LTO3/4 Tape Encryption HOWTO?

[KewlEugene]

Is there an LTO3/4 Tape Encryption HOWTO somewhere that explains how to use the native hardware encryption on LTO3/4 tape drives ? I have an IBM HH SAS standalone LTO4 drive.

[HROAdmin26]

LTO3's don't support hardware encryption - only the 4TH gen's do.

Wikipedia - LTO

To use the encryption, you can have your application manage the keys, or use the HW-managed keys. For HW, this is usually tied into firmware/OS of the *library* and accessed via a console/web frontend.

For a standalone drive, you will likely need some application that can manage/pass keys to the drive.

According to this doc (Sept. 2007):

IBM offers 3 different implementations for drive-based encryption. System i can only use the first one at the
present time:

• Library Managed Encryption (LME) – in this implementation, the drives must reside in a tape library,
since it is the tape library that talks to the Encryption Key Manager (EKM) to get the keys. This is the
only implementation of encryption that is supported on System i at the present time.

• System Managed Encryption (SME) – in this implementation, the host system talks to the EKM to get
the keys. An example of this method is AIX which has an A-tape driver that talks to the EKM

• Application Managed Encryption (AME) – in this implementation, the backup application handles the
encryption keys so no EKM is required. An example of this method is Tivoli Storage Manager (TSM).
The Robot/Save backup application that runs on System i offers software-based tape encryption, but it
does not fall into the AME category since it does not use the encryption capabilities of the drive. It falls
in the “Middleware” category described in the first section of this document. If drive-based encryption
was used on a system running Robot/Save, then an EKM would be required to handle the keys needed
by the drive.

Here is a list of the various platforms and the types of drive-based encryption they can do at the present time:

- System i - LME only
- System p - all 3 options are available
- System z - SME only
- Windows - LME and AME (eg TSM)
- Linux - LME and AME (eg TSM)
- Sun/HP - LME and AME (eg TSM)

All information found via Google.

[jcoleman1981]

I know this is a very old thread so forgive me for waking the dead here.

Check out the stenc project on sourceforge if you need a way to manage the hardware keys on LTO drives on Linux or AIX. It's a lightweight open-source command driven program. I would put a direct link but it won't let me. As was mentioned earlier, it will only work with LTO4 or 5 drives.

Hope this helps someone out there.

[KewlEugene]

Thanks for the reply to my 2008 post. I'll take a look at stenc. I have an HP LTO4 SAS drive now.