Manualshelf

Virtual TapeServer 8.4 Configuration Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series
919293949596979899100
84 | Virtual TapeServer Configuration Guide
Overview of Data Encryption
When Data Encryption is enabled on a VTS server, the embedded key server can be configured to
generate keys for encrypting virtual tapes. VTS uses symmetric key encryption to secure data
written to tape. This encryption is based on Advanced Encryption Standard-Cipher Block Chaining
(AES-CBC) and uses 256-bit keys provided by a random number generator. When a key is generated,
its key ID is stored with the encrypted virtual tape. The key is stored in a key database on the
server that generated it, and each key is encrypted multiple times before being stored. When data on
a virtual tape must be decrypted, VTS uses the key ID to retrieve the key from the key database.
Storing the key ID with the tape and the key in the database ensures that the key will not be
compromised and that it resides in a central, secure location with all other keys.
The key database is backed up on the key server and on at least one other remote server to ensure
that a backup of the keys is always available in case the key server is damaged or destroyed. The
backup must complete successfully on the localhost and backup host before the keys are available for
use by VTS. This ensures that keys are backed up before data is encrypted.
Encryption and decryption during virtual tape operations
A virtual tape can be encrypted in several ways:
l It can be encrypted when it is created.
l It can be manually encrypted after it is created.
l It can be automatically encrypted when it is added to a pool that is designated as encrypted.
l It can be encrypted if the pool in which it resides is designated as encrypted.
Similarly, a virtual tape can be decrypted manually or when its pool is decrypted.
Data Encryption affects other tape operations as well:
l Mounting, reading, and writing to an encrypted virtual tape
When an encrypted tape is mounted, VTS retrieves the key ID from the tape and uses the ID to
request the key from the key server that generated it. The key is then used to decrypt the
data as it is read from the tape. (The data remains encrypted on the tape.) Also, VTS cannot
read or write to the tape without the key.
l Exporting a virtual tape (tape-to-tape export)
An encrypted virtual tape is exported as-is if SPHiNX is configured for encryption and the tape
is exported in virtual tape format. If you export a pool, the virtual tapes remain intact and
encrypted. If the physical drive supports encryption, an unencrypted virtual tape can be
encrypted by the drive.