Sharing Encrypted Tape Cartridges

If you are using QKM, you can share encrypted tapes with other companies and individuals who also use QKM for managing encryption keys.

Each QKM server generates a unique encryption key for every tape cartridge it encrypts. To read an encrypted tape in a library attached to a QKM server other than the one that originally provided the key, that key must be shared from the originating (source) QKM server to the receiving (destination) QKM server. The source QKM server exports the key (or a list of keys, if there is more than one tape) to a file, which is sent to the destination. Each key in the file is wrapped (encrypted) with the public key of the destination QKM server, so the file can travel over an untrusted channel such as e-mail without exposing the keys. The destination QKM server supplies its public key as part of an Encryption Certificate, which the source administrator imports before the export; the source QKM server then uses that certificate to wrap the keys for transport. Upon arrival, the wrapped keys can be unwrapped only with the corresponding private key, which resides on the destination QKM server and is never shared.

Because anyone holding the private key that matches an Encryption Certificate can unwrap keys exported against it, the source administrator should confirm out of band (for example, by phone) that a certificate received by e-mail really came from the intended destination before importing it and exporting keys to it.

The process is as follows:

  1. The destination administrator exports the Encryption Certificate that belongs to the destination QKM server. The Encryption Certificate is saved as a file to a location on a computer specified by the administrator (see Exporting Encryption Certificates).
  2. The destination administrator e-mails the Encryption Certificate file to the source administrator.
  3. The source administrator saves the Encryption Certificate file to a location on a computer, and then imports the Encryption Certificate onto the source QKM server (see Importing Encryption Certificates).
  4. The source administrator exports the encryption keys for the tapes to be shared, selecting the Encryption Certificate imported in step 3 as the certificate used to wrap the keys. The file containing the wrapped encryption keys is saved to a location on a computer specified by the source administrator (see Exporting Encryption Keys).
  5. The source administrator e-mails the file containing the wrapped encryption keys to the destination administrator.
  6. The destination administrator saves the file containing the wrapped encryption keys to a location on a computer, and then imports the keys onto the destination QKM server (see Importing Encryption Keys).
  7. The destination library can now read the encrypted tapes.
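
The exchange above, carried end to end in code, as an added example that is not part of this page and not QKM's own software: the destination generates a key pair and a self-signed Encryption Certificate (step 1), the source imports the certificate and wraps each per-cartridge key with RSA-OAEP under the certificate's public key (steps 3 and 4), and the destination unwraps the keys with the private key that never left it (step 6). The export-file layout, the certificate subject, the cartridge barcodes and the sample cartridge keys are all constructed for illustration; QKM's actual export format and wrapping algorithm are not documented on this page and may differ.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WrappedKey is one entry of the export file (illustrative layout, not QKM's): a barcode and its key wrapped to the destination.
type WrappedKey struct {
	Barcode string
	Wrapped []byte
}

// Destination models the receiving QKM server; its private key never leaves it.
type Destination struct{ priv *rsa.PrivateKey }

func NewDestination() (*Destination, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Destination{priv: priv}, err
}

// ExportEncryptionCertificate is step 1: a self-signed certificate carrying only the public key, safe to e-mail (step 2).
func (d *Destination) ExportEncryptionCertificate() ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "destination-qkm.example"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &d.priv.PublicKey, d.priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// WrapKeys is steps 3-4 on the source: import the certificate, require an RSA key-encipherment certificate,
// then wrap each cartridge key with RSA-OAEP (SHA-256). The barcode is the OAEP label, binding each wrapped key to its cartridge.
func WrapKeys(certPEM []byte, tapeKeys map[string][]byte) ([]WrappedKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return nil, fmt.Errorf("not an RSA key-encipherment certificate")
	}
	out := make([]WrappedKey, 0, len(tapeKeys))
	for barcode, key := range tapeKeys {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(barcode))
		if err != nil {
			return nil, fmt.Errorf("cartridge %s: %w", barcode, err)
		}
		out = append(out, WrappedKey{Barcode: barcode, Wrapped: ct})
	}
	return out, nil
}

// UnwrapKeys is step 6 on the destination. An entry wrapped for another server, or whose barcode was altered, fails to unwrap.
func (d *Destination) UnwrapKeys(file []WrappedKey) (map[string][]byte, error) {
	keys := make(map[string][]byte, len(file))
	for _, w := range file {
		k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, w.Wrapped, []byte(w.Barcode))
		if err != nil {
			return nil, fmt.Errorf("cartridge %s: %w", w.Barcode, err)
		}
		keys[w.Barcode] = k
	}
	return keys, nil
}

func main() {
	dst, _ := NewDestination()
	certPEM, _ := dst.ExportEncryptionCertificate()
	// Constructed sample: two cartridges (hypothetical barcodes) with random 256-bit data keys.
	k1, k2 := make([]byte, 32), make([]byte, 32)
	rand.Read(k1)
	rand.Read(k2)
	wrapped, err := WrapKeys(certPEM, map[string][]byte{"000001L5": k1, "000002L5": k2})
	if err != nil {
		panic(err)
	}
	recovered, err := dst.UnwrapKeys(wrapped)
	fmt.Printf("destination recovered %d cartridge keys, err=%v\n", len(recovered), err)
}
```

Two properties of the exchange are worth noticing in the code. A second server with its own key pair cannot unwrap the file, which is the whole point of wrapping to the destination's certificate rather than to a shared secret; and because the barcode is used as the OAEP label, an entry whose barcode has been changed in transit fails to unwrap instead of silently yielding a key for the wrong cartridge. The certificate check in WrapKeys is deliberately minimal (PEM, RSA, key encipherment); it does not establish that the certificate came from the intended destination, which is why the out-of-band confirmation described above still matters.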

For more information about the key servers and library managed encryption best practices, please refer to the Quantum Key Manager User’s Guide.
