
Enter a password twice in the Export Password screen, then select Next. The Encryption Configuration screen displays

In document BlueScale Encryption User Guide (Page 114-120)

Storing Exported Keys

5. Enter a password twice in the Export Password screen, then select Next. The Encryption Configuration screen displays.

This password is used to encrypt the key, and needs to be available before you can import and use the key. The key encrypted with this password is copied to one or more USB devices or attached in an email to one or more users.

• USB

• If you exported the key to a single USB device, confirm that the encrypted key copied correctly by selecting Check Key Files. If you are not sure, delete all data from the USB devices so that no trace of the failed key attachment remains, then start again.

• If you selected the option to split the key across M-of-N shares on multiple USB devices, eject the USB device after a share has been written to it, and at every prompt, insert another USB device.

After the shares have been written, insert each USB device into the library, one by one, and select Check Key Files. If you are not sure if the key has been copied correctly, delete all data from the USB device so that no trace of the failed key attachment remains, then use another USB device and start again.

• Email

• If sending keys using email, you may want to confirm the receipt of the attachment by checking with each user to whom you sent the encrypted key file.

6. Note the password, which you will need to import the key. Without it, you cannot import the key and the data encrypted using the key is lost.

Caution: Track where you have stored the key or who received an email message with the key, in conformance with your security plan. You need both the password and the encrypted file containing the key to import the encryption key.

Restoring Data

Restoring encrypted data from tape follows the standard data restore processes that you use with your backup software. The only difference is that the key used to encrypt the data being restored needs to be on the library and assigned to the partition with the tape, so the data can be decrypted. If it’s available and assigned, then standard restore procedures simply work.

If the key either isn’t on the library or is on the library but not assigned to the partition with the encrypted media, the library displays the moniker of the key to import. To import the key, you need the exported key (or keys, if the M-of-N shares option was used) and a copy of the password used to encrypt it.

Endura Decryption Utility (EDU) is an optional safeguard, providing a method that lets you restore data without a library. For information about this command-line utility, see Chapter 11, Endura Decryption Utility.

Restoring Data if Required Key is Available

To restore data:

1. Load the encrypted tape in the library.

2. Assign the key or keys to the partition with the tape if they are not already assigned to it.

3. Use the backup software to automatically decrypt and restore data. If the key or keys are not available, a message indicates this.

To import a key so that you can restore data, continue to the next set of steps.

Importing Keys

If a key is not available on the library, you can import it from a USB device.

Alternatively, if you are using the RLC and can access the key from your computer, you can upload the encryption key through the RLC. This option only displays if you are logged in remotely. Note that you cannot import a key through this method if it has been split into M-of-N shares.

Importing Keys from a USB Device

If the key is stored on a USB device, import it by following this procedure.

To import keys from a USB device to restore data:

1. Log in as a superuser, then select Security --> Encryption. The Encryption User Login screen displays.

2. Enter the encryption password, then select OK. The Encryption Configuration screen displays.

3. Insert the USB device into the library’s USB port.

4. Select Import Key. The Import Key Selection screen displays.

• If you selected multi-user mode, and only one encryption password has been supplied, a prompt asks you to enter another password. Enter it, then select Next.

5. Choose the key to import from the Key List field, then select Next. The Import Password screen displays.

6. Enter the password that was used to encrypt the key when it was being exported, then select Next.

If you are using the M-of-N shares option, insert multiple USB devices one after the other, as requested.

The Encryption Configuration screen displays, showing the moniker of the newly imported key.

7. Assign the imported key to the partition with the encrypted media.

8. Use your backup software to restore the data.

Importing Keys through the RLC

As long as you are importing a single key, not one split into M-of-N shares, you can upload it through the RLC.

If you are using the RLC and can access the key from your computer, import it by following this procedure.

To import keys through the RLC:

1. Log in as a superuser, then select Security --> Encryption. The Encryption User Login screen displays.

2. Enter the encryption password, then select OK. The Encryption Configuration screen displays.

3. Select Import Key. The Encryption Key Files Source screen displays.

Note that this screen only displays when you are using the RLC.

4. Select Import key from RLC, then select Next. The RLC Encryption Key Upload screen displays.

5. To identify the encryption key file, either:

• Type the path for the key in the Encryption Key File field.

• Select Browse, locate and select the key. Select Open. The path for the key displays in the Encryption Key File field.

6. Select Next. The Import Password screen displays.

7. Enter the password that was used to encrypt the key when it was being exported in both fields, then select Next.

The Encryption Configuration screen displays, showing the moniker of the newly imported key.

8. Assign the imported key to the partition with the encrypted media.

9. Use your backup software to restore the data.

Deleting a Key

Only one key is allowed per LTO-4 tape. To use a tape encrypted with a deleted encryption key, you must first scratch the tape through BlueScale Encryption. This procedure is described in Recycling Encrypted Media on page 98.

To delete a key:

1. Log in as a superuser, then select Security --> Encryption. The Encryption User Login screen displays.

2. Enter the encryption password, then select OK. The Encryption Configuration screen displays.

3. Confirm that at least one copy of the key has been exported and stored safely.

4. Select Delete. The Delete Encryption Key screen displays.

5. Select OK.
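
The export, import, and delete procedures above all depend on tracking which exports of a key are still usable. The following is an added example, not part of the BlueScale guide or software: a Python check over a custody log that applies the guide's rules (password plus key file required, M shares needed for a split key, no RLC import for split keys) before step 3 of a deletion. The record format and all monikers are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class ExportRecord:
    """One key export as noted in a custody log (hypothetical record format)."""
    moniker: str
    medium: str              # "usb" or "email"
    shares_required: int     # M of the M-of-N split; 1 if the key was not split
    shares_verified: int     # shares/copies confirmed (Check Key Files, or receipt confirmed)
    password_recorded: bool  # export password noted and retrievable

def import_paths(rec: ExportRecord) -> list[str]:
    """Import routes this export supports, or [] if it cannot be imported."""
    # Both the export password and the encrypted key file (or M shares) are needed.
    if not rec.password_recorded or rec.shares_verified < rec.shares_required:
        return []
    paths = ["usb"] if rec.medium == "usb" else []
    if rec.shares_required == 1:
        paths.append("rlc")  # RLC upload is not possible for M-of-N split keys
    return paths

def recoverable(moniker: str, log: list[ExportRecord]) -> set[str]:
    """Union of usable import routes across every export of this key."""
    return {p for r in log if r.moniker == moniker for p in import_paths(r)}

def deletion_blockers(moniker: str, log: list[ExportRecord]) -> list[str]:
    """Reasons not to delete the key yet; an empty list means step 3 is satisfied."""
    exports = [r for r in log if r.moniker == moniker]
    if not exports:
        return ["no export recorded"]
    if recoverable(moniker, log):
        return []
    reasons = []
    for r in exports:
        if not r.password_recorded:
            reasons.append(f"{r.medium}: export password not recorded")
        if r.shares_verified < r.shares_required:
            reasons.append(f"{r.medium}: {r.shares_verified} of {r.shares_required} required shares verified")
    return reasons

# Constructed sample log; monikers and counts are invented for illustration.
LOG = [
    ExportRecord("archive-2019", "usb", 2, 3, True),   # 2-of-3 split, all shares checked
    ExportRecord("finance-q1", "email", 1, 1, False),  # received, but password never noted
    ExportRecord("hr-backups", "usb", 3, 2, True),     # 3 shares needed, only 2 verified
    ExportRecord("hr-backups", "email", 1, 1, True),   # unsplit copy confirmed by recipient
]

if __name__ == "__main__":
    for m in ["archive-2019", "finance-q1", "hr-backups", "legal-hold"]:
        print(m, sorted(recoverable(m, LOG)), deletion_blockers(m, LOG))
```

A key with an empty route set cannot be imported again, so any tape written with it becomes unreadable once the key is deleted from the library.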

T50 Libraries

Recycling Encrypted Media

LTO-4 drives require that all data encrypted and written to a single tape be encrypted using the same key (that is, a single key is associated with each tape storing encrypted data). Once the encrypted data is written to a tape, the drive won't overwrite the encrypted data to re-use the tape until you recycle the tape through BlueScale Encryption.

This option is available on the Import/Export screen for partitions using encryption.

To recycle encrypted media:

1. From the toolbar menu, select General --> Import/Export. The Import/Export screen displays.

2. If your library has more than one partition, use the Import/Export drop-down menu to select the partition with the media to be recycled, then select Go. The Import/Export screen refreshes with the information for the selected partition displayed.

If you only have one partition, the drop-down menu does not appear on this screen.
