Scalar i3 Encryption

Overview

The library supports several encryption key management solutions. These solutions work in conjunction with the library to generate, protect, store, and manage encryption keys. The keys are used by tape drives to encrypt information being written to, and decrypt information being read from, media. The library communicates with the encryption key management server(s). The encryption keys pass through the library, so that encryption is transparent to the applications. Using the library in this way is known as library managed encryption.

Encryption Key Management (EKM)

Encryption Key Management (EKM) is a licensed feature. The library supports two third party key managers that require an EKM license installed:

In addition, the library also supports a Quantum proprietary key management solution, which requires an SKM license installed:

A tape library can only configure a single EKM solution for library manged encryption (LME). Encryption can be enabled or disabled per partition. By default, LME is disabled per partition. However, encryption-capable tape drives are configured for application managed encryption (AME) by default, so that an application is able to request drives to encrypt/decrypt data without the need for any specific library configuration.

Additional Information

WARNING: No changes to the encryption settings can be made while library partitions are configured to use Library-Managed Encryption (LME). LME must first be disabled on the partition before making changes to the encryption settings (see Encryption Key Management (EKM)).

Encryption involves the use of several kinds of keys. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some host applications are capable of performing key management. For environments without such applications or those where application agnostic encryption is desired, Quantum provides the Scalar Key Manager (SKM) solution to perform all necessary key management tasks.

Scalar Key Manager - How it Works

Scalar Key Manager (SKM) generates, protects, stores, and maintains data encryption keys that are used to encrypt information being written to, and decrypt information being read from, tape media (tape and cartridge formats).

SKM acts as a process awaiting key generation or key retrieval requests sent to it through a secure TCP/IP communication path between SKM and the tape library.

When a new data encryption key is needed, the tape drive requests a key, which the library forwards to the primary SKM server. The library requests a data encryption key from the primary SKM server first, unless the primary SKM server is down and failover to the secondary SKM server has occurred. If failover to the secondary SKM server occurred, then the library continues to request data encryption keys from the secondary SKM server until either the library is rebooted or the secondary server goes down and failover back to the primary occurs.

After a library reboot, the library goes back to forwarding requests to the primary server.

Upon receipt of the request, SKM retrieves an existing data encryption key from the keystore and securely transfers it to the library, which then provides it to the tape drive where it is used to encrypt the data being written to tape. Once a data encryption key is assigned to a tape, it is never reused on another tape.

When an encrypted tape is read by a tape drive, the tape drive requests, via the library, the required data encryption key from the SKM server. SKM retrieves the required data encryption key from the keystore and securely transfers it to the library, which provides it to the tape drive. The tape drive uses the data encryption key to perform encryption or decryption.

No data encryption key is stored anywhere on the cartridge memory or the tape. Only the name of the data encryption key is stored on the tape, so that in the future the key can be requested for further read or write purposes. The first read/write operation on an encrypted tape requires the tape drive to request the data encryption key.

The Key Management Interoperability Protocol (KMIP) is a specification developed by OASIS. Its function is to standardize communication between enterprise key management systems and encryption systems.

KMIP is only supported in certain environments. Contact your Quantum representative for details.

Details about the KMIP-compliant implementation include:

  • As with other encryption systems supported by the library, in order to use KMIP-compliant encryption systems, you must have an Encryption Key Management license installed on the library.
  • A minimum of two KMIP-compliant encryption servers is recommended to ensure keys are backed up to alternate servers for safe keeping and disaster recovery.

Security Key Lifecycle Manager (SKLM) offers secure and robust key storage, key serving and key lifecycle management for IBM and non-IBM storage solutions, which the tape library supports using the OASIS Key Management Interoperability Protocol (KMIP) to connect to the IBM SKLM solution.

The tape library allows the IBM SKLM encryption key management solution to configure either a single master, or master/clone encryption key server configuration. The tape library creates key sets during encryption key management configuration on the master IBM key server. The master key server then clones the key set(s) to any configured clone server, which allows the tape library to retrieve a key from the configured clone server in case of connection failures to the master key server.

Note: The tape library does not have visibility to any existing encryption keys created via the IBM SKLM user interface, but retrieves new key requests from the tape library created key set only. In addition, the tape library maintains metadata on the key server to identify key sets and the last used key so that new key requests retrieve keys by rotating through the complete key set. Key sets may be extended, or additional key sets may be created, for use by individual library partitions.

Note: Tape library generated key sets are stored on the IBM SKLM key server, but are currently not manageable for any IBM SKLM key life cycle management operations.

If you are running SKM or a KMIP key manager encryption solutions, Transport Layer Security (TLS) communication certificates with valid dates must be installed on the library in order for the library to communicate securely with attached EKM servers. At any time, you may install a new set of TLS certificates to overwrite the existing set. The new TLS certificates must all be valid or the overwrite will not occur and the existing certificates will remain in place.

