression occurs before encryption.
• Updating metadata, timestamps, and file sizes
Every virtual tape stores header information called metadata, which is used by VTS to retain
an audit trail of information about the tape. When a tape is encrypted, the metadata is not
encrypted. The following timestamps are associated with virtual tapes: modify, access, and
change. The modify timestamp is not updated when a tape is encrypted or decrypted.
However, the access and change timestamps are updated when a tape is encrypted or
decrypted.
Finally, when a virtual tape is encrypted, its file size changes because the key ID and other
encryption metadata are added to the virtual tape.
The SecureVTS.log file, which resides in /usr/local/tape/log/, stores an audit trail of all encryption
operations.
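The timestamp and size behavior described above matters for integrity monitoring: a check that watches only the modify timestamp will not see a tape being encrypted or decrypted. The following sketch is an added example, not part of the VTS product or this guide; it assumes virtual tapes are visible as ordinary files, and the tape names and values are constructed. Any change it flags can be cross-checked against SecureVTS.log.

```python
import os
from collections import namedtuple

# Only the fields the guide says do or do not change. The access time is left
# out because any read of the file also updates it.
Snap = namedtuple("Snap", "size mtime_ns ctime_ns")

def snapshot(paths):
    """Record size, modify time and change time for each tape file."""
    out = {}
    for p in paths:
        st = os.stat(p)
        out[p] = Snap(st.st_size, st.st_mtime_ns, st.st_ctime_ns)
    return out

def classify(before, after):
    """Label one file's change between two snapshots."""
    if before == after:
        return "unchanged"
    if after.mtime_ns != before.mtime_ns:
        return "data-modified"
    if after.size != before.size:
        # Size changed but the modify time did not: consistent with what the
        # guide describes for an encrypt or decrypt operation.
        return "encryption-state-change"
    return "metadata-only"

def diff(old, new):
    """Compare two snapshot dicts; report every path that is not unchanged."""
    report = {}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            report[path] = "removed"
        elif path not in old:
            report[path] = "added"
        else:
            label = classify(old[path], new[path])
            if label != "unchanged":
                report[path] = label
    return report

# Constructed sample snapshots (hypothetical tape names, not real VTS data).
OLD = {"VT0001": Snap(4096, 1000, 1000), "VT0002": Snap(8192, 2000, 2000),
       "VT0003": Snap(512, 3000, 3000)}
NEW = {"VT0001": Snap(4160, 1000, 5000), "VT0002": Snap(9000, 6000, 6000),
       "VT0003": Snap(512, 3000, 3000)}

if __name__ == "__main__":
    for path, label in diff(OLD, NEW).items():
        print(path, label)
```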
Multi-server considerations
Keep the following in mind when configuring and using Data Encryption in an environment with
multiple VTS servers, for example, when GFS or Data Replication is configured:
• Server configuration
When configuring key servers and backup hosts for Data Encryption, it is highly recommended
that you configure only one key generator for the environment. You must also configure at
least one other server in the environment that can serve as the backup host for the key
database. See "Adding a key server" on page 83 and "Adding a key database backup host" on
page 85 for more information.
If virtual tapes are stored on a remote server, such as through the use of Data Replication,
and you need to access the data on tapes, Data Encryption must be enabled on the remote
server. This will enable the remote server to decrypt encrypted tapes when necessary.
Otherwise, the remote server cannot retrieve the key from the key server that encrypted the
tape.
• Tape operations performed on encrypted virtual tapes
VTS attempts to decrypt an encrypted tape when a tape operation, such as mounting the tape,
is performed on that tape. If Data Encryption is not enabled or the key server that was used to