Académique Documents
Professionnel Documents
Culture Documents
SpectraLogic.com
Copyright Notices
Copyright 20062012 Spectra Logic Corporation. All rights reserved. This item and the information contained herein are the property of Spectra Logic Corporation. Except as expressly stated herein, Spectra Logic Corporation makes its products and associated documentation on an AS IS BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, BOTH OF WHICH ARE EXPRESSLY DISCLAIMED. In no event shall Spectra Logic be liable for any loss of profits, loss of business, loss of use or data, interruption of business, or for indirect, special, incidental or consequential damages of any kind, even if Spectra Logic has been advised of the possibility of such damages arising from any defect or error. Information furnished in this manual is believed to be accurate and reliable. However, no responsibility is assumed by Spectra Logic for its use. Due to continuing research and development, Spectra Logic may revise this publication from time to time without notice, and reserves the right to change any product specification at any time without notice. BlueScale, CarbideClean, Python, RXT, Spectra, SpectraGuard, Spectra Logic, TeraPack, T-Finity, TranScale, the CarbideClean logo and the Spectra Logic logo are registered trademarks. Endura, EnergyAudit, and Tape without Pain are trademarks of Spectra Logic Corporation. All rights reserved worldwide. All other trademarks and registered trademarks are the property of their respective owners. 90940012 Rev. G
Trademarks
Revision A B- E F G Note:
To make sure you have the most current version of this guide check the Spectra Logic website at www.spectralogic.com/documents. To make sure you have the release notes for the most current version of the BlueScale software, log into the Spectra Logic Technical Support portal at http://support.spectralogic.com. The release notes contain updates to the User Guide since the last time it was revised.
December 2012
You have acquired a Spectra Encryption User Guide that includes software owned or licensed by Spectra Logic from one or more software licensors (Software Suppliers). Such software products, as well as associated media, printed materials and online or electronic documentation (SOFTWARE) are protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. If you do not agree to this end user license agreement (EULA), do not use the Spectra Product; instead, promptly contact Spectra Logic for instructions on return of the Spectra Product for a refund. Any use of the Software, including but not limited to use on the Spectra Product, will constitute your agreement to this EULA (or ratification of any previous consent). Grant of License. The Software is licensed on a non-exclusive basis, not sold. This EULA grants you the following rights to the Software: You may use the Software only on the Spectra Product. Not Fault Tolerant. The Software is not fault tolerant. Spectra Logic has independently determined how to use the Software in the Spectra Product, and suppliers have relied upon Spectra Logic to conduct sufficient testing to determine that the Software is suitable for such use. No Warranties for the SOFTWARE. The Software is provided AS IS and with all faults. The entire risk as to satisfactory quality, performance, accuracy, and effort (including lack of negligence) is with you. Also, there is no warranty against interference with your enjoyment of the Software or against infringement. If you have received any warranties regarding the SOFTWARE, those warranties do not originate from, and are not binding on Software suppliers. Note on Java Support. The Software may contain support for programs written in Java. Java technology is not fault tolerant and is not designed, manufactured, or intended for use of resale as online control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communications systems, air traffic control, direct life support machines, or weapons systems, in which the failure of Java technology could lead directly to death, personal injury, or severe physical or environmental damage. No Liability for Certain Damages. Except as prohibited by law, Software suppliers shall have no liability for any indirect, special, consequential or incidental damages arising from or in connection with the use or performance of the Software. This limitation shall apply even if any remedy fails of its essential purpose. In no event shall Software suppliers, individually, be liable for any amount in excess of U.S. two hundred fifty dollars (U.S. $250.00). Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. Software Transfer Allowed with Restrictions. You may permanently transfer rights under this EULA only as part of a permanent sale or transfer of the Spectra nTier700, and only if the recipient agrees to this EULA. If the Software is an upgrade, any transfer must also include all prior versions of the Software. Export Restrictions. Export of the Software from the United States is regulated by the Export Administration Regulations (EAR, 15 CFR 730-744) of the U.S. Commerce Department, Bureau of Export Administration. You agree to comply with the EAR in the export or re-export of the Software: (i) to any country to which the U.S. has embargoed or restricted the export of goods or services, which as May 1999 include, but are not necessarily limited to Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria, and the Federal Republic of Yugoslavia (including Serbia, but not Montenegro), or to any national or any such country, wherever located, who intends to transit or transport the Software back to such country; (ii) to any person or entity who you know or have reason to know will utilize the Software or portion thereof in the design, development or production of nuclear, chemical, or biological weapons; or (iii) to any person or entity who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government. You warrant and represent that neither the BXA nor any other U.S. federal agency has suspended, revoked or denied your export privileges.
December 2012
Mexico, Central and South America, Asia, Australia, and New Zealand Phone: 1.303.449.0160 Email: support@spectralogic.com Spectra Logic Sales Website: www.spectralogic.com/shop United States and Canada Phone: 1.800.833.1132 or 1.303.449.6400 Fax: 1.303.939.8844 Email: sales@spectralogic.com To Obtain Documentation Spectra Logic Website: www.spectralogic.com/documents Europe Phone: 44 (0) 870.112.2150 Fax: 44 (0) 870.112.2175 Email: eurosales@spectralogic.com
December 2012
Contents
About This Guide
INTENDED AUDIENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RELATED INFORMATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8
8 9
11
11 13 14
14 15
BEST PRACTICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Passwords and Other Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
17
17 17 20
SITE SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Low Security Site Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Medium Security Site Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . High Security Site Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
22 23 24
25
25 26 27 28
29
30
31
35 37
Contents
39
39
41 44
45 48 49
51
51 52
56 57
58
59
59
61 65
66 67 71 73
75
76 76
81 82
83
December 2012
Contents
86
86 88 90
90 91 93
95
96
96
December 2012
This guide contains information about Spectra TKLM encryption key management and BlueScale Encryption key management for Spectra T-Series libraries. Spectra TKLM Encryption Key Management Requires a purchased option key to activate, which enables library access to the Spectra TKLM server. See Using Spectra TKLM Encryption Key Management on page 29 for more information.
BlueScale Encryption Key Management Standard Edition Included as a standard feature of the BlueScale software. See Using BlueScale Encryption Key Management Standard Edition on page 38 for more information. Professional Edition Requires a purchased option key to activate and provides additional security and flexibility features. See Using BlueScale Encryption Key Management Professional Edition on page 58 for more information.
Note: The Spectra T50e Library User Guide contains the instructions for using encryption on the T50e library.
INTENDED AUDIENCE
This guide is intended for data center administrators and operators who maintain and operate backup systems. This guide assumes that you are familiar with data backup and data protection strategies.
Related Information
RELATED INFORMATION
Additional Publications
For detailed information on the configuration and use of the library, see the Spectra Logic publications specific to your library. The librarys user guide describes the configuration and use of the library, including specifications and troubleshooting information. The librarys release notes provide the most up-to-date information about the BlueScale software as well as the library, drives, and media.
The most up-to-date versions of all library documentation are available on Spectra Logics website at www.spectralogic.com/documents.
December 2012
Related Information
Typographical Conventions
This document uses the following conventions to highlight important information: Note: Read notes for additional information or suggestions about the current topic.
Important
Read text marked by the Important icon for information that will help you complete a procedure or avoid extra steps. Read text marked by the Caution icon for information you must know to avoid damaging the library, the tape drives, or losing data.
Caution
WARNING
Read text marked by the Warning icon for information you must know to avoid personal injury. WARNUNG Lesen Sie markierten Text durch die Warnung-Symbol fr die Informationen, die Sie kennen mssen, um Personenschden zu vermeiden.
This document uses an arrow (>) to describe a series of menu selections. For example: Select Configuration > Partitions > New. means Select Configuration, then select Partitions, and then select New.
December 2012
10
CHAPTER 1
Encryption Overview and Strategies
Encryption Overview Spectra TKLM Key Management Overview BlueScale Key Management Overview Understanding the Components Standard Edition vs. Professional Edition Best Practices People Processes Passwords and Other Identifiers Site Security Low Security Site Example Medium Security Site Example High Security Site Example Accessing the Encryption Feature Log Into the Encryption Feature Configure the User Mode (BlueScale Professional Only) Configure the Secure Initialization Mode (BlueScale Only) Configure the Password page 11 page 13 page 14 page 14 page 15 page 17 page 17 page 17 page 20 page 21 page 22 page 23 page 24 page 25 page 25 page 26 page 27 page 28
ENCRYPTION OVERVIEW
Spectra Logic libraries can encrypt data and manage encryption keys, using either the Spectra TKLM key management system or BlueScale Encryption key management. Spectra TKLM is a stand-alone, centralized key manager, while BlueScale Encryption key management is integrated within, and specific to, each library.
11
Encryption Overview
The following table shows the encryption features and functionality provided by BlueScale key management and Spectra TKLM key management.
Feature
Library Integrated Server Stand-alone Server Supports T50e, T120, T200, T380, T680, T950, T-Finity Multi-vendor Support (dual vendor shops) Graphical User Interface Command Line Interface LTO-4 Drive Support LTO-5 Drive Support LTO-6 Drive Support TS1140 Technology Drive Support (in supported libraries) Multi-library/ Multi-site Support AES-256 Bit Encryption Secure Initialization Mode Maximum Number of Encryption Keys Key per Tape M-of-N Key Shares Symmetric Shares Asymmetric Shares Role-based Access Control Key Grouping Device Grouping Key Group Policies Key Rotation Policies Key Lifecyle Status Audit Verified Key Deletion Certificates of Authority Audit Trail FIPS Certification KMIP Compliance IKEv2-SCSI Compliance Configuration, Policies, & Keystore Backup LDAP Support MLM PostScan Media Verification 1,000,000+ 30
Spectra TKLM
BlueScale
December 2012
12
Note: Spectra TKLM key management is not compatible with BlueScale Encryption key management. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa.
December 2012
13
December 2012
14
If a single partition includes both an encryption-enabled F-QIP and encryption-enabled LTO drives, Spectra Logic recommends that you choose drive-based encryption for compatibility with libraries that do not have F-QIPs.
BlueScale Encryption key management is not compatible with Spectra TKLM key management. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa.
December 2012
15
The following table compares the major differences between the Standard and Professional Editions.
Feature Availability Encryption Login Passwords Standard Edition Included as a standard feature on the library. Single encryption password accesses all encryption features. Professional Edition Requires a purchased option key to activate. Choice of using one or three passwords to access all encryption features. Using the three-password option requires the following: Three unique encryption passwords must be configured. Any one of the three passwords must be entered to enable encryption when the library is in Secure Initialization mode. Any one of the three passwords must be entered to access encryption key management and configuration options, excluding key import and export. Two of the three passwords must be entered to import and export keys. Up to 30 encryption keys stored on the library. Separate encryption keys can be assigned to each data partition to isolate data sets. Choice of using one or M-of-N shares with multiple passwords to export and import keys. With the M-of-N shares option, a single file of encrypted key data is split into multiple parts, or shares (N), and some specified subset (M) is required to import the file containing the key data. Drive- or F-QIP-based compression.
Single encryption key stored on the library at a time. The same key is used for all partitions configured to use encryption. A single password is used when exporting and importing the encryption key. The encryption key is exported in a single file.
Data encrypted using either software edition (Standard or Professional) can be decrypted by a library running the other edition.
December 2012
16
Best Practices
BEST PRACTICES
To effectively use encryption and to ensure data security, create an encryption strategy and back it up with the appropriate staff and custom strategies based on your security requirements.
People
Identify the key people who will be responsible for managing the encryption of data written to tape. Superuser One or more people who have superuser privileges on the library. Only a superuser can access and configure the encryption features. See User Security in the User Guide for your library for information about the three types of user groups and what types of privileges each has. Encryption Password Holder One or more superusers who have the librarys encryption password(s). When determining the number of superusers and encryption password holders, balance the needs for security and availability for the encrypted data. It may be wise to have more than a single user familiar with passwords, depending on the size of your organization, so that if one person is not available, another can take over.
Processes
Consider the following when establishing your encryption procedures:
Startup Security
Develop procedures for tracking user names and passwords. Make sure only the authorized users know the encryption passwords, and that the passwords themselves are secure. Refer to Passwords and Other Identifiers on page 20 for more information on setting up passwords. Optionally, identify a primary and secondary encryption team, so that you have redundancy in your encryption strategy. Although that means the information required to decrypt data is spread across more people, it also means that restoration of encrypted data may be much easier, and you may ultimately have more data protection given the extra layer of coverage; for example, if a user leaves, you are not in a position to lose data.
December 2012
17
Best Practices
Determine the level of security to use at startup. Both editions of BlueScale encryption permit a standard mode and a secure initialization mode. In standard mode, data is encrypted and restored as soon as the library is started with no further action required. In secure initialization mode, the partitions configured to use encryption are not accessible for backup or restore operations until a user with superuser privileges has logged into the library and entered the encryption password. (Spectra TKLM does not use the secure initialization mode.)
Data to Encrypt
Decide whether to encrypt all data or a subset. If all of the sites data is to be encrypted on backup, then a single partition could be sufficient. If, however, you are backing up some data without encryption, create a partition dedicated to encrypted data, and another for non-encrypted data. Determine whether the encrypted data can be grouped together or if it must be isolated into sets. If sets of encrypted data need to be isolated from each other, create several encrypted data partitions, each using a different encryption key. For example, your site may store financial data as one set and consumer identity information as a separate set.
Caution
As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, using email presents security issues, including the following: Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise. The difficulty in verifying where all the copies of emailed encryption keys may be located can make security audits more challenging.
December 2012
18
Best Practices
Establish a key rotation plan that specifies how often to create and use new keys. The rotation plan may be a simple schedule such as changing keys once every six months, and destroying the keys only after the last set of data encrypted using that key is overwritten or destroyed. BlueScale Encryption Standard Edition stores one key on the library at a time; you must delete the key currently on the library before you can create or import another key. Professional Edition permits multiple keys per library, with one key per encryption-enabled partition.
Establish a procedure for tracking monikers. Make sure you track the information required to access and identify keys, along with the location of stored data that uses each encryption key. Make sure this information is not stored with the encrypted data. Keep it on a system or in an archive that is not available on a network. For additional security, encrypt this information as well. Before you delete a key from the library, make sure that at least one copy has been exported and stored securely. It is important to make sure that at least one copy of each key is secure and readable (that is, uncorrupted), to ensure that you can restore your data. Keeping a copy of an exported key is essential; after a key is deleted from the library, it is not recoverable. Once the key is gone, the data is inaccessible; for legal and practical purposes the data is typically considered to have been deleted.
Caution
The current version (Revision 2) of EDU does not support recovering data that is encrypted using an F-QIP. If you need to recover data that was encrypted using an F-QIP contact Spectra Logic Technical Support for assistance (see Contacting Spectra Logic on page 4).
December 2012
19
Best Practices
December 2012
20
Site Security
Password(s) for Key Import and Export Passwords are also used to encrypt keys for export and when importing previously exported keys. Your site may consider whether to create different rules for these passwords, such as requiring that these passwords are longer than the encryption access password(s), and therefore more secure. Optionally, in Professional Edition, you can require two different passwords in order to import and export keys. Monikers A moniker is an alphanumeric identifier that is tied to the never-revealed true key value, which is a 256-bit encryption key. The library uses monikers to generate unique encryption keys. The library displays the moniker, not the encryption key itself, whenever it references the encryption key. The actual value of an encryption key is never displayed. The moniker helps to protect data encrypted using the key by eliminating the need to display or type the actual key value. Your site may want to create rules governing naming conventions for key monikers to ensure that each key is unique. Recommended Make a habit of using a single case (all upper or all lower) for monikers. After the encryption key is created and exported, the library ignores the case used in the moniker. For example, the library interprets Spectra1, spectra1, and SPECTRA1 as the same moniker when importing a key. However, the key generated by each variation is unique.
Important
If you create two monikers that are identical except for case, you may not be able to retrieve your data after importing a key that was created using a different variation of the moniker.
Password and Moniker Standards Create standards to govern passwords and moniker names based on your sites security requirements. For example, if your site requires a high level of security for access to encryption partitions, your passwords and monikers may need to incorporate some combination of the following requirements: Use a minimum number of characters. Use both alphabetic and numeric characters. Use both uppercase and lowercase letters for passwords. Do not use words found in a dictionary. Change the passwords at regularly scheduled intervals.
SITE SECURITY
The following sections provide examples of different security scenarios.
December 2012
21
Site Security
Encryption principals Data to encrypt Level of security to implement Data sets requiring isolation Key escrow method Copies of each key to store and their locations Key rotation plan Tracking key monikers and passwords
Multiple encryption teams (optional) Decrypt and restore encrypted data Passwords
December 2012
22
Site Security
Annual evaluation and review, along with wider corporate security plan. Passwords to access encryption features: minimum of 12 characters, including at least one number and one letter Password to export and import encryption keys: minimum of 30 characters, including at least one number and one letter
December 2012
23
Site Security
Data sets requiring isolation Key escrow method Copies of each key to store, and the stored key locations Key rotation plan Tracking key monikers and passwords
Create a new key every month for each partition dedicated to encryption. Send to the key escrow service an encrypted file with encryption access passwords and superuser passwords. Send to corporate legal office a list of passwords used to export keys. Files with this data cannot be created or stored on a networked computer; delete file or files from the computer once data is transmitted securely. Senior IT admin, chief operating officer, chief security officer, chief technology officer. Quarterly evaluation and review, in conjunction with wider corporate security plan. Passwords to access encryption features: minimum of 15 characters, including at least one number and one letter Password to export and import encryption keys: minimum of 40 characters, including at least one number and one letter
December 2012
24
Figure 1 Enter the encryption user password to access the encryption feature. 2. Enter the encryption password (if one has been set) and then click OK. The Encryption Configuration screen displays the moniker for any BlueScale encryption keys currently stored in the library. Notes: The default encryption password is blank. If you are configuring encryption for the first time or you are using Spectra TKLM key management, no encryption key monikers will display. If you are using BlueScale Professional Edition, up to 30 encryption keys can be stored in the library.
Figure 2 The Encryption Configuration screen displays after you log into the encryption feature.
December 2012
25
If you are configuring BlueScale Encryption Professional Edition, use the following steps to set the encryption user mode. 1. From the Encryption Configuration screen, click Configure. The Encryption Users screen displays.
Figure 3 Select Single User Mode or Multi-User Mode. 2. Select either Single User Mode or Multi-User Mode.
User Mode Single User Mode Multi-User Mode Description Only one encryption password can be configured and only one is required to access all encryption features. Three unique encryption passwords must be configured. After you set up the three passwords, they are used as follows: Enter any one of the three to permit a library using Secure Initialization mode to initialize encryption when the library is starting up and to otherwise access most encryption features, excluding export and import encryption key features. Enter a second password, when prompted, to access export and import encryption key features.
December 2012
26
Figure 4 Select the desired initialization behavior (BlueScale Standard Edition or Professional Edition Single User mode).
Figure 5 Select the desired initialization behavior (BlueScale Professional Edition MultiUser mode).
