Find the answer to your Linux question:
Results 1 to 4 of 4
Is there an LTO3/4 Tape Encryption HOWTO somewhere that explains how to use the native hardware encryption on LTO3/4 tape drives ? I have an IBM HH SAS standalone LTO4 ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Dec 2008
    Posts
    7

    LTO3/4 Tape Encryption HOWTO?


    Is there an LTO3/4 Tape Encryption HOWTO somewhere that explains how to use the native hardware encryption on LTO3/4 tape drives ? I have an IBM HH SAS standalone LTO4 drive.

  2. #2
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,752
    LTO3's don't support hardware encryption - only the 4TH gen's do.

    Wikipedia - LTO

    To use the encryption, you can have your application manage the keys, or use the HW-managed keys. For HW, this is usually tied into firmware/OS of the *library* and accessed via a console/web frontend.

    For a standalone drive, you will likely need some application that can manage/pass keys to the drive.

    According to this doc (Sept. 2007):

    IBM offers 3 different implementations for drive-based encryption. System i can only use the first one at the
    present time:

    Library Managed Encryption (LME) – in this implementation, the drives must reside in a tape library,
    since it is the tape library that talks to the Encryption Key Manager (EKM) to get the keys. This is the
    only implementation of encryption that is supported on System i at the present time.

    • System Managed Encryption (SME) – in this implementation, the host system talks to the EKM to get
    the keys. An example of this method is AIX which has an A-tape driver that talks to the EKM

    Application Managed Encryption (AME) – in this implementation, the backup application handles the
    encryption keys so no EKM is required. An example of this method is Tivoli Storage Manager (TSM).
    The Robot/Save backup application that runs on System i offers software-based tape encryption, but it
    does not fall into the AME category since it does not use the encryption capabilities of the drive. It falls
    in the “Middleware” category described in the first section of this document. If drive-based encryption
    was used on a system running Robot/Save, then an EKM would be required to handle the keys needed
    by the drive.

    Here is a list of the various platforms and the types of drive-based encryption they can do at the present time:

    - System i - LME only
    - System p - all 3 options are available
    - System z - SME only
    - Windows - LME and AME (eg TSM)
    - Linux - LME and AME (eg TSM)
    - Sun/HP - LME and AME (eg TSM)
    All information found via Google.

  3. #3
    Just Joined!
    Join Date
    Feb 2012
    Posts
    1
    I know this is a very old thread so forgive me for waking the dead here.

    Check out the stenc project on sourceforge if you need a way to manage the hardware keys on LTO drives on Linux or AIX. It's a lightweight open-source command driven program. I would put a direct link but it won't let me. As was mentioned earlier, it will only work with LTO4 or 5 drives.

    Hope this helps someone out there.

  4. #4
    Just Joined!
    Join Date
    Dec 2008
    Posts
    7

    Re: LTO3/4 Tape Encryption HOWTO?

    Thanks for the reply to my 2008 post. I'll take a look at stenc. I have an HP LTO4 SAS drive now.
    Last edited by jayd512; 02-17-2012 at 12:43 AM. Reason: Moved post over.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •