HP StoreEver 1/8 G2 Tape Autoloader and MSL Tape Libraries User and Service Guide Addendum (AK378-96068, September 2013)

2 Using a KMIP-based key server
The autoloader and libraries now support integration with encryption key management servers
using the Key Management Interoperability Protocol (KMIP) standard. KMIP is an industry standard
protocol for communications between a key management server and an encryption system. The
KMIP specification is developed by the KMIP technical committee of the OASIS standards body
(Organization for the Advancement of Structured Information Standards).
The KMIP feature allows the tape device to obtain encryption keys from selected KMIP-compliant
key managers. These keys can be used to encrypt data as it is written to tape. Up to six key servers
can be configured for failover purposes.
Key managers
To use the KMIP feature, the autoloader or library must have access to a KMIP key manager. HP
only supports KMIP when used with a supported key manager, listed in the EBS Matrix, located
at http://www.hp.com/go/ebs.
Operation
When the KMIP feature is enabled and properly configured, tape data will automatically be
encrypted with keys delivered from the KMIP key manager. Tapes are encrypted on a key-per-tape
basis.
Write and append operations: The tape drive will request a key when data is written. The tape
library, acting as an intermediary, may request the key manager to create a key. The library then
obtains that key and delivers it to the tape drive. The key is identified by a name, which is associated
with the media identifier. The key is not retained in the tape drive any longer than necessary to
perform encryption operations.
Read operations: The tape drive will request a key. The tape library, acting as an intermediary,
obtains the key identifier, requests that key from the key manager, and delivers it to the tape drive.
The key is not retained in the tape drive any longer than necessary to perform decryption operations.
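The key flow described above, modelled as an added example (not HP code or part of the original guide): a key is created on the first write, reused for appends and reads, and requested from up to six servers in turn. The MockKeyServer class, the key_name scheme, the 32-byte key size, and the list-order failover are assumptions made for illustration.

```python
import os

MAX_SERVERS = 6  # the guide: up to six key servers can be configured for failover

class KeyServerDown(Exception):
    """Raised when a key server cannot be reached."""

class MockKeyServer:
    """Constructed stand-in for a KMIP key manager; replicas share one store."""
    def __init__(self, store, up=True):
        self.store, self.up = store, up

    def get(self, name, create):
        if not self.up:
            raise KeyServerDown(name)
        if name not in self.store:
            if not create:
                raise KeyError(name)           # reads never mint a key
            self.store[name] = os.urandom(32)  # key size is an assumption
        return self.store[name]

def key_name(media_id):
    # Hypothetical naming scheme; the guide only says the name is tied to the media ID.
    return "tape-" + media_id

class LibraryBroker:
    """The library's intermediary role between tape drive and key manager."""
    def __init__(self, servers):
        if not 1 <= len(servers) <= MAX_SERVERS:
            raise ValueError("configure between 1 and 6 key servers")
        self.servers = list(servers)

    def _request(self, media_id, create):
        for server in self.servers:            # tried in list order (assumed)
            try:
                return server.get(key_name(media_id), create)
            except KeyServerDown:
                continue
        raise KeyServerDown("no key server reachable")  # caller gets no key

    def key_for_write(self, media_id):         # write/append: create on first use
        return self._request(media_id, create=True)

    def key_for_read(self, media_id):          # read: existing key only
        return self._request(media_id, create=False)

if __name__ == "__main__":
    store = {}
    broker = LibraryBroker([MockKeyServer(store, up=False), MockKeyServer(store)])
    first = broker.key_for_write("ABC123L6")   # constructed media identifier
    print(broker.key_for_read("ABC123L6") == first)
```

In this model, a read of a tape whose key is absent from the key manager raises KeyError, which is why the key manager's store must be backed up for as long as the tapes need to remain readable.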
Licensing
The KMIP feature requires that the HP StoreEver MSL2024/4048/8096 KMIP license be installed
before the feature can be enabled and configured. The 1/8 G2 Tape Autoloader also supports
KMIP integration and uses the same license as the MSL libraries.
Configuring the KMIP feature
The EBS Matrix lists the compatible KMIP server models, the server vendors, and links to primary
documents those vendors provide.
Table 1 Enrolling the autoloader or library with a KMIP server

Step | Description of task | Primary documents providing more detail | Comment
-----|---------------------|------------------------------------------|--------
1 | Install and configure the key servers. | Server vendor’s product documentation | Collect the IP address of each server.
2 | Create a local CA and server certificate on the key server. | Server vendor’s product documentation | Collect the filename of the CA certificate (a file with a crt extension).
3 | Set up a new client user account for the autoloader or library. | “Creating the client user name and password on the server” (page 6) | Collect the account username and the account password.