2. Select or clear the Enable Secure Initialization check box to configure the desired initialization mode used.
Initialization Mode Standard mode Description The partitions configured to use encryption are accessible to the hosts as soon as the library completes its initialization. Data can be backed up to partitions that support encryption without entering an encryption password. To use Standard Mode, make sure that the Enable Secure Initialization check box is cleared. Standard mode is the default setting. The partitions configured to use BlueScale Encryption key management are not accessible to the hosts until the encryption password is entered through the Encryption User Login screen. Until that time, any backup or restore operations using partitions that use encryption cannot run. To initialize the encryption partitions and make them available for use, each time the library is initialized, a user with superuser privileges must first log into the library and then log into the encryption feature using the encryption password. To enable Secure Initialization mode, make sure that the Enable Secure Initialization check box is selected. Secure Initialization mode becomes active after the library has been power-cycled.
December 2012
27
Caution
The BlueScale encryption user password is separate from the password used to log into the library. Make sure you keep a record of this password. If you lose this password, you will not be able to configure the encryption settings. If you are using BlueScale key management, you will not be able to import or export encryption keys that have already been assigned and used with encrypted data.
Notes:
The encryption user password is separate from both the BlueScale login password and the encryption key password you define when you export a BlueScale encryption key (see Export the Encryption Key on page 45). Security is greatly enhanced when the user who knows the encryption password is different from the user who performs day-to-day operations such as importing or exporting cartridges. If BlueScale Professional edition Multi-User mode was selected, you must enter three unique encryption passwords.
2. Retype each password in the Retype User Password field and then click OK. The Encryption Configuration screen displays.
December 2012
28
CHAPTER 2
Using Spectra TKLM Encryption Key Management
This chapter describes configuring and using Spectra TKLM Encryption key management. If you are using BlueScale key management Standard Edition, see Chapter 3 Using BlueScale Encryption Key Management Standard Edition, beginning on page 38. If you are using BlueScale key management Professional Edition, see Chapter 4 Using BlueScale Encryption Key Management Professional Edition, beginning on page 58.
Spectra TKLM Encryption Key Management Configure the Spectra TKLM Server Configuring a Partition to Use a Spectra TKLM Server Disabling Encryption in a Partition
29
Note: Spectra TKLM key management is not compatible with BlueScale Encryption key management, because they cannot share encryption keys. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa.
December 2012
30
Caution
The encryption password is separate from the password used to log into the library. Make sure you keep a record of this password. If you lose this password, you will not be able to access the library encryption configuration screen.
1. If you plan to use a hostname, instead of an IP address, you must enter a valid IP address for at least one DNS server. a. From the toolbar menu, select Configuration > System. The System Setup screen displays. Scroll down to the Other Settings pane.
December 2012
31
b. Click Edit next to Network Settings. The Network Settings screen displays.
Figure 7 The Network Settings screen. c. Enter a valid IP address for at least one DNS server, and then click save. 2. Access the encryption feature (see Log Into the Encryption Feature on page 25). 3. On the Encryption Configuration screen, click Spectra TKLM. The Spectra TKLM Server Status screen displays.
December 2012
32
4. The Spectra TKLM Server Status screen displays a list of previously configured Spectra TKLM servers (if any). Up to four Spectra TKLM servers are supported; each is listed by its IP address or hostname. Note: When read or write processes begin, a green check mark appears in the Connectivity column next to servers the library can access. A red X in the Connectivity column indicates the library is currently unable to connect to that server. On the Spectra TKLM Server Status screen, click Edit to add or modify Spectra TKLM servers.
Figure 9 Click Edit to add or modify a server. 5. The TKLM Server Configuration screen displays an editable list of configured Spectra TKLM servers (if any). Enter the appropriate information for the server you want to configure. a. Enter the IP address or hostname of the server. Note: If a server is no longer needed, simply delete its IP address or hostname. b. If desired, change the port setting. The default port setting is 3801. Note: When you set up the Spectra TKLM server, you must add a Windows firewall rule to allow connections to this port. Otherwise, the library will not be able to access the server.
December 2012
33
Click Update to accept the changes, and display the TKLM Server Update Result page, or click Cancel to return to the Spectra TKLM Server Status page without saving the changes.
Figure 10 Click Update to save the changes. 6. If you selected Update, the library attempts to connect to the server and the TKLM Server Update Result screen displays the success or failure of the Spectra TKLM server configuration.
Figure 11 The TKLM Server Update Result screen. 7. Click OK to return to the Spectra TKLM Server Status screen. Note: Newly added servers are added to the list of servers on the Spectra TKLM Server Status screen. If the library could not connect to the server or verify it as a Spectra TKLM server, it does not appear on the list.
December 2012
34
Important
To use Spectra TKLM Encryption key management, drives must be updated to firmware version C7RC, or later.
Notes:
The Encryption screen in the partition wizard lets you enable the encryption features for the partition. It only displays if you are logged in as an encryption user and have already configured a Spectra TKLM server or a BlueScale encryption key. (See Configure the Spectra TKLM Server on page 31 or Create an Encryption Key on page 39 for more information.) Spectra TKLM key management is not compatible with BlueScale Encryption key management, because they cannot share encryption keys. Data encrypted using Spectra TKLM key management cannot be decrypted using BlueScale Encryption key management, and vice versa. Spectra TKLM Encryption is only compatible with LTO-5 and later generation tape drives and TS1140 technology tape drives.
Use the following steps to assign a Spectra TKLM server to the partition and encrypt all data sent to the partition: 1. Access the encryption feature (see Log Into the Encryption Feature on page 25). Note: If you have not already logged in as an encryption user, you must enter the encryption password before you create or edit a partition using the BlueScale partition wizard. If you are not logged in, the Encryption screen will not display. 2. Click Menu, then select Configuration > Partitions. The Shared Library Services screen displays. 3. Click New to create a partition, or click Edit to modify the settings for an existing partition (see Creating a Data Partition in the User Guide for your library).
December 2012
35
4. Navigate through the partition wizard by clicking Next until you reach the Encryption screen.
6. Navigate through the remaining partition configuration screens by clicking Next. 7. When you reach the Save Partition screen, click Save.
December 2012 Spectra Encryption User Guide
36
December 2012
37
CHAPTER 3
Using BlueScale Encryption Key Management Standard Edition
This chapter describes configuring and using BlueScale Encryption Key Management Standard Edition. If you are using Spectra TKLM Encryption key management, see Chapter 2 Using Spectra TKLM Encryption Key Management, beginning on page 29. If you are using BlueScale Encryption Professional Edition, see Chapter 4 Using BlueScale Encryption Key Management Professional Edition, beginning on page 58.
Configuring BlueScale Standard Edition Create an Encryption Key Assigning an Encryption Key to a Partition Exporting and Protecting Encryption Keys Export the Encryption Key Verify the Exported Encryption Key Protect the Encryption Key Restoring Encrypted Data Use the Key Stored in the Library Import the Required Key Into the Library Deleting an Encryption Key from the Library Disabling Encryption in a Partition
page 39 page 39 page 41 page 44 page 45 page 48 page 49 page 51 page 51 page 52 page 56 page 57
38
Caution
The BlueScale encryption password is separate from the password used to log into the library. Make sure you keep a record of this password. If you lose this password, you will not be able to configure encryption nor will you be able to import/export encryption keys that have already been assigned and used on encrypted tapes.
User Privilege Requirements Only users with superuser privileges can access and use the BlueScale encryption features.
December 2012
39
3. Enter a name for the encryption key in the Moniker field. Make sure that the moniker meets the following requirements: A moniker can be any combination of the numbers 09, lower and upper case alphabetic characters (az and AZ), and the at symbol (@), dash (), underscore (_), and colon (:) characters. To improve readability, use an underscore to separate words. Do not use any space characters.
Caution
When using LTO drive-based encryption, make sure that the moniker you choose when creating the BlueScale encryption key contains no more than 32 characters. If you lose an encryption key that has a moniker greater than 32 characters, data cannot be recovered using Spectra Logics Endura Decryption Utility (EDU). See Chapter 6 Using the Endura Decryption Utility, beginning on page 86 for more information.
Each moniker must be a unique string of characters that has not been used for any other encryption key. Recommended. Make a habit of using a single case (all upper or all lower) for monikers. After the encryption key is created and exported, the library ignores the case used in the moniker. For example, the library interprets Spectra1, spectra1, and SPECTRA1 as the same moniker when importing a key. However, the key generated by each variation is unique.
Important
If you create two monikers that are identical except for case, you will not be able to retrieve your data after importing a key that was created using a different variation of the moniker.
4. Click OK. The Encryption Configuration screen displays with a confirmation showing the moniker for the newly created encryption key and a message reminding you to create a copy of the key for safekeeping.
Figure 15 The new encryption key is listed on the Encryption Configuration screen. If the key is not yet assigned to a partition, None displays in the Primary Key For column.
December 2012 Spectra Encryption User Guide
40
5. Export the newly created encryption key and save it to a secure location (see Export the Encryption Key on page 45).
Caution
If you lose the encryption key, data encrypted using the key cannot be recovered. For this reason, promptly copying the key and storing it safely (that is, away from the data encrypted using the key) is extremely important to data decryption and recovery. See Exporting and Protecting Encryption Keys on page 44 for additional information.
Caution
To ensure that you can use Spectra Logic's Endura Decryption Utility (EDU) to recover your encrypted data in an emergency, use drive-based encryption if possible. The current version (Revision 2) of EDU does not support recovering data that is encrypted using an F-QIP (see Chapter 6 Using the Endura Decryption Utility, beginning on page 86).
December 2012
41
Use the following steps to assign a key to a partition and encrypt all data sent to the partition: 1. Access the encryption feature (see Log Into the Encryption Feature on page 25). Note: If you have not already logged in as an encryption user, you must enter the encryption password before you create or edit a partition using the BlueScale partition wizard. If you are not logged in, the Encryption screen will not display. 2. Select Configuration > Partitions. The Shared Library Services screen displays. 3. Click New to create a partition, or click Edit to modify the settings for an existing partition (see Creating a Data Partition in the User Guide for your library). 4. Navigate through the partition configuration wizard by clicking Next until you reach the Encryption screen.
