Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 24

Encryption Keys and the LTO 4 and LTO 5 Tape Drives, Key Manager

The Dell Encryption Key Manager and its supported tape drives use symmetric, 256-bit AES keys to encrypt data. This topic explains what you should know about these keys and certificates.

When performing encryption tasks on the LTO 4 or LTO 5 Tape Drives for LTO tape cartridges, Encryption Key Manager uses 256-bit AES symmetric data keys only.

When an LTO 4 or LTO 5 tape drive requests a key, Encryption Key Manager uses the alias specified for that tape drive. If no alias was specified for the tape drive, an alias from a key group, key alias list, or range of key aliases specified in the symmetricKeySet configuration property is used. Lacking a specific alias for the tape drive, aliases are selected from those other entities in round robin fashion to balance the use of keys evenly.

The selected alias is associated with a symmetric Data Key (DK) that was preloaded in the keystore. Encryption Key Manager sends this DK, wrapped with a different key that the tape drive can decrypt, to the LTO 4 or LTO 5 tape drive to encrypt the data. The DK is not transmitted through TCP/IP in the clear. The selected alias is also converted to an entity called the Data Key identifier (DKi), which is written to tape with the encrypted data. In this way, Encryption Key Manager can use the DKi to identify the correct DK needed to decrypt the data when the LTO 4 or LTO 5 tape is read.
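The key-selection and DK/DKi flow above, as an added model written for this page (not Dell's code and not the product's API): a drive with a configured alias always gets that alias, drives without one draw from the expanded symmetricKeySet in round robin, the DK leaves the key manager only in wrapped form, and on read the DKi recorded on tape is what locates the DK. The keystore contents, drive table, per-drive wrapping keys, the comma/range syntax accepted for symmetricKeySet, the alias-as-DKi encoding and the XOR stand-in for key wrapping are all assumptions made for the example.

```python
"""Model of the Encryption Key Manager write/read key flow for LTO 4/5 drives.

Added illustration, not Dell's code. Keystore, drive table, wrapping keys,
symmetricKeySet syntax and the wrap primitive are constructed assumptions.
"""
import hashlib
import hmac
import itertools
import os
import re

# Constructed keystore: alias -> 256-bit symmetric Data Key (DK).
KEYSTORE = {f"key{i:06d}": hashlib.sha256(f"dk-{i}".encode()).digest()
            for i in range(6)}

# Constructed drive table: serial -> alias set with adddrive/moddrive, or None.
DRIVE_TABLE = {"DRV-A": "key000005", "DRV-B": None, "DRV-C": None}

# Constructed per-drive wrapping keys, standing in for whatever key the
# drive itself can decrypt with.
DRIVE_WRAP_KEYS = {d: hashlib.sha256(f"wrap-{d}".encode()).digest()
                   for d in DRIVE_TABLE}

_RANGE = re.compile(r"^([A-Za-z]+)(\d+)-([A-Za-z]+)(\d+)$")


def expand_symmetric_key_set(spec):
    """Expand a symmetricKeySet value into an ordered alias list.

    Assumed syntax: comma-separated aliases and prefixNNN-prefixMMM ranges.
    Every alias must already exist in the keystore (keys are preloaded).
    """
    aliases = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        m = _RANGE.match(item)
        if m and m.group(1) == m.group(3):
            prefix, lo, hi = m.group(1), m.group(2), m.group(4)
            for n in range(int(lo), int(hi) + 1):
                aliases.append(f"{prefix}{n:0{len(lo)}d}")
        else:
            aliases.append(item)
    missing = [a for a in aliases if a not in KEYSTORE]
    if missing:
        raise KeyError(f"aliases not in keystore: {missing}")
    return aliases


def wrap(dk, wrap_key, nonce):
    """Stand-in key wrap: XOR the DK with an HMAC-derived keystream.

    Only shows that the DK never crosses the wire in the clear; a real
    deployment uses the drive's own key-wrap mechanism, not this.
    """
    stream = hmac.new(wrap_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(dk, stream))


def drive_unwrap(drive, wrapped, nonce):
    """What the tape drive does with the wrapped DK it receives."""
    return wrap(wrapped, DRIVE_WRAP_KEYS[drive], nonce)  # XOR is self-inverse


class KeyManager:
    def __init__(self, symmetric_key_set):
        self.default_aliases = expand_symmetric_key_set(symmetric_key_set)
        self._round_robin = itertools.cycle(self.default_aliases)

    def _check_drive(self, drive):
        # Figure 2-1 step 2: an unknown drive is refused before any key lookup.
        if drive not in DRIVE_TABLE:
            raise PermissionError(f"drive {drive} not in drive table")

    def select_alias(self, drive):
        self._check_drive(drive)
        alias = DRIVE_TABLE[drive]
        if alias is None:            # no per-drive alias: round robin over the set
            alias = next(self._round_robin)
        if alias not in KEYSTORE:
            raise KeyError(f"alias {alias} not in keystore")
        return alias

    def write_request(self, drive):
        """Return (wrapped DK, nonce, DKi); the DKi is written to tape."""
        alias = self.select_alias(drive)
        nonce = os.urandom(16)
        dki = alias.encode("ascii")  # assumed: DKi derived directly from alias
        return wrap(KEYSTORE[alias], DRIVE_WRAP_KEYS[drive], nonce), nonce, dki

    def read_request(self, drive, dki):
        """On read, the DKi from tape identifies which DK to send back."""
        self._check_drive(drive)
        alias = dki.decode("ascii")
        if alias not in KEYSTORE:
            raise KeyError(f"DKi {dki!r} names no key in keystore")
        nonce = os.urandom(16)
        return wrap(KEYSTORE[alias], DRIVE_WRAP_KEYS[drive], nonce), nonce
```

Two points worth checking in a real deployment follow from the model: a key that is removed from the keystore makes every tape carrying its DKi unreadable, so DKi-to-alias mapping and keystore backups belong together; and because any drive in the drive table can request a DK by DKi, control of the drive table is effectively control of who can read tapes.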
The adddrive and moddrive topics in “CLI Commands” on page 5-7 show how to specify an alias for a tape drive. See “Generating Keys and Aliases for Encryption on LTO 4 and LTO 5” on page 3-9, which includes information on importing keys, exporting keys, and specifying default aliases in the symmetricKeySet configuration property. “Creating and Managing Key Groups” on page 3-14 shows how to define a key group and populate it with aliases from your keystore.

Figure 2-1 shows how keys are processed for an encrypted write operation.
Figure 2-1. LTO 4 or LTO 5 Tape Drive Request for Encryption Write Operation
(Diagram not reproduced. It shows the Key Manager with its Config File, Key store and Drive Table, the tape drive, and numbered arrows 1 through 7 carrying the alias, the DK, and the DK with its DKi. Only the first two steps are labelled on this page.)
1. Tape drive requests key to encrypt tape
2. Encryption Key Manager verifies tape device in Drive Table

2-4 Dell Encryption Key Mgr User's Guide