Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 25
Backing up Keystore Data
3. If no alias is specified in the request and no alias is specified in the drive table, Encryption Key Manager selects an alias from the set of aliases or the key group in the keyAliasList.
4. Encryption Key Manager fetches a corresponding DK from the keystore.
5. Encryption Key Manager converts the alias to a DKi and wraps the DK with a key the drive can decrypt.
6. Encryption Key Manager sends the DK and DKi to the tape drive.
7. Tape drive unwraps the DK and writes encrypted data and DKi to tape.

Figure 2-2 shows how keys are processed for an encrypted read operation.

Figure 2-2. LTO 4 or LTO 5 Tape Drive Request for Encryption Read Operation

1. Tape drive receives read request and sends DKi to Encryption Key Manager.
2. Encryption Key Manager verifies tape device in Drive Table.
3. Encryption Key Manager translates DKi to alias and fetches corresponding DK from keystore.
4. Encryption Key Manager wraps the DK with a key the drive can decrypt.
5. Encryption Key Manager sends the wrapped DK to tape drive.
6. Tape drive unwraps the DK and uses it to decrypt the data.

Backing up Keystore Data

Note: Due to the critical nature of the keys in your keystore, it is vital that you back up this data on a non-encrypted device so that you can recover it as needed and be able to read the tapes that were encrypted using those certificates associated with that tape drive or library. Failure to back up your keystore properly will result in irrevocably losing all access to your encrypted data.

There are many ways to back up this keystore information. Each keystore type has its own unique characteristics. These general guidelines apply to all:

- Keep a copy of all certificates loaded into the keystore (usually a PKCS12 format file).
- Use system backup capabilities (such as RACF) to create a backup copy of the keystore information (be careful not to encrypt this copy using the encrypting tape drives, as it would be impossible to decrypt it for recovery).

Chapter 2. Planning Your Encryption Key Manager Environment 2-5
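The write and read exchanges listed above, and the reason the keystore backup is critical, modelled as an added example (not code from Dell or from Encryption Key Manager). The wrap function is a stand-in, not the product's algorithm; the DKi encoding, the drive serial, the alias, and keeping the drive's wrapping key in the drive table are assumptions of this model.

```python
import hashlib, hmac, secrets

def _pad(kek, nonce, n):
    return hashlib.shake_256(kek + nonce).digest(n)

def wrap(kek, dk):
    # Stand-in for "wraps the DK with a key the drive can decrypt": XOR pad + HMAC tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dk, _pad(kek, nonce, len(dk))))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped DK failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce, len(ct))))

class KeyManager:
    def __init__(self, keystore, drive_keys, key_alias_list):
        self.keystore = keystore              # alias -> DK
        self.drive_keys = drive_keys          # drive table (assumed: serial -> wrapping key)
        self.key_alias_list = key_alias_list  # fallback aliases from the config file

    def write_request(self, drive, alias=None):
        kek = self.drive_keys[drive]                 # KeyError: drive not in drive table
        alias = alias or self.key_alias_list[0]      # simplified alias selection
        dki = alias.encode("ascii")                  # assumed DKi encoding
        return wrap(kek, self.keystore[alias]), dki  # wrapped DK and DKi go to the drive

    def read_request(self, drive, dki):
        kek = self.drive_keys[drive]                           # verify drive in drive table
        return wrap(kek, self.keystore[dki.decode("ascii")])   # KeyError: DK no longer held

def demo():
    drive, kek = "DRV0001", secrets.token_bytes(32)  # constructed sample values
    live = {"key00": secrets.token_bytes(32)}
    backup = dict(live)                              # copy kept off the encrypting drives
    ekm = KeyManager(live, {drive: kek}, ["key00"])
    wrapped, dki = ekm.write_request(drive)
    dk_written = unwrap(kek, wrapped)                # drive side; the tape stores only the DKi
    live.clear()                                     # keystore lost: no DK exists on tape
    try:
        ekm.read_request(drive, dki)
        lost = False
    except KeyError:
        lost = True
    ekm.keystore = backup                            # restore the keystore from the backup
    dk_read = unwrap(kek, ekm.read_request(drive, dki))
    return lost, dk_read == dk_written
```

`demo()` returns `(True, True)`: the read fails while the keystore is gone, and the restored backup yields the same DK that was used to write the tape.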