December 2012
42
6. Click Next. 7. Navigate through the remaining partition configuration screens by clicking Next. 8. When you reach the Save Partition screen, click Save. All data sent to this partition will be encrypted using the key you selected.
December 2012
43
9. Access the encryption feature (Accessing the Encryption Feature on page 25) and confirm that the listed key reflects the assignment you just completed.
Figure 17 Confirm that the encryption key was correctly assigned to the partition.
Caution
Data cannot be recovered without the encryption key used to encrypt the data, so protecting encryption keys is extremely important to data decryption and recovery. To decrypt and restore encrypted data, you need the data, the encryption key, and the encryption key password used to protect the exported key and data.
Important
Backup files of the library configuration include any encryption keys that were stored in the library at the time the file was created.
December 2012
44
Best Practice Spectra Logic recommends that you export each encryption key to at least two different USB drives and store them in separate locations. Remember, lost encryption keys cannot be recreated; you should keep them as secure (and as backed up) as your data.
Caution
As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, using email presents security issues, including the following: Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise. The difficulty in verifying where all of the copies of emailed encryption keys may be located can make security audits more challenging.
December 2012
45
Caution
As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, using email presents security issues, including the following: Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise. The difficulty in verifying where all the copies of emailed encryption keys may be located can make security audits more challenging.
Description Saves the exported encryption key to the USB drive connected to the LCM. Sends the encryption key as an email attachment to a previously configured mail recipient (see Configure Mail Users in the User Guide for your library). Use the Mail single key file to: drop-down list to select the desired recipient. Note: Do not use the default autosupport@spectralogic.com email recipient. Spectra Logic does not save emailed files unless they are specifically requested for troubleshooting.
Figure 20 Enter and confirm a password for the exported encryption key.
December 2012 Spectra Encryption User Guide
46
6. Type and retype an export password using any combination of the numbers 09, lower and upper case alphabetic characters (az and A-Z), and the at symbol (@), dash (), underscore (_), and colon (:) characters. This key is used to encrypt the exported key. 7. Make a record of the encryption key password; you will need it in order to import the key back into the library. Without the password, you cannot import the key, and the data encrypted using the key will be inaccessible.
Caution
Do not lose the encryption key password. Without it, you cannot reimport an encryption key after it is deleted from the library, and the data encrypted using the key will be inaccessible.
8. Click Next to export the key to the selected location. 9. Confirm that the encryption key was correctly exported. If you exported the encryption key to a USB driveImmediately confirm that the encrypted key copied correctly by clicking Check Key Files and following any prompts. If desired, save or print the Check Key Files report for an audit record showing that the USB drive was readable, and that the destination key matched the source key. Use the steps in Verify the Exported Encryption Key on page 48 to provide a second confirmation.
Figure 21 Use Check Key Files to confirm successful export. If the confirmation indicates the key did not copy correctly, delete all data from the USB drive so that no trace of the failed export file remains, and then export the key again using a different USB drive, beginning with Step 2 on page 45. If you exported the encryption key using emailConfirm the receipt of the email with the attachment by contacting the user to whom you sent the encrypted key file. Have them confirm that the email attachment contains a key file as described in Verify the Exported Encryption Key on page 48.
December 2012
47
December 2012
48
Caution
Make sure you keep a record of the password created when exporting the key. You must have this password and the encrypted file containing the exported key in order to import the encryption key back into the library. Without the key password, you will not be able to import the encryption key.
Important
Backup files of the library configuration include any encryption keys that were stored in the library at the time the file was created.
The following guidelines outline the essential tasks required to protect encryption keys: Save one or more copies of every key using the Key Export option on the Encryption Configuration screen (see Export the Encryption Key on page 45).
Caution
As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, doing so presents security issues, including the following: Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise. The difficulty in verifying where all the copies of emailed encryption keys may be located can make security audits more challenging.
If you choose to store only a single copy of an encryption key, make sure that you keep the copy secure. If something happens to the device where you stored the exported key and the key has been deleted from the library, both the key and all data encrypted using the key are unrecoverable.
Caution
To emphasize: If you lose the encryption key or the password for the exported file, your data is unrecoverable if the key has been deleted from the library. You need to balance the number of copies of the key to store to guarantee access to the encrypted data against the security risk associated with storing multiple keys. Make sure that the key has been successfully stored prior to removing a key from the library.
December 2012
49
Store encryption keys offsite in a location other than the site used for media storage. Confirm that the key is stored correctly on the USB drive or has been received by the intended recipient before deleting the key from your library. If you delete the key, you must import the key back into the library in order to decrypt the data that was encrypted using the key. Importing keys is described in Import the Required Key Into the Library on page 52. You may want to make two copies of a key, storing each in a secure location. Keep a record of each keys location so that you can easily find the key when you need to restore or delete data.
Maintain a list of every password associated with each key and securely store the list. Never keep this list as cleartext (unencrypted text) on a networked computer, or send it through email as cleartext. For added security, encrypt the file containing the list of passwords. Track every copy of each key. This tracking is critical in order to meet requirements that may govern data retention and data destruction. Destroying all exported copies of keys associated with encrypted data AND deleting the keys from the library is sufficient to satisfy data destruction requirements, since encrypted data cannot be accessed without the key used to encrypt it. Spectra Logic recommends tracking the information listed in the following table for every key that you create. For added security, encrypt the file containing the tracking information.
Key moniker: Number of shares (if any): Number of key copies: Location of each copy: Password(s) associated with exported copy of the moniker: Location of cartridges containing data that has been encrypted using this moniker: Moniker creation date: Planned expiration date:
December 2012
50
December 2012
51
Important
In addition to the file containing the exported key, you need the password for the key file in order to import the key into the library. Without the key password, you will not be able to import the encryption key.
Note: If there is already an encryption key stored in the library, you must first delete that key as described in Deleting an Encryption Key from the Library on page 56. You can then import another key. You can import the encryption key from a USB drive or from a remote computer through the librarys BlueScale web interface, as described in the following sections. Import the Key from a USB Drive on page 52 Import the Key Using a Remote Connection to the Library on page 54
December 2012
52
3. From the Encryption Configuration screen, click Import Key. The Encryption Key Files Source screen displays. Note: If you are accessing the library from the operator panel, the Import Key Selection screen displays instead of the Encryption Key Files Source screen.
Figure 23 Choose Import key from USB to retrieve the key file from the USB drive. 4. Select Import key from USB and then click Next. The Import Key Selection screen displays.
Figure 24 Choose the key you want to import. 5. Choose the key to import from the Key List drop-down list and then click Next. The Import Password screen displays.
Figure 25 Enter and confirm a password for the importing encryption key. 6. Type and retype the password that was used to encrypt the key file when it was exported (see Export the Encryption Key on page 45) and click Next.
December 2012
53
7. When the key import is complete, the Encryption Configuration screen displays, showing the moniker of the newly imported key (see Figure 15 on page 40). 8. Assign the imported key to the partition which contains the encrypted cartridge (see Assigning an Encryption Key to a Partition on page 41). 9. Use your backup software to restore the data.
1. Access the encryption feature (see Log Into the Encryption Feature on page 25).
Figure 26 Click Import Key to begin the key import process. 2. From the Encryption Configuration screen, click Import Key. The Encryption Key Files Source screen displays.
December 2012
54
3. Select Import key from RLC and then click Next. The RLC Encryption Key Upload screen displays.
Figure 28 Enter the name of the key file you want to import. 4. To enter the name of the key file to import: Type in the full path and file name in the Encryption Key File field. OR Click Browse. In the File Upload screen, browse to the location where the key is stored, select the key file and then click Open. The path and filename for the key display in the Encryption Key File field.
5. Click Next. The Import Password screen displays (see Figure 25 on page 53). 6. Enter the password that was used to encrypt the key file when it was exported (see Export the Encryption Key on page 45). 7. Click Next. The Encryption Configuration screen displays, showing the moniker of the newly imported key (see Figure 15 on page 40). 8. Assign the imported key to the partition containing the encrypted cartridge (see Assigning an Encryption Key to a Partition on page 41). 9. Use your backup software to restore the data.
December 2012
55
Caution
Make sure that you export a copy of the existing key before you delete it. You will need a copy of the exported key and its password to import the key back into the library and restore data that was encrypted with the key.
Important
Backup files of the library configuration include any encryption keys that were stored in the library at the time the file was created.
Use the following steps to delete a key: 1. Access the encryption feature (see Log Into the Encryption Feature on page 25). 2. Export at least one copy of the key and store it in a safe location (see Export the Encryption Key on page 45). 3. If the encryption key you plan to delete is assigned to a partition, edit the partition to disable encryption (see Disabling Encryption in a Partition on page 57). Note: If you delete an encryption key that is assigned to a partition you will not be able to encrypt or decrypt data in that partition until you reimport the key. 4. From the Encryption Configuration screen, click Delete Key next to the key you want to remove from the library and respond to the confirmation screens to delete the key.
Figure 29 Click Delete Key to remove the key from the library. 5. The Encryption Configuration screen redisplays with a message indicating that the key was successfully deleted. The moniker is no longer listed on the screen.
December 2012
56
Chapter 3Using BlueScale Encryption Key Management Standard Edition Disabling Encryption in a Partition
December 2012
57
CHAPTER 4
Using BlueScale Encryption Key Management Professional Edition
This chapter describes configuring and using BlueScale Encryption Key Management Professional Edition. If you are using Spectra TKLM Encryption key management, see Chapter 2 Using Spectra TKLM Encryption Key Management, beginning on page 29. If you are using BlueScale Encryption Standard Edition, see Chapter 3 Using BlueScale Encryption Key Management Standard Edition, beginning on page 38.
