Data is one of the most highly valued resources in a competitive business environment. Protecting that data, controlling access to it, and verifying its authenticity while maintaining its availability are priorities in our security-conscious world. Increasing regulatory requirements are also helping to drive the need for the security of data. Encryption is a powerful and widely used technology that helps protect data from loss and inadvertent or deliberate compromise.
The IBM System Storage™ TS1120 Tape Drive and the IBM Ultrium™ 4 tape drives include data encryption capabilities within the drives. Encrypting at the storage end-point helps avoid the need for host-based encryption of data and the concurrent drain on host performance. It may allow elimination of specialized encryption appliances and the complexity of another layer of devices to manage in the SAN. Encrypting at the tape drive level can preserve the compression characteristics of tape storage, avoiding a requirement for additional cartridges. In addition, in the IBM implementation, data encryption is performed without significant impact to the tape drive's native performance, meaning that batch processing windows are likely not affected. This capability is intended to provide customers with greater ability to protect information if tape cartridges are lost or stolen, by enabling the data to be stored in encrypted form with minimal impact on operational complexity.
Any encryption solution introduces new functional requirements to manage encryption keys. The application of encryption to storage disciplines may significantly increase the length of time any given encryption key needs to be retained and managed. Both of the IBM encrypting tape drives provide customers alternatives for the management of encryption keys that are designed to simplify management of those keys. IBM provides support for encryption keys to be managed by a backup application explicitly or by a key store or key management application external to the applications and systems using the tape drive for storage of data.
Both the TS1120 and LTO Gen 4 drives support application-based keystores, where a customer's backup application is responsible for generating, retaining, and managing encryption keys and for providing them to the tape drive when needed. IBM Tivoli™ Storage Manager has been enhanced to control the encryption process, and provides functions to generate, retain, manage, and provide keys to the TS1120 or IBM Ultrium 4 tape drive.
The IBM Encryption Key Manager (EKM) component for the Java™ platform provides the interface between the IBM encrypting tape drive products and external keystores. The EKM component is supported on a wide variety of environments, including z/OS™, i5/OS™, AIX™, HP, Sun, Windows and Linux, and can help generate and manage encryption keys for TS1120 and IBM Ultrium 4 tape drives across the enterprise. This component interfaces to a variety of open and standards-based key repositories on supported platforms.
The TS1120 and IBM Ultrium 4 tape drives are designed to provide transparent encryption when integrated with an external key store, minimizing change at the application and OS layer. The encryption capability is supported when the TS1120 tape drive is integrated into or attached to the IBM System Storage TS3500 Tape Library, the IBM TS3400 Tape Library, the IBM Virtualization Engine TS7700, the IBM System Storage TS1120 Tape controller, the IBM TotalStorage™ 3494 Tape Library, the IBM 3592 Tape Frame Model C20 or is used in stand-alone environments. The transparent encryption capability for IBM Ultrium 4 tape drives is supported when FC or SAS capable tape drives are integrated into or attached to IBM System Storage TS3100, TS3200, TS3310 and TS3500 Tape Libraries and the transparent encryption feature is installed.