Spectra Encryption User Guide

8/12/2019 Spectra Encryption User Guide

SpectraLogic.com

December 2012 Spectra Encryption User Guide

Copyright: Copyright 2006-2012 Spectra Logic Corporation. All rights reserved. This item and the information contained herein are the property of Spectra Logic Corporation.

Notices: Except as expressly stated herein, Spectra Logic Corporation makes its products and associated documentation on an AS IS BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, BOTH OF WHICH ARE EXPRESSLY DISCLAIMED. In no event shall Spectra Logic be liable for any loss of profits, loss of business, loss of use or data, interruption of business, or for indirect, special, incidental or consequential damages of any kind, even if Spectra Logic has been advised of the possibility of such damages arising from any defect or error. Information furnished in this manual is believed to be accurate and reliable. However, no responsibility is assumed by Spectra Logic for its use. Due to continuing research and development, Spectra Logic may revise this publication from time to time without notice, and reserves the right to change any product specification at any time without notice.

Trademarks: BlueScale, CarbideClean, Python, RXT, Spectra, SpectraGuard, Spectra Logic, TeraPack, T-Finity, TranScale, the CarbideClean logo and the Spectra Logic logo are registered trademarks. Endura, EnergyAudit, and Tape without Pain are trademarks of Spectra Logic Corporation. All rights reserved worldwide. All other trademarks and registered trademarks are the property of their respective owners.

    Part Number 90940012 Rev. G

Revision History

Note: To make sure you have the most current version of this guide, check the Spectra Logic website at www.spectralogic.com/documents. To make sure you have the release notes for the most current version of the BlueScale software, log into the Spectra Logic Technical Support portal at http://support.spectralogic.com. The release notes contain updates to the User Guide since the last time it was revised.

Revision  Date            Description
A         March, 2006     Initial release.
B-E                       Corrections and updates.
F         April, 2012     New template. Update for BlueScale 12 release.
G         December, 2012  Added Spectra TKLM.


End User License Agreement

You have acquired a Spectra Encryption User Guide that includes software owned or licensed by Spectra Logic from one or more software licensors (Software Suppliers). Such software products, as well as associated media, printed materials and online or electronic documentation (SOFTWARE) are protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. If you do not agree to this end user license agreement (EULA), do not use the Spectra Product; instead, promptly contact Spectra Logic for instructions on return of the Spectra Product for a refund. Any use of the Software, including but not limited to use on the Spectra Product, will constitute your agreement to this EULA (or ratification of any previous consent).

Grant of License. The Software is licensed on a non-exclusive basis, not sold. This EULA grants you the following rights to the Software: You may use the Software only on the Spectra Product.

Not Fault Tolerant. The Software is not fault tolerant. Spectra Logic has independently determined how to use the Software in the Spectra Product, and suppliers have relied upon Spectra Logic to conduct sufficient testing to determine that the Software is suitable for such use.

No Warranties for the SOFTWARE. The Software is provided AS IS and with all faults. The entire risk as to satisfactory quality, performance, accuracy, and effort (including lack of negligence) is with you. Also, there is no warranty against interference with your enjoyment of the Software or against infringement. If you have received any warranties regarding the SOFTWARE, those warranties do not originate from, and are not binding on, Software suppliers.

Note on Java Support. The Software may contain support for programs written in Java. Java technology is not fault tolerant and is not designed, manufactured, or intended for use or resale as online control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communications systems, air traffic control, direct life support machines, or weapons systems, in which the failure of Java technology could lead directly to death, personal injury, or severe physical or environmental damage.

No Liability for Certain Damages. Except as prohibited by law, Software suppliers shall have no liability for any indirect, special, consequential or incidental damages arising from or in connection with the use or performance of the Software. This limitation shall apply even if any remedy fails of its essential purpose. In no event shall Software suppliers, individually, be liable for any amount in excess of U.S. two hundred fifty dollars (U.S. $250.00).

Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

Software Transfer Allowed with Restrictions. You may permanently transfer rights under this EULA only as part of a permanent sale or transfer of the Spectra nTier700, and only if the recipient agrees to this EULA. If the Software is an upgrade, any transfer must also include all prior versions of the Software.

Export Restrictions. Export of the Software from the United States is regulated by the Export Administration Regulations (EAR, 15 CFR 730-744) of the U.S. Commerce Department, Bureau of Export Administration. You agree to comply with the EAR in the export or re-export of the Software: (i) to any country to which the U.S. has embargoed or restricted the export of goods or services, which as of May 1999 include, but are not necessarily limited to, Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria, and the Federal Republic of Yugoslavia (including Serbia, but not Montenegro), or to any national of any such country, wherever located, who intends to transit or transport the Software back to such country; (ii) to any person or entity who you know or have reason to know will utilize the Software or portion thereof in the design, development or production of nuclear, chemical, or biological weapons; or (iii) to any person or entity who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government. You warrant and represent that neither the BXA nor any other U.S. federal agency has suspended, revoked or denied your export privileges.


Contents

About This Guide 8
    INTENDED AUDIENCE 8
    RELATED INFORMATION 10

Chapter 1 Encryption Overview and Strategies 11
    ENCRYPTION OVERVIEW 11
    SPECTRA TKLM KEY MANAGEMENT OVERVIEW 13
    BLUESCALE KEY MANAGEMENT OVERVIEW 14
        Understanding the Components 14
        Standard Edition vs. Professional Edition 15
    BEST PRACTICES 17
        People 17
        Processes 17
        Passwords and Other Identifiers 20
    SITE SECURITY 21
        Low Security Site Example 22
        Medium Security Site Example 23
        High Security Site Example 24
    ACCESSING THE ENCRYPTION FEATURE 25
        Log Into the Encryption Feature 25
        Configure the User Mode (BlueScale Professional Only) 26
        Configure the Secure Initialization Mode (BlueScale Only) 27
        Configure the Password 28

Chapter 2 Using Spectra TKLM Encryption Key Management 29
    SPECTRA TKLM ENCRYPTION KEY MANAGEMENT 30
        Configure the Spectra TKLM Server 31
    CONFIGURING A PARTITION TO USE A SPECTRA TKLM SERVER 35
    DISABLING ENCRYPTION IN A PARTITION 37

Chapter 3 Using BlueScale Encryption Key Management Standard Edition 38
    CONFIGURING BLUESCALE STANDARD EDITION 39
        Create an Encryption Key 39
    ASSIGNING AN ENCRYPTION KEY TO A PARTITION 41
    EXPORTING AND PROTECTING ENCRYPTION KEYS 44
        Export the Encryption Key 45
        Verify the Exported Encryption Key 48
        Protect the Encryption Key 49
    RESTORING ENCRYPTED DATA
        Use the Key Stored in the Library 51
        Import the Required Key Into the Library 52
    DELETING AN ENCRYPTION KEY FROM THE LIBRARY 56
    DISABLING ENCRYPTION IN A PARTITION 57

Chapter 4 Using BlueScale Encryption Key Management Professional Edition 58
    CONFIGURING BLUESCALE PROFESSIONAL EDITION 59
        Create an Encryption Key 59
    ASSIGNING AN ENCRYPTION KEY TO A PARTITION 61
    EXPORTING AND PROTECTING ENCRYPTION KEYS 65
        Key Protection Features of Encryption Professional 66
        Export an Encryption Key 67
        Verify the Exported Encryption Key 71
        Protect the Encryption Key 73
    RESTORING ENCRYPTED DATA
        Use a Key Stored in the Library 76
        Import the Required Key Into the Library 76
    DELETING AN ENCRYPTION KEY FROM THE LIBRARY 81
    DISABLING ENCRYPTION IN A PARTITION 82

Chapter 5 Recycling Encrypted Media 83

Chapter 6 Using the Endura Decryption Utility 86
    ENDURA DECRYPTION UTILITY OVERVIEW 86
    PREPARE FOR THE DECRYPTION PROCESS 88
    RUN EDU TO DECRYPT DATA
        EDU Command Line Description 90
        Example: Using Two Drives to Decrypt and Write the Data (Preferred Method) 91
        Example: Using One Drive To Decrypt and Write the Data (Not Recommended) 93
    RESTORE THE DATA DECRYPTED WITH ENDURA 95

Chapter 7 Encryption Troubleshooting 96
    TROUBLESHOOTING ENCRYPTION ISSUES 96


About This Guide

This guide contains information about Spectra TKLM encryption key management and BlueScale Encryption key management for Spectra T-Series libraries.

Spectra TKLM Encryption Key Management
Requires a purchased option key to activate, which enables library access to the Spectra TKLM server. See Using Spectra TKLM Encryption Key Management on page 29 for more information.

BlueScale Encryption Key Management
Standard Edition: Included as a standard feature of the BlueScale software. See Using BlueScale Encryption Key Management Standard Edition on page 38 for more information.
Professional Edition: Requires a purchased option key to activate and provides additional security and flexibility features. See Using BlueScale Encryption Key Management Professional Edition on page 58 for more information.

Note: The Spectra T50e Library User Guide contains the instructions for using encryption on the T50e library.

INTENDED AUDIENCE

This guide is intended for data center administrators and operators who maintain and operate backup systems. This guide assumes that you are familiar with data backup and data protection strategies.

RELATED INFORMATION

Typographical Conventions

This document uses the following conventions to highlight important information:

Note: Read notes for additional information or suggestions about the current topic.

This document uses an arrow ( > ) to describe a series of menu selections. For example:

Select Configuration > Partitions > New.

means

Select Configuration, then select Partitions, and then select New.

Important: Read text marked by the Important icon for information that will help you complete a procedure or avoid extra steps.

Caution: Read text marked by the Caution icon for information you must know to avoid damaging the library, the tape drives, or losing data.

WARNING: Read text marked by the Warning icon for information you must know to avoid personal injury.

WARNUNG: Read text marked by the Warning icon for information you must know to avoid personal injury.


    CHAPTER 1

    Encryption Overview and Strategies

    ENCRYPTION OVERVIEW

Spectra Logic libraries can encrypt data and manage encryption keys, using either the Spectra TKLM key management system or BlueScale Encryption key management. Spectra TKLM is a stand-alone, centralized key manager, while BlueScale Encryption key management is integrated within, and specific to, each library.

This chapter covers the following topics:

Encryption Overview, page 11
Spectra TKLM Key Management Overview, page 13
BlueScale Key Management Overview, page 14
    Understanding the Components, page 14
    Standard Edition vs. Professional Edition, page 15
Best Practices, page 17
    People, page 17
    Processes, page 17
    Passwords and Other Identifiers, page 20
Site Security, page 21
    Low Security Site Example, page 22
    Medium Security Site Example, page 23
    High Security Site Example, page 24
Accessing the Encryption Feature, page 25
    Log Into the Encryption Feature, page 25
    Configure the User Mode (BlueScale Professional Only), page 26
    Configure the Secure Initialization Mode (BlueScale Only), page 27
    Configure the Password, page 28

The following table shows the encryption features and functionality provided by BlueScale key management and Spectra TKLM key management. Feature rows compared for Spectra TKLM and BlueScale:

    Library Integrated Server
    Stand-alone Server
    Supports T50e, T120, T200, T380, T680, T950, T-Finity
    Multi-vendor Support (dual vendor shops)
    Graphical User Interface
    Command Line Interface
    LTO-4 Drive Support
    LTO-5 Drive Support
    LTO-6 Drive Support
    TS1140 Technology Drive Support (in supported libraries)
    Multi-library / Multi-site Support
    AES-256 Bit Encryption
    Secure Initialization Mode
    Maximum Number of Encryption Keys: 1,000,000+ (Spectra TKLM); 30 (BlueScale)
    Key per Tape
    M-of-N Key Shares
    Symmetric Shares
    Asymmetric Shares
    Role-based Access Control
    Key Grouping
    Device Grouping
    Key Group Policies
    Key Rotation Policies
    Key Lifecycle Status
    Audit Verified Key Deletion
    Certificates of Authority
    Audit Trail
    FIPS Certification
    KMIP Compliance
    IKEv2-SCSI Compliance
    Configuration, Policies, & Keystore Backup
    LDAP Support
    MLM PostScan Media Verification

SPECTRA TKLM KEY MANAGEMENT OVERVIEW

Spectra Tivoli Key Lifecycle Manager (Spectra TKLM) is a centralized key management system that allows you to manage the lifecycle of the encryption keys and security certificates for your library. Spectra TKLM provides role-based access control, based on user privileges, for tasks that range from creating and assigning encryption keys to the backup and restoration of data.

Spectra TKLM is installed on an external server, which is connected to the library by Ethernet. All administrative activities are performed on the server, including configuration; administration of groups, users, and roles; and management of keys, key groups, and devices. Encryption is performed at the drive level, through encryption-enabled LTO-5 and later generation tape drives and TS1140 technology tape drives.

After Spectra TKLM key management is enabled, the drives in an encryption-enabled partition request a key from the Spectra TKLM server. The server sends the encryption key to the drive, and the drive uses the key to automatically encrypt data as it is backed up.

Before you configure your library to implement Spectra TKLM key management, there are three required components:

Spectra TKLM Encryption-capable Drives: Spectra TKLM key management is only compatible with LTO-5 and later generation tape drives and TS1140 technology tape drives.

Spectra TKLM Option Key: Purchase and install the Spectra TKLM option key to activate Spectra TKLM key management. For more information on how to install the option key on your library, see your library's User Guide.

Spectra TKLM Server: Install and configure Spectra TKLM on your server. Spectra TKLM is available for either Linux or Windows. For additional information that can assist you during the installation and configuration of your server, see the following websites:

IBM Tivoli Key Lifecycle Manager Information Center: http://spectra.cc/eHe
Tivoli Key Lifecycle Manager Installation and Configuration Guide: http://spectra.cc/iyy

Note: Spectra TKLM key management is not compatible with BlueScale Encryption key management. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa.

BLUESCALE KEY MANAGEMENT OVERVIEW

BlueScale Encryption key management is tightly integrated into your Spectra library. Encryption is handled through encryption-enabled LTO-4 and later generation drives or through encryption-enabled F-QIPs, if any are in use. BlueScale Encryption key management is provided through the library's user interface.

Understanding the Components

The BlueScale Encryption key management system has two major components which together implement AES encryption using a 256-bit key, the cipher standardized by the United States Federal Government as FIPS 197.

The BlueScale key management software: The key management feature is accessed through the library's user interface, either using the operator panel or a remote connection through the BlueScale web interface. Optionally, you can secure the web browser connection using SSL; without it, the encryption passwords you type into the web interface cross the network in the clear. Spectra BlueScale key management is available in Standard and Professional Editions to meet your site security requirements (see Standard Edition vs. Professional Edition on page 15).

The encryption chip in the LTO-4 or later drives or in encryption-enabled F-QIPs: Using hardware encryption makes encryption extremely fast and places no burden on your network. The data is encrypted as it is written to tape. After encryption is enabled, data is automatically encrypted as it is backed up.

Notes:
    LTO-3 and earlier generation tape drives do not support drive-based encryption and cannot be used in a partition configured to use drive-based encryption. However, you can use F-QIP-based encryption with these drives.
    Encryption-enabled LTO drives use the same encryption algorithm, ensuring that tapes encrypted by one LTO drive generation can be read by another generation of drive as long as the tape itself is compatible with the drive.
    Libraries that do not have one or more F-QIPs installed can only use drive-based encryption.
    You can only use one type of encryption in a partition.
    The encryption performed by encryption-enabled LTO drives is not compatible with the encryption performed by an encryption-enabled F-QIP.
    If encryption-enabled F-QIPs and encryption-enabled drives are both installed and are configured in different partitions, both can be used for encryption.

    If a single partition includes both an encryption-enabled F-QIP and encryption-enabled LTO drives, Spectra Logic recommends that you choose drive-based encryption for compatibility with libraries that do not have F-QIPs.
    BlueScale Encryption key management is not compatible with Spectra TKLM key management. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa.

Standard Edition vs. Professional Edition

To determine a BlueScale Encryption key management strategy appropriate for your site and your data, decide on the security level required for your site, and the amount and kinds of data to encrypt. See Best Practices on page 17 for things to consider when determining your encryption requirements and processes. After you decide on the appropriate security level and whether data sets need to be isolated, you can decide which edition of BlueScale Encryption meets your needs.

BlueScale Encryption Standard Edition: Standard Edition is included as a standard feature on the library. It is suitable for sites with a primary goal of securing data while it is transported to a remote location and stored there for long-term archival. See Low Security Site Example on page 22 for an example of setting up encryption using BlueScale Encryption Standard Edition. For information about configuring and using BlueScale Encryption Standard Edition, see Chapter 3 Using BlueScale Encryption Key Management Standard Edition, beginning on page 38.

BlueScale Encryption Professional Edition: Professional Edition provides additional choices for defining the level of security you implement in your data center. It is suitable for sites that want the added security of multi-password access to the encryption configuration controls and for importing and exporting encryption keys, and the added flexibility of storing up to 30 encryption keys on the library. See Medium Security Site Example on page 23 and High Security Site Example on page 24 for examples of setting up encryption using BlueScale Encryption Professional Edition. For information about configuring and using BlueScale Professional Edition, see Chapter 4 Using BlueScale Encryption Key Management Professional Edition, beginning on page 58.

The following table compares the major differences between the Standard and Professional Editions.

Feature: Availability
    Standard Edition: Included as a standard feature on the library.
    Professional Edition: Requires a purchased option key to activate.

Feature: Encryption Login Passwords
    Standard Edition: A single encryption password accesses all encryption features.
    Professional Edition: Choice of using one or three passwords to access all encryption features. Using the three-password option requires the following:
        Three unique encryption passwords must be configured.
        Any one of the three passwords must be entered to enable encryption when the library is in Secure Initialization mode.
        Any one of the three passwords must be entered to access encryption key management and configuration options, excluding key import and export.
        Two of the three passwords must be entered to import and export keys.

Feature: Keys (Data Set Isolation)
    Standard Edition: A single encryption key is stored on the library at a time. The same key is used for all partitions configured to use encryption.
    Professional Edition: Up to 30 encryption keys can be stored on the library. Separate encryption keys can be assigned to each data partition to isolate data sets.

Feature: Key Export and Import
    Standard Edition: A single password is used when exporting and importing the encryption key. The encryption key is exported in a single file.
    Professional Edition: Choice of using one password or M-of-N shares with multiple passwords to export and import keys. With the M-of-N shares option, a single file of encrypted key data is split into N parts, or shares, and any M of those N shares are required to import the key data; fewer than M shares are not sufficient.

Feature: Compression
    Standard Edition: Drive-based compression only.
    Professional Edition: Drive- or F-QIP-based compression.

Feature: Compatibility between Software Editions
    Data encrypted using either software edition (Standard or Professional) can be decrypted by a library running the other edition.

BEST PRACTICES

To effectively use encryption and to ensure data security, create an encryption strategy and back it up with the appropriate staff and custom strategies based on your security requirements.

People

Identify the key people who will be responsible for managing the encryption of data written to tape.

Superuser: One or more people who have superuser privileges on the library. Only a superuser can access and configure the encryption features. See User Security in the User Guide for your library for information about the three types of user groups and what types of privileges each has.

Encryption Password Holder: One or more superusers who have the library's encryption password(s).

When determining the number of superusers and encryption password holders, balance the needs for security and availability for the encrypted data. It may be wise to have more than a single user familiar with passwords, depending on the size of your organization, so that if one person is not available, another can take over.

Processes

Consider the following when establishing your encryption procedures:

Startup Security
    Develop procedures for tracking user names and passwords. Make sure only the authorized users know the encryption passwords, and that the passwords themselves are secure. Refer to Passwords and Other Identifiers on page 20 for more information on setting up passwords.
    Optionally, identify a primary and secondary encryption team, so that you have redundancy in your encryption strategy. Although that means the information required to decrypt data is spread across more people, it also means that restoration of encrypted data may be much easier, and you may ultimately have more data protection given the extra layer of coverage; for example, if a user leaves, you are not in a position to lose data.

  • 8/12/2019 Spectra Encryption User Guide

    18/100

    Chapter 1Encryption Overview and Strategies Best Practices

    December 2012 Spectra Encryption User Guide18

    Determine the level of security to use at startup. Both editions ofBlueScale encryption permit a standard mode and a secureinitialization mode. In standard mode, data is encrypted and restoredas soon as the library is started with no further action required. Insecure initialization mode, the partitions configured to use encryptionare not accessible for backup or restore operations until a user withsuperuser privileges has logged into the library and entered theencryption password. (Spectra TKLM does not use the secureinitialization mode.)

    Data to EncryptDecide whether to encrypt all data or a subset. If all of the sites data isto be encrypted on backup, then a single partition could be sufficient. If,however, you are backing up some data without encryption, create apartition dedicated to encrypted data, and another for non-encrypteddata.

    Determine whether the encrypted data can be grouped together or if itmust be isolated into sets. If sets of encrypted data need to be isolatedfrom each other, create several encrypted data partitions, each using adifferent encryption key. For example, your site may store financialdata as one set and consumer identity information as a separate set.

    BlueScale Encryption Key ProtectionBlueScale Encryption uses AES-256 encryption, which is a symmetric,private key encryption method. BlueScale Encryption identifies each key by the moniker (nickname) used to generate the key; the key itself is neverdisplayed. In addition, keys are encrypted before they are exported and thefile containing the key is password-protected.

    Best practices dictate that you make copies of the key immediatelyfollowing the keys creation. To ensure security, make sure that you trackeach copy of an encryption key.

Decide on the number of copies to make of each key and keep a record of each copy's location. Consider storing multiple copies of keys, that you then track carefully, storing the copies in separate places and away from the data encrypted using those keys.

Caution As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, using email presents security issues, including the following:

Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise.
The difficulty in verifying where all the copies of emailed encryption keys may be located can make security audits more challenging.


Establish a key rotation plan that specifies how often to create and use new keys. The rotation plan may be a simple schedule such as changing keys once every six months, and destroying the keys only after the last set of data encrypted using that key is overwritten or destroyed.

BlueScale Encryption Standard Edition stores one key on the library at a time; you must delete the key currently on the library before you can create or import another key. Professional Edition permits multiple keys per library, with one key per encryption-enabled partition.

Establish a procedure for tracking monikers. Make sure you track the information required to access and identify keys, along with the location of stored data that uses each encryption key. Make sure this information is not stored with the encrypted data. Keep it on a system or in an archive that is not available on a network. For additional security, encrypt this information as well.

Before you delete a key from the library, make sure that at least one copy has been exported and stored securely. It is important to make sure that at least one copy of each key is secure and readable (that is, uncorrupted), to ensure that you can restore your data.

Keeping a copy of an exported key is essential; after a key is deleted from the library, it is not recoverable. Once the key is gone, the data is inaccessible; for legal and practical purposes the data is typically considered to have been deleted.
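The key-tracking procedure above (exported copies, rotation schedule, and the two deletion rules) can be kept as a small off-network register. The following is an added example, not Spectra Logic code; the copy locations, cartridge labels and exported-file contents it uses are constructed for illustration.

```python
"""Key-tracking register that enforces the guide's key deletion rules.

Added example, not Spectra Logic code. It models the off-network moniker
register the guide asks you to keep; copy locations, cartridge labels and
exported-file contents used with it are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class KeyRecord:
    moniker: str
    created: date
    # location -> SHA-256 of the exported (password-protected) key file
    copies: dict = field(default_factory=dict)
    # locations whose stored copy has been re-read and matched its hash
    verified: set = field(default_factory=set)
    # cartridges that still hold data encrypted with this key
    cartridges: set = field(default_factory=set)


class KeyRegister:
    """Tracks exported copies, media references and the rotation schedule."""

    def __init__(self, rotation_days: int):
        self.rotation_days = rotation_days
        self.keys = {}

    def create(self, moniker: str, created_iso: str) -> None:
        """Register a new key; created_iso is an ISO date such as 2012-01-15."""
        self.keys[moniker] = KeyRecord(moniker, date.fromisoformat(created_iso))

    def record_export(self, moniker: str, location: str, exported: bytes) -> None:
        """Log one exported copy and fingerprint it so corruption is detectable."""
        self.keys[moniker].copies[location] = hashlib.sha256(exported).hexdigest()

    def verify_copy(self, moniker: str, location: str, stored: bytes) -> bool:
        """Re-read a stored copy; True only if it is byte-for-byte intact."""
        rec = self.keys[moniker]
        intact = hashlib.sha256(stored).hexdigest() == rec.copies.get(location)
        if intact:
            rec.verified.add(location)
        else:
            rec.verified.discard(location)  # a corrupt copy no longer counts
        return intact

    def assign_cartridge(self, moniker: str, cartridge: str) -> None:
        """Record that a cartridge now holds data encrypted with this key."""
        self.keys[moniker].cartridges.add(cartridge)

    def release_cartridge(self, moniker: str, cartridge: str) -> None:
        """Call when the cartridge has been overwritten or destroyed."""
        self.keys[moniker].cartridges.discard(cartridge)

    def rotation_due(self, moniker: str, today_iso: str) -> bool:
        """True once the key has been in use for the full rotation period."""
        age = date.fromisoformat(today_iso) - self.keys[moniker].created
        return age >= timedelta(days=self.rotation_days)

    def library_delete_blockers(self, moniker: str) -> list:
        """Why the key must not yet be deleted from the library (empty = safe).

        Deleting the library copy is irreversible, so at least one exported
        copy must have been verified readable first.
        """
        if not self.keys[moniker].verified:
            return ["no exported copy has been verified readable"]
        return []

    def destroy_blockers(self, moniker: str) -> list:
        """Why the last copies must not yet be destroyed (empty = safe).

        All copies may go only after the last data encrypted with the key
        has been overwritten or destroyed.
        """
        left = sorted(self.keys[moniker].cartridges)
        if left:
            return ["still referenced by cartridges: " + ", ".join(left)]
        return []
```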

Process Testing and Exception Handling

Run drills to confirm that your data is being encrypted properly, that keys are stored properly, and that you can recover your data. Make sure that these drills are included with your overall organizational security strategy.

Create procedures to handle encrypted data that has been, or may have been, compromised. Make sure you can identify the data associated with any compromised key or keys. You may want to take all compromised data and decrypt it and then re-encrypt it and store it in an alternate location to minimize the potential for unauthorized access. You will also need to investigate the incident involving compromised data and take appropriate actions if identity-related data may have been exposed.

Archive a copy of Spectra Logic's Endura Decryption Utility (EDU) for emergency use, such as to recover from a disaster. Use this utility if you have no Spectra Logic libraries on hand but need to decrypt and write data, which you can then restore using backup software.

Caution The current version (Revision 2) of EDU does not support recovering data that is encrypted using an F-QIP. If you need to recover data that was encrypted using an F-QIP, contact Spectra Logic Technical Support for assistance (see Contacting Spectra Logic on page 4).


Special Considerations When Using BlueScale Encryption Professional Edition

Drive-based encryption only allows one encryption key per cartridge, regardless of the number of keys stored on the library.

To simplify data restoration in case of disaster recovery and to achieve business continuity goals, make sure that critically important data is stored on a separate, well-identified cartridge and that only one key is used for encrypting all of the data on the cartridge.

You may want to take advantage of the M-of-N shares option. This option lets you split an exported encryption key into multiple files, or shares, each stored on a separate USB drive or emailed to separate mail recipients. Some specified subset of the shares is required to import the encryption key into the library. Splitting an exported key into multiple shares further protects data from unauthorized access.

For example, if you choose the 2-of-3 shares option, the exported encryption key is split into three shares (M). In order to import the encryption key into the library, emailed encryption key files need to be transferred to separate USB drives and two of the shares (N), each on a separate USB drive, must be present.
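To show what "any two of three shares rebuild the key, one share reveals nothing" means in practice, here is an added example, not the library's share format or code. It assumes Shamir's secret sharing over a prime field as the mechanism (the guide only states that shares are produced and a subset is needed for import); the 32-byte key used with it is constructed.

```python
"""Illustrative M-of-N key sharing for an exported 256-bit encryption key.

Added example, not the library's share format or code. It assumes Shamir's
secret sharing over a prime field; the guide only states that the exported
key is split into shares and that a fixed subset must be present to import
the key. Keys passed to it in the demonstration are constructed values.
"""
import secrets

# Prime larger than any 256-bit key so the key fits in the field (2^521 - 1).
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the share polynomial at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key: bytes, required: int, total: int) -> list:
    """Split a key into `total` shares of which any `required` rebuild it.

    For the guide's 2-of-3 option: total=3 shares, required=2 to import.
    Each (x, y) pair would go on its own USB drive or to its own recipient.
    """
    if not 1 < required <= total:
        raise ValueError("need 1 < required <= total")
    secret = int.from_bytes(key, "big")
    # Random polynomial of degree required-1 whose constant term is the key;
    # fewer than `required` points leave the constant term undetermined.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(required - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def recover_key(shares: list, key_len: int = 32) -> bytes:
    """Rebuild the key from `required` or more shares (Lagrange interpolation at 0).

    With too few shares the interpolated value is an unrelated field element;
    it almost never fits in key_len bytes, so that case raises instead of
    silently returning a wrong key.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret.bit_length() > 8 * key_len:
        raise ValueError("too few shares, or a share is corrupt")
    return secret.to_bytes(key_len, "big")
```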

    Passwords and Other Identifiers

BlueScale Encryption requires you to supply passwords and monikers (key names) when configuring and using the encryption feature. Your site may want to consider implementing specific rules that govern how these are created.

Superuser Login/Encryption Passwords

BlueScale encryption requires a separate password from the one used to log into the library in order to access the library's encryption features. This password must be entered after a user with superuser privileges logs into the library.

If you are using Professional Edition, you have the option to set three separate encryption passwords. If you choose to use this option, two of the three encryption passwords must be entered in order to import BlueScale encryption keys into the library or export them from the library.

The following passwords are required with both editions of BlueScale Encryption:

Superuser Password: Only a user logged into the library with superuser privileges can access the Encryption User Login screen.

Encryption Password: Lets you access encryption features. This password must be entered after the superuser login.


Password(s) for Key Import and Export

Passwords are also used to encrypt keys for export and when importing previously exported keys. Your site may consider whether to create different rules for these passwords, such as requiring that these passwords are longer than the encryption access password(s), and therefore more secure. Optionally, in Professional Edition, you can require two different passwords in order to import and export keys.

Monikers

A moniker is an alphanumeric identifier that is tied to the never-revealed true key value, which is a 256-bit encryption key. The library uses monikers to generate unique encryption keys. The library displays the moniker, not the encryption key itself, whenever it references the encryption key. The actual value of an encryption key is never displayed. The moniker helps to protect data encrypted using the key by eliminating the need to display or type the actual key value.

Your site may want to create rules governing naming conventions for key monikers to ensure that each key is unique.

Recommended: Make a habit of using a single case (all upper or all lower) for monikers. After the encryption key is created and exported, the library ignores the case used in the moniker.

For example, the library interprets Spectra1, spectra1, and SPECTRA1 as the same moniker when importing a key. However, the key generated by each variation is unique.

Password and Moniker Standards

Create standards to govern passwords and moniker names based on your site's security requirements. For example, if your site requires a high level of security for access to encryption partitions, your passwords and monikers may need to incorporate some combination of the following requirements:

Use a minimum number of characters.
Use both alphabetic and numeric characters.
Use both uppercase and lowercase letters for passwords.
Do not use words found in a dictionary.
Change the passwords at regularly scheduled intervals.
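A site standard of this kind can be enforced before a password or moniker is typed into the library. The following is an added example, not library code: it checks the guide's password rules (using the character set the guide lists for the encryption user password) and the moniker advice above, including the case-insensitive comparison the library applies on import; the length threshold is a parameter and the dictionary word list is a small constructed stand-in.

```python
"""Policy checks for encryption passwords and key monikers.

Added example, not library code. The password character set is the one the
guide lists for the encryption user password; length thresholds are
parameters (the guide's site examples use 12/30, 12/30 and 15/40). The
dictionary word list is a small constructed stand-in for a real one.
"""
import re

# 0-9, a-z, A-Z, @, -, _ and : are the characters the guide allows.
ALLOWED_PASSWORD = re.compile(r"^[0-9a-zA-Z@\-_:]+$")
DICTIONARY_WORDS = {"spectra", "password", "library", "backup", "tape"}


def check_password(pw: str, min_len: int) -> list:
    """Return the policy rules a password violates (empty list = compliant)."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not ALLOWED_PASSWORD.match(pw):
        problems.append("contains characters outside 0-9, a-z, A-Z, @, -, _, :")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not both upper and lower case")
    # Strip digits and symbols first: a dictionary word with "1" appended
    # is still a dictionary word.
    if re.sub(r"[^a-zA-Z]", "", pw).lower() in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    return problems


def check_moniker(moniker: str, existing) -> list:
    """Check a proposed moniker against the guide's advice on monikers.

    The library ignores case when importing a key, so a moniker that equals
    an existing one once case is ignored is reported as a collision.
    """
    problems = []
    if not moniker.isalnum():
        problems.append("moniker is not alphanumeric")
    if moniker != moniker.lower() and moniker != moniker.upper():
        problems.append("moniker mixes upper and lower case")
    if moniker.lower() in {m.lower() for m in existing}:
        problems.append("moniker matches an existing moniker when case is ignored")
    return problems
```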

Important If you create two monikers that are identical except for case, you may not be able to retrieve your data after importing a key that was created using a different variation of the moniker.

SITE SECURITY

The following sections provide examples of different security scenarios.


    Low Security Site Example

The following table describes the security considerations and the suggested encryption configuration for a small company with 75 employees.

Security Consideration / Strategy

Security goals: Protecting company from legal liability associated with unauthorized access to data stored on tape, both onsite and offsite, including transport to the offsite location.
Encryption principals: IT administrator, company president, corporate legal counsel.
Data to encrypt: Financial and consumer identity data.
Level of security to implement: BlueScale Standard Edition: single key per library is sufficient. Standard initialization mode: encryption partitions are enabled at start-up.
Data sets requiring isolation: None. A single partition for encrypted data is sufficient.
Key escrow method: Staff at company will escrow keys at a site remote from the data storage location.
Copies of each key to store and their locations: Keep three copies of each key: one with the senior IT administrator, one with the company president, one in a corporate safety deposit box.
Key rotation plan: Create a new key every six months.
Tracking key monikers and passwords: On a non-networked computer that supports encryption, create one or more charts or lists with this data, including key monikers, dates used, encryption and superuser passwords, and passwords used to encrypt exported keys. For additional security, you may want to avoid tracking the relationship between monikers and the encrypted cartridges. The library prompts for the required moniker when you restore encrypted data from a cartridge.
Multiple encryption teams (optional): Configure a separate set of users who are responsible for managing encrypted data. These users may be the same as those identified as the encryption principals.
Decrypt and restore encrypted data: Regularly review data encryption and decryption procedures to make sure that backups and restores are working properly. Run tests to ensure that encrypted data can be decrypted and restored when needed.
Passwords: Require passwords with a minimum of 12 characters, including at least one number and one letter, to access the encryption features. Require passwords with a minimum of 30 characters, including at least one number and one letter, to export and import encryption keys.


    Medium Security Site Example

The following table describes the security considerations and the suggested encryption configuration for a medium-sized organization with 250 employees.

Security Considerations / Strategy

Security goals: Protecting company from legal liability associated with unauthorized access to data stored on tape onsite and offsite, including transport to the offsite location.
Encryption principals: IT senior staff, chief operating officer.
Data to encrypt: Intellectual property, financial, customer, and inventory data.
Level of security to implement: BlueScale Professional Edition, with multiple keys. Standard initialization mode: encryption partitions are enabled at start-up. Multi-user mode, with three encryption passwords.
Data sets requiring isolation from other encrypted data: Separate partitions and keys for these data sets: financial data, inventory data, customer data, and intellectual property data. With this requirement, the site must use a minimum of four encryption-enabled partitions, along with partition(s) for non-encrypted data.
Key escrow method: Store key copies with corporate legal counsel and a paid, trusted, third-party escrow service.
Number of copies of each key to store, and locations: Keep three copies of each key: store one with corporate legal counsel, two with the key escrow service.
Key rotation plan: Create a new key every quarter for each partition dedicated to encryption.
Tracking key monikers, exported key passwords, and password to permit access to encryption features: Send to key escrow service an encrypted document that includes the password used to access encryption features, superuser password, and all passwords necessary to import encryption keys. This file cannot be created or stored on a networked computer. Delete the file from the computer after the document or file is transmitted securely to the key escrow service.
Multiple encryption teams (optional): Three IT administrators, along with the senior IT admin and the COO.
Schedule and run drills: Annual evaluation and review, along with wider corporate security plan.
Passwords: Passwords to access encryption features: minimum of 12 characters, including at least one number and one letter. Password to export and import encryption keys: minimum of 30 characters, including at least one number and one letter.


    High Security Site Example

The following table describes the security considerations and the suggested encryption configuration for an enterprise organization.

Security Considerations / Strategy

Security goals: Protecting all stored data.
Encryption principals: IT senior staff, chief operating officer, chief security officer, chief technology officer.
Data to encrypt: All.
Level of security to implement: BlueScale Professional Edition, with multiple keys. Secure Initialization Mode: after the library power is turned on, the encryption user must enter the password to enable partitions dedicated to encryption. Multi-user mode, with three encryption passwords.
Data sets requiring isolation: Each data set is separately keyed, as defined by the department generating data.
Key escrow method: Store key copies with two remote corporate legal counsel offices and also with a paid, trusted third-party escrow service.
Copies of each key to store, and the stored key locations: Keep three copies of each key: store one at the main office of corporate legal counsel, two with the key escrow service.
Key rotation plan: Create a new key every month for each partition dedicated to encryption.
Tracking key monikers and passwords: Send to the key escrow service an encrypted file with encryption access passwords and superuser passwords. Send to corporate legal office a list of passwords used to export keys. Files with this data cannot be created or stored on a networked computer; delete file or files from the computer once data is transmitted securely.
Multiple encryption teams (optional): Senior IT admin, chief operating officer, chief security officer, chief technology officer.
Schedule and run drills: Quarterly evaluation and review, in conjunction with wider corporate security plan.
Passwords: Passwords to access encryption features: minimum of 15 characters, including at least one number and one letter. Password to export and import encryption keys: minimum of 40 characters, including at least one number and one letter.


ACCESSING THE ENCRYPTION FEATURE

Use the following steps to access the encryption feature to configure the library to use either Spectra TKLM or BlueScale Encryption key management.

Log Into the Encryption Feature

User Privilege Requirements: Only users with superuser privileges can access and use the encryption feature on the library.

1. Log into the library as a user with superuser privileges. Select Security > Encryption. The Encryption User Login screen displays.

2. Enter the encryption password (if one has been set) and then click OK. The Encryption Configuration screen displays the moniker for any BlueScale encryption keys currently stored in the library.

Notes: The default encryption password is blank.
If you are configuring encryption for the first time or you are using Spectra TKLM key management, no encryption key monikers will display.
If you are using BlueScale Professional Edition, up to 30 encryption keys can be stored in the library.

Figure 1 Enter the encryption user password to access the encryption feature.

Figure 2 The Encryption Configuration screen displays after you log into the encryption feature.

(Figure callout: Select Encryption to display the Encryption User Login screen.)


    Configure the User Mode (BlueScale Professional Only)

If you are configuring Spectra TKLM or BlueScale Encryption Standard Edition, the User Mode option does not apply.

If you are configuring Spectra TKLM, proceed to Configure the Password on page 28.

If you are configuring BlueScale Encryption Standard Edition, proceed to Configure the Secure Initialization Mode (BlueScale Only) on page 27.

If you are configuring BlueScale Encryption Professional Edition, use the following steps to set the encryption user mode.

1. From the Encryption Configuration screen, click Configure. The Encryption Users screen displays.

2. Select either Single User Mode or Multi-User Mode.

Figure 3 Select Single User Mode or Multi-User Mode.

User Mode / Description

Single User Mode: Only one encryption password can be configured and only one is required to access all encryption features.

Multi-User Mode: Three unique encryption passwords must be configured. After you set up the three passwords, they are used as follows:
Enter any one of the three to permit a library using Secure Initialization mode to initialize encryption when the library is starting up and to otherwise access most encryption features, excluding export and import encryption key features.
Enter a second password, when prompted, to access export and import encryption key features.


    Configure the Secure Initialization Mode (BlueScale Only)

If you are configuring Spectra TKLM, the Secure Initialization mode option does not apply. Continue with Configure the Password on page 28.

If you are configuring BlueScale Encryption key management, use the following steps to set the Secure Initialization mode.

    1. Click Next. The Encryption Settings screen displays.

2. Select or clear the Enable Secure Initialization check box to configure the desired initialization mode.

Figure 4 Select the desired initialization behavior (BlueScale Standard Edition or Professional Edition Single User mode).

Figure 5 Select the desired initialization behavior (BlueScale Professional Edition Multi-User mode).

Initialization Mode / Description

Standard mode: The partitions configured to use encryption are accessible to the hosts as soon as the library completes its initialization. Data can be backed up to partitions that support encryption without entering an encryption password. To use Standard Mode, make sure that the Enable Secure Initialization check box is cleared. Standard mode is the default setting.

Secure initialization mode: The partitions configured to use BlueScale Encryption key management are not accessible to the hosts until the encryption password is entered through the Encryption User Login screen. Until that time, any backup or restore operations using partitions that use encryption cannot run. To initialize the encryption partitions and make them available for use, each time the library is initialized, a user with superuser privileges must first log into the library and then log into the encryption feature using the encryption password. To enable Secure Initialization mode, make sure that the Enable Secure Initialization check box is selected. Secure Initialization mode becomes active after the library has been power-cycled.


Configure the Password

1. If you want to change the current encryption user password(s), enter the new password(s) in the New Encryption User Password field(s) using any combination of the numbers 0-9, lower and upper case alphabetic characters (a-z and A-Z), and the at symbol (@), dash (-), underscore (_), and colon (:) characters.

Notes: The encryption user password is separate from both the BlueScale login password and the encryption key password you define when you export a BlueScale encryption key (see Export the Encryption Key on page 45).
Security is greatly enhanced when the user who knows the encryption password is different from the user who performs day-to-day operations such as importing or exporting cartridges.
If BlueScale Professional edition Multi-User mode was selected, you must enter three unique encryption passwords.

2. Retype each password in the Retype User Password field and then click OK. The Encryption Configuration screen displays.

Caution The BlueScale encryption user password is separate from the password used to log into the library. Make sure you keep a record of this password. If you lose this password, you will not be able to configure the encryption settings. If you are using BlueScale key management, you will not be able to import or export encryption keys that have already been assigned and used with encrypted data.


    CHAPTER 2

Using Spectra TKLM Encryption Key Management

This chapter describes configuring and using Spectra TKLM Encryption key management.

If you are using BlueScale key management Standard Edition, see Chapter 3 Using BlueScale Encryption Key Management Standard Edition, beginning on page 38.

If you are using BlueScale key management Professional Edition, see Chapter 4 Using BlueScale Encryption Key Management Professional Edition, beginning on page 58.

Spectra TKLM Encryption Key Management, page 30
Configure the Spectra TKLM Server, page 31
Configuring a Partition to Use a Spectra TKLM Server, page 35
Disabling Encryption in a Partition, page 37


SPECTRA TKLM ENCRYPTION KEY MANAGEMENT

Overview: Spectra TKLM key management configuration entails creating an encryption password, configuring one or more Spectra TKLM servers, and designating one or more partitions as encryption-enabled. The encryption password lets a superuser access the library's encryption configuration settings. Encryption administrative activities are performed on the Spectra TKLM server, including configuration; administration of groups, users, and roles; and management of keys, key groups, and devices.

After Spectra TKLM encryption is enabled, the drives in an encryption-enabled partition request a key from the Spectra TKLM server. The server sends the encryption key to the drive, and the drive uses the key to automatically encrypt data as it is backed up.

Before you configure your library to use Spectra TKLM Encryption, make sure you have the following:

Spectra TKLM Encryption-capable Drives: Spectra TKLM key management is only compatible with LTO-5 and later generation tape drives and TS1140 technology tape drives.

Spectra TKLM Option Key: Install the Spectra TKLM option key. See your library's User Guide for detailed instructions.

Spectra TKLM Server: Install and configure Spectra TKLM on your server. Spectra TKLM is available for either Linux or Windows. For additional information that can assist you during the installation and configuration of your server, see the following websites:

IBM Tivoli Key Lifecycle Manager Information Center at http://spectra.cc/eHe
Tivoli Key Lifecycle Manager Installation and Configuration Guide at http://spectra.cc/iyy

Note: Spectra TKLM key management is not compatible with BlueScale Encryption key management, because they cannot share encryption keys. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa.


Configure the Spectra TKLM Server

Use the following steps to configure the Spectra TKLM Server.

User Privilege Requirements: Only users with superuser privileges can configure the encryption features.

1. If you plan to use a hostname, instead of an IP address, you must enter a valid IP address for at least one DNS server.

a. From the toolbar menu, select Configuration > System. The System Setup screen displays. Scroll down to the Other Settings pane.

Caution The encryption password is separate from the password used to log into the library. Make sure you keep a record of this password. If you lose this password, you will not be able to access the library encryption configuration screen.

    Figure 6 The Other Settings pane of the System Setup screen.


b. Click Edit next to Network Settings. The Network Settings screen displays.

c. Enter a valid IP address for at least one DNS server, and then click Save.

2. Access the encryption feature (see Log Into the Encryption Feature on page 25).

3. On the Encryption Configuration screen, click Spectra TKLM. The Spectra TKLM Server Status screen displays.

    Figure 7 The Network Settings screen.

    Figure 8 Access the Spectra TKLM Server Status Screen.


4. The Spectra TKLM Server Status screen displays a list of previously configured Spectra TKLM servers (if any). Up to four Spectra TKLM servers are supported; each is listed by its IP address or hostname.

Note: When read or write processes begin, a green check mark appears in the Connectivity column next to servers the library can access. A red X in the Connectivity column indicates the library is currently unable to connect to that server.

On the Spectra TKLM Server Status screen, click Edit to add or modify Spectra TKLM servers.

5. The TKLM Server Configuration screen displays an editable list of configured Spectra TKLM servers (if any). Enter the appropriate information for the server you want to configure.

a. Enter the IP address or hostname of the server.

Note: If a server is no longer needed, simply delete its IP address or hostname.

b. If desired, change the port setting. The default port setting is 3801.

Note: When you set up the Spectra TKLM server, you must add a Windows firewall rule to allow connections to this port. Otherwise, the library will not be able to access the server.

    Figure 9 Click Edit to add or modify a server.


Click Update to accept the changes and display the TKLM Server Update Result page, or click Cancel to return to the Spectra TKLM Server Status page without saving the changes.

6. If you selected Update, the library attempts to connect to the server and the TKLM Server Update Result screen displays the success or failure of the Spectra TKLM server configuration.

7. Click OK to return to the Spectra TKLM Server Status screen.

Note: Newly added servers are added to the list of servers on the Spectra TKLM Server Status screen. If the library could not connect to the server or verify it as a Spectra TKLM server, it does not appear on the list.

Figure 10 Click Update to save the changes.

    Figure 11 The TKLM Server Update Result screen.


CONFIGURING A PARTITION TO USE A SPECTRA TKLM SERVER

Overview: After configuring a Spectra TKLM server, you can enable Spectra TKLM for one or more partitions.

Notes: The Encryption screen in the partition wizard lets you enable the encryption features for the partition. It only displays if you are logged in as an encryption user and have already configured a Spectra TKLM server or a BlueScale encryption key. (See Configure the Spectra TKLM Server on page 31 or Create an Encryption Key on page 39 for more information.)
Spectra TKLM key management is not compatible with BlueScale Encryption key management, because they cannot share encryption keys. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa.
Spectra TKLM Encryption is only compatible with LTO-5 and later generation tape drives and TS1140 technology tape drives.

Use the following steps to assign a Spectra TKLM server to the partition and encrypt all data sent to the partition:

1. Access the encryption feature (see Log Into the Encryption Feature on page 25).

Note: If you have not already logged in as an encryption user, you must enter the encryption password before you create or edit a partition using the BlueScale partition wizard. If you are not logged in, the Encryption screen will not display.

2. Click Menu, then select Configuration > Partitions. The Shared Library Services screen displays.

3. Click New to create a partition, or click Edit to modify the settings for an existing partition (see Creating a Data Partition in the User Guide for your library).

Important To use Spectra TKLM Encryption key management, drives must be updated to firmware version C7RC, or later.


4. Navigate through the partition wizard by clicking Next until you reach the Encryption screen.

    5. Choose the type of encryption to use.

6. Navigate through the remaining partition configuration screens by clicking Next.

7. When you reach the Save Partition screen, click Save.

    Figure 12 The Encryption screen.

Encryption Option / Description

No Encryption
    Turns off encryption. None of the data in the partition will be encrypted.

Spectra TKLM Encryption
    Turns on Spectra TKLM Encryption key management for drive-based encryption using direct-attached LTO-5 and later generation drives.
    Note: If PostScan has been enabled on the MLM Media Verification screen, Spectra TKLM Encryption cannot be selected, and will be grayed out.

BlueScale Encryption
    Turns on BlueScale Encryption key management for either drive-based or QIP-based encryption.
    See Chapter 3 Using BlueScale Encryption Key Management Standard Edition, beginning on page 38, or Chapter 4 Using BlueScale Encryption Key Management Professional Edition, beginning on page 58, for more information.

    Figure 13 Spectra TKLM is not available if PostScan has been enabled.


DISABLING ENCRYPTION IN A PARTITION

Use the following steps to disable encryption in a partition.

Note: If you have not already logged in as an encryption user, you must enter the encryption password before you create or edit a partition using the BlueScale partition wizard. If you are not logged in, the Encryption screen will not display.

1. Access the Shared Library Services screen (see Best Practices on page 17).

2. Select the partition for which you want to disable encryption. Click Edit.

3. Click Next to navigate through the partition wizard screens until you reach the Encryption screen (see Figure 12 on page 36).

4. Select No Encryption.

5. Click Next to move to the next partition configuration screen. Navigate through the remaining partition configuration screens by clicking Next.

6. When you reach the Summary screen, click Save.


    CHAPTER 3

Using BlueScale Encryption Key Management Standard Edition

This chapter describes configuring and using BlueScale Encryption Key Management Standard Edition.

If you are using Spectra TKLM Encryption key management, see Chapter 2 Using Spectra TKLM Encryption Key Management, beginning on page 29.

If you are using BlueScale Encryption Professional Edition, see Chapter 4 Using BlueScale Encryption Key Management Professional Edition, beginning on page 58.

Configuring BlueScale Standard Edition page 39
Create an Encryption Key page 39
Assigning an Encryption Key to a Partition page 41
Exporting and Protecting Encryption Keys page 44
Export the Encryption Key page 45
Verify the Exported Encryption Key page 48
Protect the Encryption Key page 49
Restoring Encrypted Data page 51
Use the Key Stored in the Library page 51
Import the Required Key Into the Library page 52
Deleting an Encryption Key from the Library page 56
Disabling Encryption in a Partition page 57


3. Enter a name for the encryption key in the Moniker field. Make sure that the moniker meets the following requirements:

A moniker can be any combination of the numbers 0-9, lower and upper case alphabetic characters (a-z and A-Z), and the at symbol (@), dash (-), underscore (_), and colon (:) characters. To improve readability, use an underscore to separate words. Do not use any space characters.

Each moniker must be a unique string of characters that has not been used for any other encryption key.

Recommended. Make a habit of using a single case (all upper or all lower) for monikers. After the encryption key is created and exported, the library ignores the case used in the moniker. For example, the library interprets Spectra1, spectra1, and SPECTRA1 as the same moniker when importing a key. However, the key generated by each variation is unique.

4. Click OK. The Encryption Configuration screen displays with a confirmation showing the moniker for the newly created encryption key and a message reminding you to create a copy of the key for safekeeping.

If the key is not yet assigned to a partition, None displays in the Primary Key For column.

Caution When using LTO drive-based encryption, make sure that the moniker you choose when creating the BlueScale encryption key contains no more than 32 characters. If you lose an encryption key that has a moniker greater than 32 characters, data cannot be recovered using Spectra Logic's Endura Decryption Utility (EDU). See Chapter 6 Using the Endura Decryption Utility, beginning on page 86, for more information.

Important If you create two monikers that are identical except for case, you will not be able to retrieve your data after importing a key that was created using a different variation of the moniker.
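The moniker rules above (allowed character set, no spaces, uniqueness, case ignored on import, and the 32-character EDU limit) are easy to get wrong at the keyboard, and a case-variant collision is only discovered when an import fails. The following is an added example, not Spectra Logic code, that checks a proposed moniker against exactly those rules before you type it into the wizard. The `existing` list stands in for the monikers already shown on the Encryption Configuration screen; it is supplied by the caller, since this code does not talk to the library.

```python
import re
from dataclasses import dataclass, field

# Character set the guide allows in a moniker: 0-9, a-z, A-Z, @, -, _ and :
MONIKER_RE = re.compile(r"^[0-9A-Za-z@\-_:]+$")

# EDU caveat from the guide: with LTO drive-based encryption, a moniker longer
# than 32 characters cannot be recovered by the Endura Decryption Utility.
EDU_MAX_MONIKER_LEN = 32


@dataclass
class MonikerCheck:
    moniker: str
    ok: bool
    errors: list = field(default_factory=list)    # hard failures: do not create the key
    warnings: list = field(default_factory=list)  # allowed, but the guide advises against


def check_moniker(moniker: str, existing: list) -> MonikerCheck:
    """Validate a proposed moniker against the guide's rules.

    `existing` is the list of monikers already present in the library; it is
    constructed by the caller (this example does not query the library).
    """
    result = MonikerCheck(moniker=moniker, ok=True)

    if not moniker:
        result.errors.append("moniker is empty")
    elif not MONIKER_RE.match(moniker):
        bad = sorted({c for c in moniker if not MONIKER_RE.match(c)})
        result.errors.append(f"disallowed characters: {bad!r}")

    # The library ignores case when importing a key, so a case variant of an
    # existing moniker is a collision even though the key material differs.
    for other in existing:
        if other.casefold() == moniker.casefold():
            result.errors.append(
                f"collides with existing moniker {other!r} (case is ignored on import)"
            )

    if len(moniker) > EDU_MAX_MONIKER_LEN:
        result.warnings.append(
            f"longer than {EDU_MAX_MONIKER_LEN} characters: EDU cannot recover the "
            "data if this key is lost"
        )
    if moniker != moniker.lower() and moniker != moniker.upper():
        result.warnings.append("mixed case: the guide recommends a single case")

    result.ok = not result.errors
    return result


if __name__ == "__main__":
    # Constructed sample: one key already in the library, three candidates.
    in_library = ["ARCHIVE_A"]
    for candidate in ("payroll_2012", "Archive_a", "bad moniker!"):
        r = check_moniker(candidate, in_library)
        print(candidate, "OK" if r.ok else "REJECT", r.errors, r.warnings)
```

Run it before creating a key; anything in `errors` means the wizard should not be given that moniker, while `warnings` flag the choices (length over 32, mixed case) that the guide permits but advises against.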

Figure 15 The new encryption key is listed on the Encryption Configuration screen.


5. Export the newly created encryption key and save it to a secure location (see Export the Encryption Key on page 45).

ASSIGNING AN ENCRYPTION KEY TO A PARTITION

Overview After creating an encryption key, you can assign it to one or more partitions. The encryption choices available for a partition depend on the hardware assigned to the partition.

Notes: The Encryption screen in the partition wizard lets you enable the encryption features for the partition. It only displays if you are logged in as an encryption user and have already configured a Spectra TKLM server or a BlueScale encryption key. (See Using Spectra TKLM Encryption Key Management on page 29 or Create an Encryption Key on page 39 for more information.)

F-QIPs are no longer available for purchase. If your library does not already contain an encryption-capable F-QIP, you must use drive-based encryption.

By default, LTO drives are configured to compress data. If necessary, use your backup software to modify the drive property settings to turn off compression.

The encryption performed by encryption-enabled drives is not compatible with the encryption performed by an encryption-enabled F-QIP.

Spectra TKLM key management is not compatible with BlueScale Encryption key management. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa.

If a partition uses both an encryption-enabled F-QIP and encryption-enabled drives, you must choose one type of encryption or the other. You cannot use both types in the same partition.

Caution If you lose the encryption key, data encrypted using the key cannot be recovered. For this reason, promptly copying the key and storing it safely (that is, away from the data encrypted using the key) is extremely important to data decryption and recovery. See Exporting and Protecting Encryption Keys on page 44 for additional information.

Caution To ensure that you can use Spectra Logic's Endura Decryption Utility (EDU) to recover your encrypted data in an emergency, use drive-based encryption if possible. The current version (Revision 2) of EDU does not support recovering data that is encrypted using an F-QIP (see Chapter 6 Using the Endura Decryption Utility, beginning on page 86).


Use the following steps to assign a key to a partition and encrypt all data sent to the partition:

1. Access the encryption feature (see Log Into the Encryption Feature on page 25).

Note: If you have not already logged in as an encryption user, you must enter the encryption password before you create or edit a partition using the BlueScale partition wizard. If you are not logged in, the Encryption screen will not display.

2. Select Configuration > Partitions. The Shared Library Services screen displays.

3. Click New to create a partition, or click Edit to modify the settings for an existing partition (see Creating a Data Partition in the User Guide for your library).

4. Navigate through the partition configuration wizard by clicking Next until you reach the Encryption screen.

    Figure 16 Select whether to use encryption in the partition.


5. Select the type of encryption you would like to enable:

Encryption Option / Description

No Encryption
    Turns off encryption. None of the data in the partition will be encrypted.

Spectra TKLM Encryption
    Turns on Spectra TKLM Encryption key management for drive-based encryption using direct-attached LTO-5 and later generation drives.
    Note: See Using Spectra TKLM Encryption Key Management on page 29 for more information.

BlueScale Encryption: QIP-based
    Turns on BlueScale Encryption key management for QIP-based encryption using F-QIP-attached, SCSI LTO-2, LTO-3, or LTO-4 drives.
    The F-QIP will encrypt data using the specified encryption key before it is sent to the drive. If only one key is present, it is selected automatically. If multiple keys are listed, select the key you want to use.
    If you select QIP-based Encryption, you will have the option to select Enable Clear File at BOT. If you choose this option, the tape headers are unencrypted so that any compatible drive can read the header information on an encrypted tape, including the moniker assigned to the encryption key. Using unencrypted headers facilitates key management for sites with a large number of encrypted tapes.
    Notes:
    Only the moniker is recorded on the cartridge. The encryption key itself is stored on the library or in a password-protected file if you exported the key.
    If you are using F-QIP-based encryption, you can use multiple keys on a cartridge.

BlueScale Encryption: Drive-based
    Turns on BlueScale Encryption key management for drive-based encryption using direct-attached LTO-4 and later generation drives.
    The encryption-enabled drives will encrypt data using the specified encryption key. If only one key is present, it is selected automatically. If there are multiple keys listed, select the key you want to use.
    Notes:
    With drive-based encryption, only one key is allowed per cartridge. To use a new encryption key on a tape previously encrypted with one encryption key, you must first recycle the tape through BlueScale Encryption, as described in Chapter 5 Recycling Encrypted Media, beginning on page 83, before you can use a different key.
    By default, LTO drives are configured to compress data. If necessary, use your backup software to modify the drive property settings to turn off compression.
    Only the moniker is recorded on the cartridge. The encryption key itself is stored on the library or in a password-protected file if you exported the key.

6. Click Next.

7. Navigate through the remaining partition configuration screens by clicking Next.

8. When you reach the Save Partition screen, click Save. All data sent to this partition will be encrypted using the key you selected.


9. Access the encryption feature (Accessing the Encryption Feature on page 25) and confirm that the listed key reflects the assignment you just completed.

EXPORTING AND PROTECTING ENCRYPTION KEYS

Ensuring that you have a backup of all keys used in the library and a record of the password for each exported key is essential to ensuring that you can recover encrypted data. For safe-keeping and security, export the encryption key and store it in a safe, secure location so that you can import it back into the library if needed.

Overview Decrypting encrypted data requires both the encryption key and the encryption key password used to protect the encryption key when it is exported. To ensure that the keys are protected, use the Export Key option described in this section to export encryption keys as soon as possible after you create them.

Figure 17 Confirm that the encryption key was correctly assigned to the partition.

Caution Data cannot be recovered without the encryption key used to encrypt the data, so protecting encryption keys is extremely important to data decryption and recovery. To decrypt and restore encrypted data, you need the data, the encryption key, and the encryption key password used to protect the exported key.

Important Backup files of the library configuration include any encryption keys that were stored in the library at the time the file was created.


Best Practice Spectra Logic recommends that you export each encryption key to at least two different USB drives and store them in separate locations. Remember, lost encryption keys cannot be recreated; you should keep them as secure (and as backed up) as your data.

    Export the Encryption Key

Use the following steps to export the current encryption key:

1. Access the encryption feature (see Log Into the Encryption Feature on page 25).

2. If you want to export the encryption key to a USB drive, plug a USB drive into a USB port on the LCM before continuing.

3. From the Encryption Configuration screen, click Export Key. The Export Type screen displays.

Caution As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, using email presents security issues, including the following:

Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise.

The difficulty in verifying where all of the copies of emailed encryption keys may be located can make security audits more challenging.

    Figure 18 Click Export Key to begin the key export process.


    4. On the Export Type screen, select the desired export option.

5. Click Next. The Export Password screen displays.

    Figure 19 Choose where the exported key will be saved.


Export Type / Description

Export Single File to USB
    Saves the exported encryption key to the USB drive connected to the LCM.

Email Exported Key
    Sends the encryption key as an email attachment to a previously configured mail recipient (see Configure Mail Users in the User Guide for your library). Use the Mail single key file to: drop-down list to select the desired recipient.
    Note: Do not use the default [email protected] email recipient. Spectra Logic does not save emailed files unless they are specifically requested for troubleshooting.

Figure 20 Enter and confirm a password for the exported encryption key.


6. Type and retype an export password using any combination of the numbers 0-9, lower and upper case alphabetic characters (a-z and A-Z), and the at symbol (@), dash (-), underscore (_), and colon (:) characters. This password is used to encrypt the exported key file.

7. Make a record of the encryption key password; you will need it in order to import the key back into the library. Without the password, you cannot import the key, and the data encrypted using the key will be inaccessible.

8. Click Next to export the key to the selected location.

9. Confirm that the encryption key was correctly exported.

If you exported the encryption key to a USB drive: Immediately confirm that the encrypted key copied correctly by clicking Check Key Files and following any prompts. If desired, save or print the Check Key Files report for an audit record showing that the USB drive was readable, and that the destination key matched the source key. Use the steps in Verify the Exported Encryption Key on page 48 to provide a second confirmation.

If the confirmation indicates the key did not copy correctly, delete all data from the USB drive so that no trace of the failed export file remains, and then export the key again using a different USB drive, beginning with Step 2 on page 45.

If you exported the encryption key using email: Confirm the receipt of the email with the attachment by contacting the user to whom you sent the encrypted key file. Have them confirm that the email attachment contains a key file as described in Verify the Exported Encryption Key on page 48.

Caution Do not lose the encryption key password. Without it, you cannot reimport an encryption key after it is deleted from the library, and the data encrypted using the key will be inaccessible.

    Figure 21 Use Check Key Files to confirm successful export.


    Verify the Exported Encryption Key

After exporting an encryption key, verify that the export was successful as soon as possible.

When Saved to a USB Drive

1. Plug the USB drive into a computer that is not connected to the library.

2. Examine the contents of the USB drive to verify that it contains a file called name.bsk where name is the moniker you assigned to the key when it was created.

Make sure that the file is more than 0 bytes in size. If the file meets these requirements, the encryption key was successfully exported and is usable.

3. If desired, save or print a screen capture of the USB directory for an audit record showing that the USB drive was readable, and that the key file contained information.

4. Store the USB drive in a safe location.

5. If the exported key file is not present or if the file is 0 bytes in size, repeat the export process as described in Export the Encryption Key on page 45 using a different USB drive.

When Sent as an Email Attachment

1. Open the email attachment and verify that it contains at least one file called name.bsk where name is the moniker you assigned to the key when it was created.

Make sure that the file is more than 0 bytes in size. If the file meets these requirements, the encryption key was successfully exported and is usable.

2. If desired, print or save a screen capture showing the attachment name and file size for an audit record showing that the file was received, and that the key file contained information.

3. Save the email attachment to a safe location from which you can copy it to a USB drive, if needed.

4. If the email attachment does not contain the exported key file or if the file is 0 bytes in size, repeat the export process as described in Export the Encryption Key on page 45.


    Protect the Encryption Key

In conformance with your security plan, track the location of each USB drive containing the exported key or the name of each person who received the email message with the exported key file attached. Also keep track of the password you used when you exported the key.

The following guidelines outline the essential tasks required to protect encryption keys:

Save one or more copies of every key using the Key Export option on the Encryption Configuration screen (see Export the Encryption Key on page 45).

If you choose to store only a single copy of an encryption key, make sure that you keep the copy secure. If something happens to the device where you stored the exported key and the key has been deleted from the library, both the key and all data encrypted using the key are unrecoverable.

Caution Make sure you keep a record of the password created when exporting the key. You must have this password and the encrypted file containing the exported key in order to import the encryption key back into the library. Without the key password, you will not be able to import the encryption key.

Important Backup files of the library configuration include any encryption keys that were stored in the library at the time the file was created.

Caution As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, doing so presents security issues, including the following:

Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise.

The difficulty in verifying where all the copies of emailed encryption keys may be located can make security audits more challenging.

Caution To emphasize: If you lose the encryption key or the password for the exported file, your data is unrecoverable if the key has been deleted from the library. You need to balance the number of copies of the key to store to guarantee access to the encrypted data against the security risk associated with storing multiple keys. Make sure that the key has been successfully stored prior to removing a key from the library.


Store encryption keys offsite in a location other than the site used for media storage. Confirm that the key is stored correctly on the USB drive or has been received by the intended recipient before deleting the key from your library. If you delete the key, you must import the key back into the library in order to decrypt the data that was encrypted using the key. Importing keys is described in Import the Required Key Into the Library on page 52.

You may want to make two copies of a key, storing each in a secure location. Keep a record of each key's location so that you can easily find the key when you need to restore or delete data.

Maintain a list of every password associated with each key and securely store the list. Never keep this list as cleartext (unencrypted text) on a networked computer, or send it through email as cleartext. For added security, encrypt the file containing the list of passwords.

Track every copy of each key. This tracking is critical in order to meet requirements that may govern data retention and data destruction.