Configuring BlueScale Professional Edition Create an Encryption Key Key Protection Features of Encryption Professional Assigning an Encryption Key to a Partition Exporting and Protecting Encryption Keys Export an Encryption Key Verify the Exported Encryption Key Protect the Encryption Key Restoring Encrypted Data Use a Key Stored in the Library Import the Required Key Into the Library Deleting an Encryption Key from the Library Disabling Encryption in a Partition
page 59 page 59 page 66 page 61 page 65 page 67 page 71 page 73 page 75 page 76 page 76 page 81 page 82
58
Configuring BlueScale
Caution
The BlueScale encryption password is separate from the password used to log into the library. Make sure you keep a record of this password. If you lose this password, you will not be able to configure encryption nor will you be able to import/export encryption keys that have already been assigned and used on encrypted tapes.
User Privilege Requirements Only users with superuser privileges can access and use the BlueScale encryption features.
December 2012
59
Configuring BlueScale
3. Enter a name for the encryption key in the Moniker field. Make sure that the moniker meets the following requirements: A moniker can be any combination of the numbers 09, lower and upper case alphabetic characters (az and AZ), and the at symbol (@), dash (), underscore (_), and colon (:) characters. To improve readability, use an underscore to separate words. Do not use any space characters.
Caution
When using LTO drive-based encryption, make sure that the moniker you choose when creating the BlueScale encryption key contains no more than 32 characters. If you lose an encryption key that has a moniker greater than 32 characters, data cannot be recovered using Spectra Logics Endura Decryption Utility (EDU). See Chapter 6 Using the Endura Decryption Utility, beginning on page 86 for more information.
Each moniker must be a unique string of characters that has not been used for any other encryption key. Recommended. Make a habit of using a single case (all upper or all lower) for monikers. After the encryption key is created and exported, the library ignores the case used in the moniker. For example, the library interprets Spectra1, spectra1, and SPECTRA1 as the same moniker when importing a key. However, the key generated by each variation is unique.
Important
If you create two monikers that are identical except for case, you will not be able to retrieve your data after importing a key that was created using a different variation of the moniker.
4. Click OK. The Encryption Configuration screen displays with a confirmation showing the moniker for the newly created encryption key and a message reminding you to create a copy of the key for safekeeping.
Figure 31 The encryption key currently stored in the library. If the key is not yet assigned to a partition, None displays in the Primary Key For column.
December 2012
60
Chapter 4Using BlueScale Encryption Key Management Professional EditionAssigning an Encryption Key to a
5. Export the newly created encryption key and save it to a secure location (see Exporting and Protecting Encryption Keys on page 65).
Caution
If you lose the encryption key, data encrypted using the key cannot be recovered. For this reason, promptly copying the key and storing it safely (that is, away from the data encrypted using the key) is extremely important to data decryption and recovery. See Exporting and Protecting Encryption Keys on page 65 for additional information.
Caution
To ensure that you can use Spectra Logic's Endura Decryption Utility (EDU) to recover your encrypted data in an emergency, use drive-based encryption if possible. The current version (Revision 2) of EDU does not support recovering data that is encrypted using an F-QIP (see Chapter 6 Using the Endura Decryption Utility, beginning on page 86).
December 2012
61
Chapter 4Using BlueScale Encryption Key Management Professional EditionAssigning an Encryption Key to a
Use the following steps to assign a key to a partition and encrypt all data sent to the partition: 1. Access the encryption feature (see Log Into the Encryption Feature on page 25). Note: If you have not already logged in as an encryption user, you must enter the encryption password before you create or edit a partition using the BlueScale partition wizard. If you are not logged in, the Encryption screen will not display. 2. Select Configuration > Partitions. The Shared Library Services screen displays. 3. Click New to create a partition, or click Edit to modify the settings for an existing partition (see Creating a Data Partition in the User Guide for your library). 4. Navigate through the partition configuration wizard by clicking Next until you reach the Encryption screen.
December 2012
62
Chapter 4Using BlueScale Encryption Key Management Professional EditionAssigning an Encryption Key to a
December 2012
63
Chapter 4Using BlueScale Encryption Key Management Professional EditionAssigning an Encryption Key to a
6. If there is only one key in the library, skip to Step 7. If there are multiple encryption keys in the library, use the following steps to configure encryption and decryption for the partition. a. Select the primary key for the partition. This key is used when encrypting and decrypting data. Notes: Only one key can be assigned as the primary encryption key. With drive-based encryption, only one encryption key is allowed per tape. If you associate a different encryption key with a partition, you must first recycle tapes encrypted with the previous key to re-use them. Refer to Chapter 5 Recycling Encrypted Media, beginning on page 83 for more information.
b. Select none, one, or multiple additional keys to be associated with this partition for decrypting data. Notes: The additional keys will only be used for decrypting data. Having additional keys associated with the partition makes it possible to decrypt data encrypted with those keys even if the primary key for the partition is different. You do not need to reselect the primary key.
7. Click Next to move to the next partition configuration screen. Navigate through the remaining partition configuration screens by clicking Next. 8. When you reach the Save Partition screen, click Save. All data sent to this partition will be encrypted using the key you selected. 9. Access the encryption feature (Accessing the Encryption Feature on page 25) and confirm that the listed keys reflect the assignments you just completed.
December 2012
64
Caution
Data cannot be recovered without the encryption key used to encrypt the data, so protecting encryption keys is extremely important to data decryption and recovery. To decrypt and restore encrypted data, you need the data, the encryption key, and the encryption key password used to protect the exported key and data.
Important
Backup files of the library configuration include any encryption keys that were stored in the library at the time the file was created.
Best Practice Spectra Logic recommends that you export each encryption key to at least two different USB drives and store them in separate locations. Remember, lost encryption keys cannot be recreated; you should keep them as secure (and as backed up) as your data.
Caution
As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, using email presents security issues, including the following: Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise. The difficulty in verifying where all of the copies of emailed encryption keys may be located can make security audits more challenging.
December 2012
65
For example, if you choose the 2-of-3 option, then the encrypted key, which is further protected by a key-specific password, is split into three shares. Each share is then copied to a separate USB drive or sent as an email attachment. Keys that have been split into shares can only be imported from USB drives; they cannot be uploaded through the BlueScale web interface. If the shares were sent as email attachments, they must be copied to separate USB drives in order to import the key. Building on the previous example, this means that two of the three USB drives, along with the encryption key password, are needed to import the key.
December 2012
66
Figure 33 Click Export Key to begin the key export process. If you selected Multi-User mode and you have not already entered a second encryption user password, you will be prompted to enter another password. Enter one of the encryption user passwords that you did not use during the initial login and then click Next. The Export Type screen displays.
3. If you want to export the encryption key to one or more USB drives, plug a USB drive into a USB port on the LCM before continuing. 4. On the Export Type screen, select the desired export option.
December 2012
67
Caution
As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, using email presents security issues, including the following: Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise. The difficulty in verifying where all the copies of emailed encryption keys may be located can make security audits more challenging.
Description Saves the exported encryption key to the USB drive connected to the LCM. Sends the encryption key as an email attachment to a previously configured mail recipient (see Configure Mail Users in the User Guide for your library). Use the Mail single key file to: drop-down list to select the desired recipient. Note: Do not use the default autosupport@spectralogic.com email recipient. Spectra Logic does not save emailed files unless they are specifically requested for troubleshooting. Divides the exported key into multiple shares, with each share saved to a separate USB drive. When you select this option, have on hand a separate USB drive for each share (N). Note: Refer to Export as M-of-N Shares on page 66 for more information about using this option. Divides the exported key into multiple shares, with each share sent as an email attachment to a separate, previously configured mail recipient. Note: Refer to Export as M-of-N Shares on page 66 for more information about using this option.
December 2012
68
5. If you did not select one of the M-of-N options, continue with Step 6. If you selected one of the M-of-N options, use the following steps to configure the shares. a. Click Next. The Export M-of-N Shares screen displays.
Figure 35 Select the desired M-of-N option. b. Select the desired M-of-N option, where M is the minimum number of shares required to import the encryption key and N is the total number of shares to be created. c. If you chose to export the shares to USB, continue with Step 6. If you chose to email the shares, click Next. The Export M-of-N Email screen displays.
December 2012
69
d. Select from the list of email users; you must select the same number of email users as the total number of shares (N). Note: Do not use the default autosupport@spectralogic.com email recipient. Spectra Logic does not save emailed files unless they are specifically requested for troubleshooting. 6. Click Next. The Export Password screen displays.
Figure 37 Enter and confirm a password for the exported encryption key. 7. Type and retype an export password using any combination of the numbers 09, lower and upper case alphabetic characters (az and A Z), and the at symbol (@), dash (), underscore (_), and colon (:) characters. This key is used to encrypt the exported key. 8. Make a record of the encryption key password; you will need it in order to import the key back into the library. Without the password, you cannot import the key, and the data encrypted using the key will be inaccessible.
Caution
Do not lose the encryption key password. Without it, you cannot reimport an encryption key after it is deleted from the library, and the data encrypted using the key will be inaccessible.
9. Click Next to export the key to the selected location. If you selected the option to split the key across M-of-N shares on multiple USB drives, remove the USB drive from the LCM when you are prompted to do so and insert another USB drive.
December 2012
70
10. Confirm that the encryption key was correctly exported. If you exported the encryption key to a USB driveImmediately confirm that the encrypted key copied correctly by clicking Check Key Files and following any prompts. If desired, save or print the Check Key Files report for an audit record showing that the USB drive was readable, and that the destination key matched the source key. Use the steps in Verify the Exported Encryption Key to provide a second confirmation.
Figure 38 Use Check Key Files to confirm successful export. If the confirmation indicates the key did not copy correctly, delete all data from the USB drive so that no trace of the failed export file remains, and then export the key again using a different USB drive, beginning with Step 2 on page 67. If you exported the encryption key using emailConfirm the receipt of the email with the attachment by contacting the user to whom you sent the encrypted key file. Have them confirm that the email attachment contains a key file as described in Verify the Exported Encryption Key.