You can install your own TLS certificates (for SKM), or when installing TLS certificates for KMIP key managers. When providing your own certificates, it is assumed you understand the concepts of PKI and can access the tools or third-party resources needed to generate or obtain certificates.

  • If you are using SKM: You must be running SKM 2.4 or higher on your SKM servers in order to install your own TLS certificates. If you install your own TLS certificates on the library, you must also install your own certificates on the SKM servers. Similarly, if you use the Quantum-provided TLS certificates on the SKM servers, you must also use the Quantum-provided TLS certificates on the library.
  • If you are using KMIP key managers: Your KMIP server provider will provide TLS communication certificates.

When you upload encryption certificates to the library, you will need to provide the following:

Encryption System Certificates Required
SKM

  • Root (Certificate Authority) certificate.

  • Client certificate.

  • Admin certificate.
KMIP Key Management

  • Root (Certificate Authority) certificate.

  • Client certificate.
IBM SKLM (KMIP)

  • Root (Certificate Authority) certificate.

  • Client certificate.

Certificate Format

The certificate files must be in the following format. If any of the following requirements is not met, none of the certificates will be uploaded.

  • Root certificate must be 2048 bits.

  • Root certificate must be in PEM format.

  • Admin and Client certificates must be in pkcs12 (.p12) format, with a separate certificate and private key contained in each. The .p12 format combines the public/private key pair files in .pem file format and password protects access to such .pem certificate files.

  • The Admin and Client certificates must be 1024 bits.

  • The Admin and Client certificates must be signed by the Root certificate.

  • Certificates must have the Organization name (O) set in the Issuer and Subject information.

  • (SKM only) The Admin certificate must have its Organizational Unit name (OU) set as "akm_admin" in its Subject Information.

  • The same Root certificate must be installed on the encryption key servers and the library.

  • All the certificates must have a valid validity period according to the date and time settings on the encryption key server.

  • You cannot update encryption communication certificates if there is a library partition in LME mode

Layout

List all available encryption types and any current configuration details.

Column Description
EKM Solution/ Service IP Address

Type of encryption: Scalar Key Manager (SKM) KMIP Key Manager IBM SKLM (KMIP).
Configuration Status Configured or Not Configured.
Access Security

Type of communication security: SSL/TLS
Path Diagnostics Enabled or Disabled.

Lists all the configured parameters for any highlighted encryption type.

Shows a summary of the total number of Library- or Application-managed partitions in the library.

Provides options for drive configuration, maintenance and action.

Configuration
Add Allows you to define the key management server IP address and port configurations.
Modify Allows you to modify the key management server IP address and port configurations.
Delete Allows you to add, modify, or delete Encryption (EKM) Solutions that are licensed on the library.
Actions
Path Diagnostics Allows you to run series of short tests to validate whether the key servers are running, connected, and able to serve keys as required
Load Certificates Allows you to upload authorized certificates for security on your library.

Tasks

Configuration

This window allows you to define the key management server IP address and port configurations. You can either add a redundant Scalar Key Manager (SKM) solution or a Key Management Interoperability Protocol (KMIP) key manager solution that supports up to 10 key servers.

  1. From the Navigation panel, select Encryption.
  2. In the North Panel, select the check box next to Scalar Key Manager (SKM).

  3. In the Operations panel, click Add.

    Item Description Action
    Server Address

    Identifies the IP address of the first SKM server. The library will contact this server first for all key requests unless it is not available.

    Note: It is recommended that you use the geographically closest server in this field.

    		 Enter text.

    Server Address

    		 Identifies the IP address of the second SKM server. The library will failover to this server if the first SKM server is not available. The library will continue to use this server until it is not available even if the first server become available. Enter text.

    Path Diagnostics

    Allows the library to establish a heartbeat with the SKM servers to alert of connectivity or operational failures. Time intervals include:

    0 min - no heartbeat path diagnostics are enabled

    15 min - path diagnostic heartbeat will be run every 15 minutes

    30 min - path diagnostic heartbeat will be run every 30 minutes

    60 min - path diagnostic heartbeat will be run every 60 minutes

    		 Select a value from the drop-down menu.
    Port Identifies SKM port number for first server. Cannot be changed
    Port Identifies SKM port number for second server. Cannot be changed

  4. Click Apply to save your settings.

  5. Click Close to exit the window.

  1. From the Navigation panel, select Encryption.
  2. In the North Panel, select the check box next to IBM SKLM (KMIP).

  3. In the Operations panel, click Add.

    Item Description Action
    Server Identifies the IP address of the IBM KMIP server. Enter a valid IP port address.
    Path Diagnostics

    Allows the library to establish a heartbeat with the EKM servers to alert proactively of connectivity or operational failures. Time intervals include:

    0 min - no heartbeat path diagnostics are enabled

    15 min - path diagnostic heartbeat will be run every 15 minutes

    30 min - path diagnostic heartbeat will be run every 30 minutes

    60 min - path diagnostic heartbeat will be run every 60 minutes

    		 Select a value from the drop-down menu.
    Port Identifies IBM KMIP port number for the servers. Default port is set as 5696. The port needs to match the port assigned to the EKM server.

