Methods of Securing Keys
M-of-N Shares in Exporting Keys to USB Devices and Mail Users
3. Select Export Key
• If you selected multi-user mode and supplied only one encryption password, a prompt asks you to enter another password. Enter it, then select Next. The Export Type screen displays.
• Otherwise, the Export Type screen immediately displays.
4. Select to export the key as a single file or as M-of-N shares to either USB or email.
Export Method Steps to Follow
Export Single File to USB
(Standard and Professional Editions)
• Select this option, then put a USB device into the library’s USB port. See the library’s user guide for the location of this port.
• Select Next.
Email Exported Key
(Standard and Professional Editions)
• Select this option, then select an email user. If the intended recipient is not available as an email user, first create the email recipient; see the library’s user guide.
• Select Next.
Export M-of-N Shares to USB
• A screen displays that asks you to select the minimum shares required to restore the encrypted key, along with the total number of shares.
• Put the first USB device into the library's USB port. See the library documentation for information about the location of this port. Have on hand a number of USB devices equal to the total number of shares.
• Select Next.
Email M-of-N Shares
• A screen displays that asks you to select the minimum shares required to restore the encrypted key, along with the total number of shares.
• Select from the list email users; you must select the same number of email users as the total number of shares.
• Select Next.
5. Enter a password twice, then select Next. This password is used to encrypt the key, and it must be available before you can import and use the key. The key encrypted with this password is copied to one or more USB devices or attached to an email sent to one or more users.
• USB
  • If you exported the key to a single USB device, confirm that the encrypted key copied correctly by selecting Check Key Files. If you are not sure, delete all data from the USB devices so that no trace of the failed key attachment remains, then start again with Step 2 of this procedure.
  • If you selected the option to split the key across M-of-N shares on multiple USB devices, eject the USB device after a share has been written to it, and at every prompt, insert another USB device.
  • After the shares have been written, insert each USB device into the library, one by one, and select Check Key Files. If you are not sure that the key has been copied correctly, delete all data from the USB device so that no trace of the failed key attachment remains, then use another USB device and start again.
• Email: If sending keys using email, you may want to confirm receipt of the attachment by checking with each user to whom you sent the encrypted key file.
6. Note the password, which you will need to import the key. Without it, you cannot import the key and the data encrypted using the key is lost.
Caution: Track where you have stored the key or who received an email message with the key, in conformance with your security plan. You need both the password and the encrypted file containing the key to import the encryption key.
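The M-of-N option above lets any M of the N exported shares restore the key, while fewer than M shares are useless on their own. As an added illustration (not the library's own code; the manual does not state which sharing scheme the library uses), this Python example splits a constructed 32-byte key with Shamir's threshold scheme and shows that a quorum of shares restores it and a smaller set does not:

```python
"""Illustrative M-of-N threshold sharing of an exported key (Shamir's scheme
over a prime field). Added example; the library's actual share format is
undocumented here, so this only shows the threshold property itself."""
import secrets

# Field prime larger than any 256-bit key, so a 32-byte key is one field element.
PRIME = 2**521 - 1

# Constructed sample key for the demo, not a real encryption key.
EXAMPLE_KEY = bytes(range(32))


def _eval_poly(coeffs, x):
    # Horner's rule; coeffs[0] is the constant term (the secret).
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, m: int, n: int):
    """Split key into n shares (x, y); any m of them reconstruct it."""
    if not 1 < m <= n:
        raise ValueError("need 1 < minimum shares <= total shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def restore_key(shares, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # Too few shares yield a random field element, which almost never fits
    # in key_len bytes; treat that as a failed restore (like Check Key Files).
    if secret >= 1 << (8 * key_len):
        raise ValueError("not enough shares or a corrupted share")
    return secret.to_bytes(key_len, "big")


def shares_restore(shares, key: bytes) -> bool:
    """True if this set of shares reproduces key, False otherwise."""
    try:
        return restore_key(shares, len(key)) == key
    except ValueError:
        return False
```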
Restoring Data
Restoring encrypted data from tape follows the standard data restore processes that you use with your backup software. The only difference is that the key used to encrypt the data being restored needs to be on the library and assigned to the partition with the tape, so the data can be decrypted. If it’s available and assigned, then standard restore procedures simply work.
If the key either isn’t on the library or is on the library but not assigned to the partition with the encrypted media, the library displays the moniker of the key to import. To import the key, you need the exported key (or keys, if the M-of-N shares option was used) and a copy of the password used to encrypt it.
Endura Decryption Utility (EDU) is an optional safeguard that provides a way to restore data without a library. For information about this command-line decryption utility, see Chapter 11, Endura Decryption Utility.
Restoring Data if Required Key is Available
To restore data:
1. Load the tape to be decrypted.
2. Assign the key or keys to the partition with the tape if they are not already assigned to it.
3. Use the backup software to automatically decrypt and restore data. If the key or keys are not available, a message indicates this.
To import a key so that you can restore data, continue to the next set of steps.
Importing Keys
If a key is not available on the library, you can import it from a USB device.
Alternatively, if you are using the RLC and can access the exported key file, you can upload the encryption key through the RLC. This option only displays if you are logged in remotely. Note that you cannot import a key through this method if it has been split into M-of-N shares.
Importing Keys from a USB Device
To import a key stored on a USB device:
1. Log in as a superuser.
2. Select Security > Encryption. The Encryption User Login screen displays.