71
3. If desired, save or print a screen capture of the USB directory for an audit record showing that the USB drive was readable, and that the key file contained information. 4. Store the USB drive in a safe location. 5. If you exported the key as M-of-N shares, repeat Step 1 through Step 4 for each additional USB drive. 6. If the exported key file is not present or if the file is 0 bytes in size, repeat the export process as described in Export an Encryption Key on page 67 using a different USB drive.
December 2012
72
Caution
Make sure you keep a record of the password created when exporting the key. You must have this password and the encrypted file containing the exported key in order to import the encryption key back into the library. Without the key password, you will not be able to import the encryption key.
Important
Backup files of the library configuration include any encryption keys that were stored in the library at the time the file was created.
The following guidelines outline the essential tasks required to protect encryption keys: Save one or more copies of every key using the Key Export option on the Encryption Configuration screen (see Export an Encryption Key on page 67).
Caution
As a matter of best practice, Spectra Logic recommends exporting encryption keys to a USB drive instead of using email. Although emailing encryption keys is supported by the library, doing so presents security issues, including the following: Copies of encryption keys may be left on the email servers used for sending and receiving email and are thus subject to compromise. The difficulty in verifying where all the copies of emailed encryption keys may be located can make security audits more challenging.
If you choose to store only a single copy of an encryption key make sure that you keep the copy secure. If something happens to the device where you stored the exported key and the key has been deleted from the library, both the key and all data encrypted using the key are unrecoverable.
Caution
To emphasize: If you lose the encryption key or the password for the exported file, your data is unrecoverable if the key has been deleted from the library. You need to balance the number of copies of the key to store to guarantee access to the encrypted data against the security risk associated with storing multiple keys. Make sure that the key has been successfully stored prior to removing a key from the library.
December 2012
73
Store encryption keys offsite in a location other than the site used for media storage. Confirm that the key is stored correctly on the USB drive or has been received by the intended recipient before deleting the key from your library. If you delete the key, you must import the key back into the library in order to decrypt the data that was encrypted using the key. Importing keys is described in Import the Required Key Into the Library on page 76. You may want to make two copies of a key, storing each in a secure location. Keep a record of each keys location so that you can easily find the key when you need to restore or delete data.
Maintain a list of every password associated with each key and securely store the list. Never keep this list as cleartext (unencrypted text) on a networked computer, or send it through email as cleartext. For added security, encrypt the file containing the list of passwords. Track every copy of each key. This tracking is critical in order to meet requirements that may govern data retention and data destruction. Destroying all exported copies of keys associated with encrypted data AND deleting the keys from the library is sufficient to satisfy data destruction requirements, since encrypted data cannot be accessed without the key used to encrypt it. Spectra Logic recommends tracking the information listed in the following table for every key that you create. For added security, encrypt the file containing the tracking information.
Key moniker: Number of shares (if any): Number of key copies: Location of each copy: Password(s) associated with exported copy of the moniker: Location of cartridges containing data that has been encrypted using this moniker: Moniker creation date: Planned expiration date:
December 2012
74
December 2012
75
Important
In addition to the file containing the exported key, you need the password for key file in order to import the key into the library. Without the key password, you will not be able to import the encryption key.
December 2012
76
As described in the following sections, you can import the encryption key from a USB drive or from a remote computer through the librarys BlueScale web interface.
Important
You cannot import a key that was exported using M-of-N shares using the BlueScale web interface. You must use multiple USB drives to import the key. If the shares of the encrypted key were distributed as email attachments, the required number of shares (M) must be copied to separate USB drives before the key can be imported and used to decrypt and restore data.
Import the Key from a USB Drive Import the Key Using a Remote Connection to the Library on page 79
Figure 39 Click Import Key to begin the key import process. 2. Plug the USB drive containing the exported encryption key you want to import into a USB port on the LCM. Note: If you exported the key as M-of-N shares, you must have the required number shares (M) available on separate USB drives.
December 2012
77
3. From the Encryption Configuration screen, click Import Key. If you selected Multi-User mode and you have not already entered a second encryption user password, you will be prompted to enter another password. Enter one of the encryption user passwords that you did not use during the initial login and then click Next. The Encryption Key Files Source screen displays. Otherwise, the Encryption Key Files Source screen displays immediately.
Note: If you are accessing the library from the operator panel, the Import Key Selection screen displays instead of the Encryption Key Files Source screen.
Figure 40 Choose Import key from USB to retrieve the key file from the USB drive. 4. Select Import key from USB and then click Next. The Import Key Selection screen displays.
Figure 41 Choose the key you want to import. 5. Choose the key to import from the Key List drop-down list and then click Next. The Import Password screen displays.
Figure 42 Enter and confirm a password for importing the encryption key.
December 2012 Spectra Encryption User Guide
78
6. Type and retype the password that was used to encrypt the key file when it was exported (see Export an Encryption Key on page 67) and click Next. If you are importing a key that was exported as M-of-N shares, connect each of the required UBS drives, one after the other, when prompted. For each share, type and retype the password that was used to encrypt the key file when it was exported. 7. When the key import is complete, the Encryption Configuration screen displays, showing the moniker of the newly imported key (see Figure 31 on page 60). 8. Assign the imported key to the partition which contains the encrypted cartridge (see Assigning an Encryption Key to a Partition on page 61). 9. Use your backup software to restore the data.
1. Access the encryption feature (see Log Into the Encryption Feature on page 25).
December 2012
79
2. From the Encryption Configuration screen, click Import Key. If you selected Multi-User mode and you have not already entered a second encryption user password, you will be prompted to enter another password. Enter one of the encryption user passwords that you did not use during the initial login and then click Next. The Encryption Key Files Source screen displays. Otherwise, the Encryption Key Files Source screen displays immediately.
Figure 44 Choose Import key from RLC to upload the key. 3. Select Import key from RLC and then click Next. The RLC Encryption Key Upload screen displays.
Figure 45 Enter the name of the key file you want to import. 4. To enter the name of the key file to import: Type in the full path and file name in the Encryption Key File field. OR Click Browse. In the File Upload screen, browse to the location where the key is stored, select the key file and then click Open. The path and filename for the key display in the Encryption Key File field.
5. Click Next. The Import Password screen displays (see Figure 42 on page 78). 6. Enter the password that was used to encrypt the key file when it was exported (see Export an Encryption Key on page 67). 7. Click Next. The Encryption Configuration screen displays, showing the moniker of the newly imported key (see Figure 31 on page 60). 8. Assign the imported key to the partition containing the encrypted cartridge (see Assigning an Encryption Key to a Partition on page 61). 9. Use your backup software to restore the data.
December 2012
80
Chapter 4Using BlueScale Encryption Key Management Professional EditionDeleting an Encryption Key from
Caution
Make sure that you export a copy of the existing key before you delete it. You will need a copy of the exported key and its password to import the key back into the library and restore data that was encrypted with the key.
Important
Backup files of the library configuration include any encryption keys that were stored in the library at the time the file was created.
Use the following steps to delete a key: 1. Access the encryption feature (see Log Into the Encryption Feature on page 25). 2. Export at least one copy of the key and store it in a safe location (see Export an Encryption Key on page 67). 3. If the encryption key you plan to delete is assigned to a partition, either as the primary key or as a decryption-only key, edit the partition to disable encryption (see Disabling Encryption in a Partition on page 82 or assign a different key (see Assigning an Encryption Key to a Partition on page 61). Note: If you delete an encryption key that is assigned to a partition you will not be able to encrypt or decrypt data in that partition until you reimport the key. 4. From the Encryption Configuration screen, click Delete Key next to the key you want to remove from the library and respond to the confirmation screens to delete the key.
Figure 46 Click Delete Key to remove the key from the library. 5. The Encryption Configuration screen redisplays with a message indicating that the key was successfully deleted. The moniker is no longer listed on the screen.
December 2012 Spectra Encryption User Guide
81
Disabling Encryption in a
December 2012
82
CHAPTER 5
Recycling Encrypted Media
Overview Encryption-enabled LTO drives require that all data encrypted and written to a single cartridge use the same encryption keythat is, a single key is associated with all the encrypted data on an individual cartridge. After encrypted data is written to a cartridge, the drive will not overwrite the data using a different encryption key. You must recycle the cartridge using the recycling capability provided by BlueScale Encryption before a different encryption key can be used. In addition, you must recycle the cartridge before you can re-use it if you lose the encryption key for the cartridge. Notes: If you plan to use the same key that was used to encrypt the data already on the cartridge, you do not need to recycle the cartridge using the process described in this section. Make sure that the backup software cannot access the drive you plan to use for recycling the encrypted media. The recycle media operation can only be performed from the library operator panel. You cannot access the Import/Export screen when using the BlueScale web interface from a remote computer.
User Privilege Requirement Any user with operator privileges who is assigned to the partition and all users with superuser or administrator privileges can recycle encrypted cartridges. See your User Guide for information about assigning users to a partition. Requirements You cannot run backup or restore operations while the library is recycling encrypted cartridges. If you have a large number of cartridges to process, make sure that you wait until the library is idle.
Important
For libraries that use one of the drives in the partition to provide the robotic control path, use your software to take the library off-line or stop all backup or restore operations to the partition before beginning the recycle process. Attempting to recycle media while the host is issuing commands to the library through the exporting drive may cause the backup or restore operation to fail.
