IBM TS2340 User Guide - Page 202
System-Managed Encryption, Device Driver Configuration, Configuration File
UPC - 883436006873
View all IBM TS2340 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 202 highlights
Windows System-Managed Encryption System-Managed Encryption Device Driver Configuration System-managed encryption parameters on Windows are placed in the registry under the key for the device driver. The parameters are populated in user-created subkey containing the serial number of the device. The registry keys (sys_encryption_proxy and sys_encryption_write) are used to determine SME enablement and invocation of the EKM proxy on write, respectively. Note: Leading zeros in the serial number should be excluded. For example, if the serial number of the encryption-capable tape drive were 0123456789, the user would create the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ibmtp2k3\123456789 Under this key, the user would create DWORD values called sys_encryption_proxy and/or sys_encryption_write, and assign them values corresponding with the desired behavior. The device driver SME settings can be set for all drives at once by placing the ″sys_encryption_proxy″ and ″sys_encryption_write″ registry options under the device driver key, found at: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ibmtp2k3 When this option is chosen, the settings established for all drives are overridden by the serial-number specific settings described the previous paragraph. If no options are specified in the registry, the driver uses the default values for the parameters. v The default value for sys_encryption_proxy is 1. This value causes the device driver to handle encryption key requests, if the drive is set up for system-managed encryption. This value should not need to be changed. A value of 0 causes the device driver to ignore encryption key requests for system-managed encryption drives, and is not desirable. v The default value for sys_encryption_write is 2. This value causes the device driver to leave the encryption write-from-BOP settings alone. It does not turn on or turn off encryption writing, but instead uses the settings that are already in the drive. If encryption has not been set up previously, then the drive writes unencrypted data. A value of 0 causes the device driver to write unencrypted data. A value of 1 causes the device driver to write encrypted data. Changes to the registry require a reboot before the settings are able to be viewed; however, during new installations of the driver, if the old driver is not uninstalled, the old settings remain in place and no reboot is required. Configuration File The file %system_root%:\IBMEKM.conf is used to store the IP address of the EKM server and other network-related parameters. The phrase %system_root% refers to the drive letter where the Windows installation is located, typically C (for example C:\IBMEKM.conf). The format for the EKM server parameters is: 184 IBM Tape Device Drivers Installation and User's Guide