System-Managed Encryption on z/OS uses either of the following key flows:
In-band encryption key flow: Tape drive requests to the Encryption Key Manager component travel over the ESCON/FICON® channels to the server proxy that is TCP/IP-connected to the Encryption Key Manager.
Out-of-band encryption key flow: The tape controller establishes the communication to the EKM server over a TCP/IP connection. Out-of-band support requires a router.
Out-of-band support also runs on VM, VSE, TPF, and Linux on System z. It is your only option on those operating system platforms. The TS7700 Virtualization Engine also uses out-of-band support.
In-band key flow
In-band key flow, which is shown in Figure 3-16, occurs between EKM and the tape drive through a FICON proxy on the FICON/ESCON® interface. The FICON proxy supports failover to the secondary key path on failure of the first-specified EKM path addresses. The effect on the controller service requirements is minimal.
The controller performs these actions:
Reports drive status in SMIT displays
Passes encryption-related errors from the drive to the host
Reports “encryption failure unit checks” to the host
You must reconfigure the controller when new encryption drives are introduced for attachment or when an encryption-capable drive is enabled for encryption.
Figure 3-16 In-band encryption key flow
Out-of-band key flow
Chapter 3. IBM storage encryption methods 77
Out-of-band key flow, which is shown in Figure 3-17 on page 77, occurs between EKM and the tape drive through a subsystem proxy, which is located in the 3592 controller or TS7700 Virtualization Engine on the EKM interface. The effect on the service requirements can be greater than for in-band key flow because of the introduction of two routers on the EKM interface, to and from the controller.
The controller and the TS7700 perform these functions:
Support failover to the secondary key path on failure of the first-specified EKM path addresses
Report drive status in SMIT displays
Pass encryption-related errors from the drive to the host
Report “encryption failure unit checks” to the host
Must be reconfigured when new encryption drives are introduced for attachment or when an encryption-capable drive is enabled for encryption
You can enter up to two EKM IP/domain addresses (and up to two ports) for each controller, and two domain name server IP addresses.
Figure 3-17 Out-of-band encryption key flow
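The failover behaviour described for the controller and the TS7700 (try the first-specified EKM address, fall back to the secondary key path only when the first fails) is easy to get wrong in a monitoring plan: tape I/O keeps working while the primary EKM is down, so the outage is invisible unless the failover itself is logged. The following is an added example, not IBM code, that models that ordered key-path selection. The transport is a hypothetical `connect` hook that stands in for the proxy's TCP connection to the EKM; the addresses and the port number are constructed for the example.

```python
"""Added example (not IBM's code): ordered key-path failover as a proxy
performs it with the first-specified and secondary EKM addresses."""
import logging
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

log = logging.getLogger("keypath")

# One EKM key path: the IP/domain address and port entered on the controller.
KeyPath = Tuple[str, int]


@dataclass
class KeyPathResult:
    served_by: Optional[KeyPath]                  # EKM that answered
    failed: List[KeyPath] = field(default_factory=list)
    failover: bool = False                        # True if the secondary served


class KeyPathError(RuntimeError):
    """No configured key path answered: the drive cannot obtain a key, so the
    mount cannot proceed (data access depends on EKM availability)."""


def request_key(paths: List[KeyPath],
                connect: Callable[[str, int], bool]) -> KeyPathResult:
    """Try the key paths in configured order, primary first.

    `connect` is a hypothetical hook: it returns True when the EKM at
    (host, port) answers, and returns False or raises OSError when it does
    not. A real proxy would open the TCP connection to the EKM here.
    """
    if not paths or len(paths) > 2:
        raise ValueError("a controller holds one or two EKM key paths")
    result = KeyPathResult(served_by=None)
    for index, (host, port) in enumerate(paths):
        try:
            ok = connect(host, port)
        except OSError as exc:
            log.warning("key path %s:%d unreachable: %s", host, port, exc)
            ok = False
        if ok:
            result.served_by = (host, port)
            result.failover = index > 0
            if result.failover:
                # The event an operations team wants to alert on: I/O still
                # works, but the primary EKM path is down.
                log.error("primary key path %s:%d failed; served by secondary %s:%d",
                          paths[0][0], paths[0][1], host, port)
            return result
        result.failed.append((host, port))
    raise KeyPathError(f"no EKM reachable on key paths {paths}")


def make_connector(reachable: Set[KeyPath]) -> Callable[[str, int], bool]:
    """Constructed stand-in for the network: only listed EKMs answer."""
    def connect(host: str, port: int) -> bool:
        if (host, port) not in reachable:
            raise OSError(f"connection to {host}:{port} refused")
        return True
    return connect


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed addresses and port; not a real EKM deployment.
    paths = [("ekm-a.example", 3801), ("ekm-b.example", 3801)]
    print(request_key(paths, make_connector({("ekm-b.example", 3801)})))
```

Because the proxy walks the list in order rather than balancing across both EKMs, the `failover` flag (or the error-level log line) is the only signal that the primary address has failed; a monitoring rule on that line is the practical check that the secondary path is not silently carrying all key requests.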
3.5.2 Library-Managed Encryption
In a Library-Managed Encryption (LME) implementation, encryption policies reside within the tape library. This method of tape encryption requires an EKM for key management. LME is fully transparent to the application and system layers. Figure 3-18 on page 78 shows an illustration of Library-Managed Encryption.
LME offers you the broadest range of application and operating system support. Centralized enterprise-class key management facilitates tape interchange and migration. If you implement LME on a TS3500 or 3494 tape library, you get policy granularity on a per-volume basis. LME requires additional responsibilities for the storage administrator as compared to AME. Data access depends on the availability of EKM and the key path.
In most open systems environments, LME is the preferred method for tape encryption.
Figure 3-18 Library-Managed Encryption (LME)
LME can be implemented in these tape libraries:
Open systems-attached TS3500 tape library with TS1120 and LTO Ultrium 4 tape drives
Open systems-attached 3494 or TS3400 tape library with TS1120 tape drives
TS3310, TS3200, or TS3100 tape library with LTO Ultrium 4 tape drives
Key generation and management is handled by EKM, running on a host with a TCP/IP connection to the library. Policy control and keys pass through the library-to-drive interface; therefore, encryption is transparent to the applications.
For TS3500 and IBM 3494 tape libraries, you can use barcode encryption policies to specify when to use encryption. On an IBM TS3500 Tape Library, you set these policies through the IBM System Storage Tape Library Specialist web interface. On a 3494 tape library, you can use the Enterprise Automated Tape Library Specialist web interface or the Library Manager Console. With barcode encryption policies, policies are based on cartridge volume serial numbers. LME also allows for encryption of all volumes in a library, independent of barcodes.
For certain applications, such as Symantec NetBackup, LME includes support for Internal Label Encryption Policy (ILEP). When ILEP is configured, the TS1120 or LTO Ultrium 4 tape drive automatically derives the encryption policy and key information from the metadata written on the tape volume by the application. Refer to your tape library operator’s guide.
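Barcode encryption policies give per-volume granularity by matching the cartridge volume serial number (VOLSER) against configured ranges, with a library-wide "encrypt all volumes" setting that applies independently of barcodes. The following is an added example, not IBM code and not the Tape Library Specialist's logic, that evaluates such a policy set the way a library would have to before a mount: it rejects overlapping ranges at configuration time (so evaluation order cannot change the outcome), validates the VOLSER, and resolves a volume to a decision and a set of key labels. Key-label names, the precedence of a matching barcode range over the library-wide default, and the six-character alphanumeric VOLSER format are assumptions of this example.

```python
"""Added example (not IBM's code): per-volume barcode encryption policy
evaluation with a library-wide encrypt-all override."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed VOLSER format: six upper-case alphanumeric characters.
VOLSER_RE = re.compile(r"^[A-Z0-9]{6}$")


@dataclass(frozen=True)
class BarcodePolicy:
    low: str                     # inclusive VOLSER range start
    high: str                    # inclusive VOLSER range end
    key_labels: Tuple[str, ...]  # labels the EKM resolves to keys (assumed names)


@dataclass(frozen=True)
class Decision:
    volser: str
    encrypt: bool
    key_labels: Tuple[str, ...]
    reason: str


def _check_volser(volser: str) -> str:
    if not VOLSER_RE.match(volser):
        raise ValueError(f"invalid VOLSER {volser!r}")
    return volser


class LibraryPolicy:
    """Policy set for one library, checked for consistency when built."""

    def __init__(self, policies: List[BarcodePolicy], encrypt_all: bool = False,
                 default_key_labels: Tuple[str, ...] = ()):
        for p in policies:
            _check_volser(p.low)
            _check_volser(p.high)
            if p.low > p.high:
                raise ValueError(f"range {p.low}-{p.high} is reversed")
            if not p.key_labels:
                raise ValueError(f"range {p.low}-{p.high} has no key label")
        # Overlapping ranges would make the outcome depend on list order;
        # reject them so every VOLSER maps to at most one range.
        ordered = sorted(policies, key=lambda p: p.low)
        for prev, nxt in zip(ordered, ordered[1:]):
            if nxt.low <= prev.high:
                raise ValueError(f"ranges {prev.low}-{prev.high} and "
                                 f"{nxt.low}-{nxt.high} overlap")
        if encrypt_all and not default_key_labels:
            raise ValueError("encrypt_all needs default key labels")
        self.policies = ordered
        self.encrypt_all = encrypt_all
        self.default_key_labels = default_key_labels

    def decide(self, volser: str) -> Decision:
        """Resolve one cartridge: matching range first, then the
        library-wide setting, else the volume is written in the clear."""
        _check_volser(volser)
        for p in self.policies:
            if p.low <= volser <= p.high:
                return Decision(volser, True, p.key_labels,
                                f"barcode range {p.low}-{p.high}")
        if self.encrypt_all:
            return Decision(volser, True, self.default_key_labels,
                            "library-wide encrypt-all")
        return Decision(volser, False, (), "no matching barcode policy")


def audit_unencrypted(library: LibraryPolicy, volsers: List[str]) -> List[str]:
    """Return the cartridges that would be written without encryption; a
    useful pre-mount check when a range was expected to cover them."""
    return [v for v in volsers if not library.decide(v).encrypt]


if __name__ == "__main__":
    # Constructed ranges and labels for the example.
    lib = LibraryPolicy([BarcodePolicy("FIN000", "FIN999", ("KEY-FIN",)),
                         BarcodePolicy("HR0000", "HR9999", ("KEY-HR", "KEY-DR"))])
    for v in ("FIN042", "HR0007", "TMP001"):
        print(lib.decide(v))
    print("unencrypted:", audit_unencrypted(lib, ["FIN042", "TMP001"]))
```

The overlap check is the part worth copying: with ranges validated up front, a gap in coverage shows up in `audit_unencrypted` as a cartridge written in the clear rather than as a surprise at restore time.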
The following IBM tape libraries support Library-Managed Encryption:
IBM System Storage TS3500 Tape Library
IBM TotalStorage® 3494 Tape Library
IBM System Storage TS3310 Tape Library
IBM System Storage TS3200 Tape Library
IBM System Storage TS3100 Tape Library
[Figure 3-18 labels: Encryption Key Manager; Policy; Application Layer; System Layer; Library Layer]
3.5.3 Encrypting and decrypting with SME and LME
Encryption and decryption with System-Managed Encryption and with Library-Managed Encryption are identical in their process flows.