83
Process Use the following steps to recycle one or more encrypted LTO cartridges so that they can be reused with a new encryption key. 1. From the operator panel, log into the library as a user with the appropriate privileges (see User Privilege Requirement on page 83). 2. Select General > Import/Export. The Import/Export screen displays showing the information for the last partition that was viewed on either the Import/Export screen or the Inventory screen. 3. Select the partition that contains the cartridges that you want to recycle from the Partition drop-down list and then click Go. The Import/Export screen refreshes to show the current status of the chambers assigned to the selected partition.
Figure 47 Choose the partition containing the cartridges to be recycled. 4. Click Recycle Encryption Media. The Select Media to Recycle screen displays.
December 2012
84
5. Select the first cartridge you want to move into or out of the Media to Recycle list and then click the appropriate button. The Available Media list shows all of the encrypted media in the partition you selected. To narrow down the media choices in the Available Media list, enter a partial or entire barcode in the Find by Barcode field and select Find. The list displays only cartridges with barcodes that match the values that you entered.
Function Adds the cartridge currently selected in the Available Media list to the Media to Recycle list. Adds all of the encrypted media currently in the entry/exit pool to the Media To Recycle list. This option is especially useful if you have imported a large amount of encrypted media into the library entry/exit pool and want to recycle it before moving it into a partition. Adds all of the cartridges in the Available Media list to the Media To Recycle list. Removes the selected cartridge from the Media To Recycle list. Removes all of the cartridges from the Media To Recycle list.
Figure 49 The Select Drive to Recycle Media screen. 7. Select the drive that you want to use for recycling the cartridges from the Drive drop-down list and then click Recycle Encryption Media to begin the recycling operation. Note: Once the recycle operation starts, you cannot perform any other library operations until it is complete.
December 2012
85
CHAPTER 6
Using the Endura Decryption Utility
Endura Decryption Utility Overview Prepare for the Decryption Process Run EDU to Decrypt Data EDU Command Line Description Example: Using Two Drives to Decrypt and Write the Data (Preferred Method) Example: Using One Drive To Decrypt and Write the Data (Not Recommended) Restore the Data Decrypted with Endura
Important
EDU is not designed to be used as an alternative to decrypting data using an encryption-capable library. Using EDU in a production environment is not recommended.
86
Hardware and Software Requirements Before you can use EDU to decrypt data stored on LTO cartridges, you must have the following hardware and software available and configured: A host computer running Linux with root level access. The following Linux kernels have been tested and are supported by Spectra Logic. Red Hat has been tested with these kernels and is recommended. Kernel 2.4 Kernel 2.6 Other versions of Red Hat have not been tested. Make sure the host uses a file system that can support a file size equal to the maximum data capacity of the tape to be decrypted.
Notes:
One or two standalone IBM LTO drives that are compatible with the data cartridges you need to decrypt (Fibre Channel, SAS, or SCSI) that the host computer can access for reading and writing data. Using two drives is recommended, but not required. Note: Using drives in a library is not supported. If only one drive is available, make sure that the host has sufficient available hard disk space in its temporary directory (/tmp) to store all of the data on the cartridge. If you are unsure of the exact amount of data on the cartridge, make sure sufficient space is available to hold the maximum amount of data that can be stored on the cartridge.
Important
Depending on the compressability of the data, up to five times the base tape capacity may be required. If the host hard disk does not have sufficient space, the operation will fail.
For example, to decrypt uncompressed data from an LTO-4 cartridge, you need to have at least 800 GB of disk space available. The binary file for the current version of EDU stored in a location that can be accessed and read by the host computer. Note: Copying the binary file for EDU to the host simplifies the command syntax required to run EDU. For example, copy the binary file to the following location on the host:
/root/decrypt/
A host running the backup software originally used to write the data to tape. You need this in order to restore the decrypted data.
December 2012
87
Data Cartridge, Encryption Key, and Password Requirements For each data cartridge you need to decrypt, make sure that you have the following available: A blank data cartridge to store the decrypted data.
Important
Although this requirement is optional, using a blank cartridge for the decrypted data is strongly recommended. If the cartridge containing the original encrypted data is used for the decrypted data, the original encrypted data will be overwritten and, in the event of a failure, lost.
A barcode label with the same numbering sequence as the barcode label used on the encrypted cartridge (see Restore the Data Decrypted with Endura on page 95). The encryption key file(s) required to decrypt the data; the key file(s) must be stored in a location that can be accessed and read by the host computer. Notes: Copying the key file(s) to the same location as the EDU binary file simplifies the command syntax required to run EDU. For example, copy the key file(s) to the following location on the host: /root/decrypt/. If the key was split into M-of-N shares when it was exported, make sure that you have files for the required number of shares (M). Because the shares on the USB drives all have the same filename, you must rename each of the share files to make them unique when you copy them from the USB drives to the location from which they will be accessed.
The password for each encryption key file. Note: If the key was exported as M-of-N shares, each share will require you to enter the password that was used to encrypt the key file when it was exported.
December 2012
88
5. Determine the Linux device name for each tape drive you will use (for example, the two drives may be /dev/nst0 and /dev/nst1). Decide which drive will be used to read and decrypt the data and which one will be used to write the decrypted data to a new cartridge. 6. From the host Linux command line, type the following command to verify that the drive is online and communicating with the host. If you are using two drives, verify both drives.
mt -f /dev/[device name] status
where [device name] is the Linux device name for the drive determined in Step 5 on page 89. The response from each drive should be similar to the following:
SCSI 2 tape drive: File number=0, block number=0, partition=0, Tape block size 0 bytes. Density code 0x0 (default). Soft error count since last status=0 General status bits on (40050000): BOT DR_OPEN IM_REP_EM
7. Make sure you know the full path and full filename for the EDU binary file (see Hardware and Software Requirements on page 87). 8. Make sure you know the full path, filename, and password for each encryption key file (see Data Cartridge, Encryption Key, and Password Requirements on page 88). 9. Write-protect all of the cartridges containing the original encrypted data.
Caution
Although you can choose to turn off write-protection on the original cartridge and decrypt and restore data to the same cartridge, doing so is strongly discouraged. Writing the decrypted data to the same cartridge overwrites the original data set. If the system has had any problem copying the data, then the original data is erased and cannot be recovered.
10. Make sure that the blank cartridges to which the decrypted data will be written are not write-protected.
December 2012
89
December 2012
90
Command Response EDU responds to the command with system prompts requesting the encryption key filename and the password for the key file. Enter the requested information and press Enter. Notes: If the key was exported as a single file, the key filename has an extension of .bsk. If the key was split into M-of-N shares when it was exported, each share file has an extension of .bss. You will be prompted for the filename and password for each share. All of the shares use the same password. If you did not copy the key file to the same location as the EDU binary file, the filename must include the full path to the file.
Example: Using Two Drives to Decrypt and Write the Data (Preferred Method)
This section provides an example of using one drive to read and decrypt the data and a second drive to write the decrypted data to a new data cartridge. This example makes the following assumptions: EDU and the encryption key file are stored in a folder called
/root/decrypt/
The EDU version number is 2.4-1_4_0_8 The device name for the drive you will use to read and decrypt the original data cartridge is /dev/nst0 The device name for the drive you will use to write the decrypted data to a new data cartridge is /dev/nst1 The filename for the encryption key file is 106067test.bsk The encryption key was exported as a single file (n=1)
Use the following steps to perform the decryption. 1. Complete the requirements in Prepare for the Decryption Process on page 88. Note: Make sure that you know the Linux device identifier for each drive. 2. Prepare the tape drives. Insert a write-protected cartridge into the drive that will be used to read and decrypt the data on the encrypted cartridge. Insert a blank, write-enabled cartridge into the drive that will be used to write the decrypted data to a new data cartridge.
December 2012
91
3. From the Linux command line, enter the following commands to start EDU. Press Enter after each command.
Caution
Make sure that you specify the drive containing the encrypted cartridge as the source and the drive containing the blank cartridge as the destination. Reversing the two drives will result in the encrypted data being erased if the encrypted cartridge is not write-protected.
[root@localhost ~]# cd /decrypt [root@localhost decrypt]# ./edu-2.4-1_4_0_8 -i /dev/nst0 -o /dev/nst1 -n1
4. The system displays a startup message and then prompts for the key password and key file path, including the filename. Press Enter after you enter the password and again after you enter the full path and filename for the key. Example The following shows an example of the startup message and prompts.
Endura Decryption Utility version 1:4:0:8 starting ================================================================= Enter the password and path to the key. If the key has been split up into multiple parts, you will be prompted for additional filenames. Password of key: 106067
5. The system uses the source drive to read the data from the original encrypted cartridge and decrypt the data. It then writes the decrypted data to the blank cartridge in the destination drive. Messages display as the data is decrypted. When the host system prompt redisplays, the decryption operation is complete. 6. Remove the cartridges from both drives. 7. Repeat Step 2 on page 91 through Step 6 on this page for each cartridge you need to decrypt. 8. Use the backup software originally used to write the data to restore it (see Restore the Data Decrypted with Endura).
December 2012
92
Example: Using One Drive To Decrypt and Write the Data (Not Recommended)
This section provides an example of using one drive to both decrypt the data and write the decrypted data to a new cartridge. This example makes the following assumptions: EDU and the encryption key file are stored in a folder called
/root/decrypt/
The EDU version number is 2.4-1_4_0_8 The device name for the drive you will use is /dev/nst0 The filename for the encryption key file is 106067test.bsk The encryption key was exported as a single file (n= 1)
Use the following steps to perform the decryption. 1. Complete the requirements in Prepare for the Decryption Process on page 88 2. Insert a write-protected cartridge into the drive. 3. From the Linux command line, enter the following commands to start EDU. Press Enter after each command.
[root@localhost ~]# cd /decrypt [root@localhost decrypt]# ./edu-2.4-1_4_0_8 -i /dev/nst0 -o /dev/nst0 -n1
4. The system displays a startup message and then prompts for the key password and the filename for the key file, including the path (see Step 4 on page 92). Press Enter after you enter the password and again after you enter the full path and filename for the key. 5. The system begins copying the encrypted data to the /tmp directory on the host. Messages display as the data is copied. Example The following shows an example of the messages and prompts displayed as the data is copied and decrypted.