  4. Click the + icon to add additional servers.

  5. Click Apply to save your settings.

  6. Click the Key Set tab to apply one or more key sets to the IBM KMIP servers.

    Item Description Action
    Key Set Name

    Enter key set name.

    		Enter text.
    Number of Keys Enter the number of keys associated with this key set. Enter number.

  7. Click the + icon to add additional key sets to the KMIP server(s).

  8. Click Apply to save your settings.
  9. Click Close to exit the window.

Note: Key sets can be deleted to prevent the library from using new keys from the key sets. The keys on the IBM key server will remain.

  1. From the Navigation panel, select Encryption.
  2. In the North Panel, select the check box next to KMIP Key Manager.

  3. In the Operations panel, click Add.

    Item Description Action
    Server Identifies the IP address of the KMIP server. Enter text.
    Path Diagnostics

    Allows the library to establish a heartbeat with the SKM servers to alert of connectivity or operational failures. Time intervals include:

    0 min - no heartbeat path diagnostics are enabled

    15 min - path diagnostic heartbeat will be run every 15 minutes

    30 min - path diagnostic heartbeat will be run every 30 minutes

    60 min - path diagnostic heartbeat will be run every 60 minutes

    		 Select a value from the drop-down menu.
    Port Identifies KMIP port number for the servers. Cannot be changed

  4. Click the + icon to add additional servers.

  5. Click Apply to save your settings.
  6. Click Close to exit the window.

This windows allows you to modify the key management server IP address and port configurations. You can either modify your Scalar Key Manager (SKM) solution settings or your Key Management Interoperability Protocol (KMIP) key manager settings.

  1. From the Navigation panel, select Encryption.
  2. In the North Panel, select the check box next to Scalar Key Manager (SKM).

  3. In the Operations panel, click Modify.

    Item Description Action
    Server Address

    Identifies the IP address of the first SKM server. The library will contact this server first for all key requests unless it is not available.

    Note: It is recommended that you use the geographically closest server in this field.

    		 Enter text.
    Server Address Identifies the IP address of the second SKM server. The library will failover to this server if the first SKM server is not available. The library will continue to use this server until it is not available even if the first server become available. Enter text.
    Path Diagnostics

    Allows the library to establish a heartbeat with the SKM servers to alert of connectivity or operational failures. Time intervals include:

    0 min - no heartbeat path diagnostics are enabled

    15 min - path diagnostic heartbeat will be run every 15 minutes

    30 min - path diagnostic heartbeat will be run every 30 minutes

    60 min - path diagnostic heartbeat will be run every 60 minutes

    		 Select a value from the drop-down menu.
    Port Identifies SKM port number for first server. Cannot be changed
    Port Identifies SKM port number for second server. Cannot be changed

  4. Click Apply to save your settings.

  5. Click Close to exit the window.

  1. From the Navigation panel, select Encryption.
  2. In the North Panel, select the check box next to IBM SKLM (KMIP).

  3. In the Operations panel, click Modify.

    Item Description Action
    Server Identifies the IP address of the IBM KMIP server. Enter text.
    Path Diagnostics

    Allows the library to establish a heartbeat with the SKM servers to alert of connectivity or operational failures. Time intervals include:

    0 min - no heartbeat path diagnostics are enabled

    15 min - path diagnostic heartbeat will be run every 15 minutes

    30 min - path diagnostic heartbeat will be run every 30 minutes

    60 min - path diagnostic heartbeat will be run every 60 minutes

    		 Select a value from the drop-down menu.
    Port Identifies IBM KMIP port number for the servers. Cannot be changed
  4. Click Apply to save your settings.

  5. Click the Key Set tab to modify the key set(s) assigned to the KMIP servers.

    Item Description Action
    Key Set Name

    Enter key set name.

    		Enter text.
    Number of Keys

    Enter the number of keys in the key set.

    Note: You cannot modify the key set number to a number smaller than the original numberl

    		 Enter number.

  6. Click the + icon to add additional key sets to the KMIP server(s).

  7. Click Apply to save your settings.
  8. Click Close to exit the window.
  1. From the Navigation panel, select Encryption.
  2. In the North Panel, select the check box next to KMIP Key Manager.