Added key with moniker: 106067test Opening: /tmp/edu_cache.dat Opening: /tmp/edu_cache.siz /dev/nst0: opening /dev/nst0: rewinding /dev/nst0: rewind complete Copying encrypted data from tape to disk cache... /dev/nst0: Reached EOD /dev/nst0: Reached EOD Done (1001 blocks) Copied 1001 blocks
December 2012
93
6. When the system indicates that the copy is complete and prompts you to insert an empty tape, eject the write-protected cartridge. Insert a write-enabled blank cartridge into the drive and then press Enter. EDU writes the decrypted data to the cartridge currently loaded in the drive.
Caution
If you did not write-protect the original cartridge before you inserted it into the drive and you press Enter without inserting a blank cartridge into the drive, EDU will write the decrypted data to the original cartridge. The original data set will be overwritten. If the system had any problem copying the data from the /tmp directory on the host, then the original data is lost and cannot be recovered.
Note: If the blank cartridge is write-protected, the copy operation will fail. You must then start the entire process again. Example
Insert destination tape and press [enter]... Decrypting /dev/nst0: /dev/nst0: /dev/nst0: Done (1001 from disk cache to tape... opening rewinding rewind complete blocks)
Checking CAM Information ----------------------------------------------------------------/dev/nst0: opening device Getting LUN information for /dev/nst0 ----------------------------------------------------------------/dev/sg0: opening device /dev/sg1: opening device Found matching SCSI device. /dev/nst0 = /dev/sg0 /dev/sg0: Sending Read Attribute /dev/sg0: Command complete (8 bytes, 9 ms) Info Message: Encryption Attribute on MAM not found - This is not an error. ----------------------------------------------------------------[root@localhost decrypt]#
7. When the process completes, remove the cartridge containing the decrypted data from the drive. 8. Repeat Step 2 on page 93 through Step 7 on this page for each cartridge you need to decrypt. 9. Use the backup software originally used to write the data to restore it (see Restore the Data Decrypted with Endura on page 95).
December 2012
94
December 2012
95
CHAPTER 7
Encryption Troubleshooting
This chapter describes troubleshooting steps you can take, as appropriate, to help resolve problems you might encounter while operating the library. Try these troubleshooting procedures before you open a support ticket with Spectra Logic Technical Support. If you are unable to resolve the problem yourself, open a support ticket. Note: The library must be under warranty or have a valid service contract in order to qualify for support (see Service Contract Extension in the User Guide for your library to learn about service contracts).
System message states that Load attempted while encryption is enabled, but no moniker or key list was sent to the DCM.
If a cartridge is left in a drive after the library loses power or you reset or power-cycle the library, the drive will not be able to receive encryption monikers. This can also occur if a tape is left in a drive while the drive is reset or reseated.
96
Chapter 7Encryption Troubleshooting Issue System message states that a tape drive requires a specific moniker. Cause The cartridge was encrypted using an encryption key that is not currently available on the library. Or, if you are using BlueScale Professional Edition, the required encryption key is available, but was not selected as one of the partitions decryption keys. Resolution Depending on which BlueScale Encryption edition you are using, use the following steps to enable the cartridge to be read: BlueScale Standard Edition 1. Log into the library as a superuser. 2. Log into the encryption feature. 3. Export and then delete the encryption key currently listed on the Encryption Configuration screen (see Deleting an Encryption Key from the Library on page 56). 4. Import the required key (see Import the Required Key Into the Library on page 52). 5. Select Configuration > Partitions. 6. Click Edit next to the partition containing the cartridge. 7. Navigate through the BlueScale partition wizard to the Encryption screen. 8. Select the encryption key to be associated with the partition. BlueScale Professional Edition 1. Log into the library as a superuser. 2. Log into the encryption feature. 3. Make sure the encryption key is listed on the Encryption Configuration screen. If it is not listed, add the key to the library (see Import the Required Key Into the Library on page 76). 4. Select Configuration > Partitions. 5. Click Edit next to the partition containing the cartridge. 6. Navigate through the BlueScale partition wizard to the Encryption screen. 7. Select the required encryption key as either the primary encryption key or as a decryption key.
December 2012
97
INDEX
B
backup encryption keys 44 to 48, 65 to 74 backup software restoring encrypted data 51 to 55, 75 to 80 best practices 21 encryption policies and strategies 17 to 21 export and protect encryption keys 49 to 50 monikers 21 password and moniker standards 21 passwords for exported keys 21 protecting encryption keys 49 to 50, 73 to 74 BlueScale Encryption components 14 overview 14 Professional vs. Standard Edition 15 to 16 Check Key Files, using to validate exported key 47, 71 compatibility between LTO and F-QIP encryption 15 configuring encryption access the encryption features 25 BlueScale Professional Edition 59 to 82 create key 39 to 41, 59 to 61 disable for a data partition 57, 82 passwords required to access features 20 Spectra TKLM 30 to 37 Standard Edition 39 to 57 user mode 26 contacting Spectra Logic 4 creating an encryption key 59
E
email Spectra Logic offices 4 enable F-QIP-attached drive partitions 41, 61 Encryption overview 11 encryption features, access 20 encryption key assigning to a partition 41 to 44, 61 to 64 best practices 65 creating a moniker 39 to 41, 59 to 61 deleting 56, 81 export before deleting 56, 81 export requirements for multiuser mode 66 exporting 44 to 48, 65 to 74 exporting, best practice 65 guidelines for protecting 49 to 50, 73 to 74 import M-of-N shares 77 to 79 import M-of-N shares, requirements 75, 79 import requirements for multiuser mode 75, 78 import using USB drive 52 to 54, 77 to 79 importing using web interface 54 to 55, 79 to 80 M-of-N shares, description 66 M-of-N shares, export requirements 66 protect against lost 41, 61 requirements for creating monikers 40, 60 stored in auto save configuration file 44, 65 validating exported 47, 71 verify exported file 48 to 48, 71 to 72
D
data restoring encrypted 51 to 55, 75 to 80 data partitions, configuring disable encryption 37 default encryption password 25 deleting encryption key 56, 81 documentation related to drive use 9 typographical conventions 10 drives, firmware device drivers 35 drives, general information related documentation 9 drives, using LTO encryption compatibility 15
C
cartridges, using recycling encrypted tapes 83 to 85 cautions deleting encryption keys 56, 81 emailing encryption keys 18, 45, 46, 65, 68 encryption key moniker length 40, 60 lost encryption keys 41, 61 lost encryption user password 28, 31, 39, 59
98
Index F
encryption key, exporting 44 to 48, 65 to 74 best practices 65 encryption key, importing USB drive for M-of-N shares 77 encryption, best practices encryption key 65 monikers 21 password and moniker standards 21 passwords and monikers 20 passwords for exported keys 21 encryption, configuring disable for a data partition 37 log in 25 set initialization mode 27 set user passwords 28 Endura Decryption Utility overview 86 exporting encryption keys 44 to 48, 65, 65 to 74 initialization mode secure mode 27 standard mode 27 initialization mode, encryption configuring 27 monikers 21 creating 39 to 41, 59 to 61 recommended standards 21 requirements 39 to 41, 60 multi-user mode 26
K
key management tasks 49 to 50, 73 to 74 key management 49 to 50, 73 to 74
P
partitions, configuring assign an encryption key 41 to 44, 61 to 64 disable encryption 57, 82 enable encryption 35 to 36, 41 to 44, 61 to 64 partitions, using recycle encrypted tapes 83 to 85 user privileges required to recycle encrypted cartridges 83 passwords encryption 28 passwords, best practices recommended standards 21 phone numbers, Spectra Logic offices 4 protecting encryption keys 49 to 50, 65, 73 to 74
L
library, troubleshooting encryption 96 encryption issues 96 to 97 encryption moniker 96 encryption server 96 Spectra TKLM requirements 96 license agreement, software 3 LTO recycling encrypted tapes 83 to 85
F
fax numbers, Spectra Logic 4 filenames exported encryption key 48, 48, 48, 71, 72 F-QIP enabling encryption 41, 61
M
mailing address, Spectra Logic 4 main office, Spectra Logic 4 media recycling 83 modes, encryption multi-user 26 secure initialization, no encryption on startup 27 single user 26 standard initialization, encryption enabled on startup 27 M-of-N shares description 66 encryption key export requirements 66 encryption key import requirements 75, 79
R
recycling encrypted LTO media 83 to 85 restoring encrypted data 51 to 55, 75 to 80 reusing encrypted tapes 83 to 85
G
guidelines protecting encryption keys 49 to 50, 73 to 74 using encryption 17 to 21
S
sales, contacting 4 secure initialization 27 secure initialization, modes secure initialization, no encryption at library startup 27 standard initialization, encryption enabled on startup 27
I
importing an encryption key using a USB drive 52 to 54, 77 to 79 using web interface 54 to 55, 79 to 80
December 2012
99
Index T
single user mode 26 software license agreement 3 Spectra Logic contacting 4 Spectra TKLM Encryption overview 13 standard initialization 27
T
technical support contacting 4 troubleshooting, library encryption 96 encryption issues 96 to 97 encryption moniker 96 encryption server 96 general information 96 Spectra TKLM requirements 96 typographical conventions 10
U
USB drive using to import encryption key 52 to 54, 77 to 79 user mode multi-user mode 26 single user mode 26 user privileges required to access Encryption application 25 enable and configure encryption 17 log into and use BlueScale Encryption 31, 39, 59 recycle encrypted cartridges 83
W
web interface using when importing encryption keys 54 to 55, 79 to 80 website Spectra Logic 4
December 2012
100