  3. In the Operations panel, click Modify.

    Item Description Action
    Server Identifies the IP address of the KMIP server. Enter text.
    Path Diagnostics

    Allows the library to establish a heartbeat with the SKM servers to alert of connectivity or operational failures. Time intervals include:

    0 min - no heartbeat path diagnostics are enabled

    15 min - path diagnostic heartbeat will be run every 15 minutes

    30 min - path diagnostic heartbeat will be run every 30 minutes

    60 min - path diagnostic heartbeat will be run every 60 minutes

    		 Select a value from the drop-down menu.
    Port Identifies KMIP port number for the servers. Cannot be changed
  4. Click Apply to save your settings.

  5. Click the Key Set tab to modify the key set(s) assigned to the KMIP servers.

    Item Description Action
    Key Set Name

    Enter key set name.

    		Enter text.
    Number of Keys

    Enter the number of keys in the key set.

    Note: You cannot modify the key set number to a number smaller than the original numberl

    		 Enter number.

  6. Click the + icon to add additional key sets to the KMIP server(s).

  7. Click Apply to save your settings.
  8. Click Close to exit the window.

You can add, modify, or delete Encryption (EKM) Solutions that are licensed on the library. To activate the Delete button, you must first have the partition that uses encryption offline and the encryption policy disabled.

Delete all Encryption Settings

To delete all encryption settings under a selected EKM solution, do the following:

  1. From the Navigation panel, select Encryption.

  2. In the North Panel, select the EKM Solution you want to change.

  3. In the Operations panel, click Delete.

  4. Click Apply.
  5. Click Close to exit the Delete window.

Delete one or more Encryption Server Settings

To delete one or more server settings under a selected EKM solution, do the following:

  1. From the Navigation panel, select Encryption.

  2. In the North Panel, select the EKM Solution you want to change.

  3. In the Operations panel, click Modify. The modify server dialog box opens.

  4. Select the red circle icon next to the server to be deleted.

  5. Click Apply.
  6. Click Close to exit the window.

Actions

The EKM Path Diagnostics consists of a series of short tests to validate whether the key servers are running, connected, and able to serve keys as required.

EKM Diagnostics runs the following tests:

Ping Test Verifies the Ethernet communication link between the library and the key servers.
Path Test Verifies that EKM services are running on the key servers.
Configuration Test Verifies that the key servers are capable of serving encryption keys.

If any of the tests fail, try the following resolutions and run the test again to make sure it passes:

Ping Test Failure Verify that the key server host is running and accessible from the network to which the library is connected.
Path Test Failure Verify that the key server is running and that the IP address, port, and SSL settings configured on the library are correct. Check to see if there is a network configuration issue, such as a firewall, preventing communication with the server.
Configuration Test Failure

SKM: A database inconsistency has been detected. Contact Technical Support.

KMIP Key Manager: Indicates a KMIP key server configuration problem. The server does not support all features necessary for the library to use it as a key server. Contact your KMIP server administrator for assistance.
  1. From the Navigation panel, select Encryption.
  2. In the North Panel, select KMIP Key Manager or Scalar Key Manager (SKM).

  3. In the Operations panel, click Path Diagnostics.

  4. Click Apply. The diagnostics tests begin to run.
  5. Click Close to exit the Path Diagnostics window.

This window is where you will load authorized certificates for security on your library. To add a Quantum certificate bundle you will need to create the bundle using SKM 2.4.

Note: You cannot update encryption communication certificates if there is a library partition in LME mode

Note: Before loading encryption certificates, review the Loading Encryption Certificates - Requirements above.

  1. From the Navigation panel, select Encryption.
  2. In the North Panel, select the check box next to either Scalar Key Manager (SKM), IBM SKLM (KMIP), or KMIP Key Manager.

  3. In the Operations panel, click Load Certificates.

    Item Description Action
    Install Quantum Certificate Bundle Allows you to upload a Quantum specific EKM certificate bundle that includes SKM and KMIP certificates as well as admin, root and client access certificates. Select the checkbox to enable the Quantum Certificate Bundle field. Deselect the checkbox to disable the Quantum Certificate Bundle field.
    Admin Certificate

    Allows you to install an administration certificate manually created by you. This field is only available if the Install Quantum Certificate Bundle checkbox is not selected.

    		 Click Browse to navigate to your admin certificate.
    Root Certificate Allows you to install a root certificate manually created by you. This field is only available if the Install Quantum Certificate Bundle checkbox is not selected. Click Browse to navigate to your admin certificate.
    Client Certificate

    Allows you to install a client certificate manually created by you. This field is only available if the Install Quantum Certificate Bundle checkbox is not selected.

    		 Click Browse to navigate to your admin certificate.
    Password Allows you to enter the password associated with the root certificate. Enter text.
    Certificate Installation Summary

    Lists all currently loaded and active certificates for your library.

    		  

  4. Click Apply to save your settings.

  5. Click Close to exit the window.