Configuring Partition Encryption
The Setup - Partition Encryption screen allows you to change the tape cartridge encryption method for each partition in the library.
Encryption Methods, Details, and Restrictions
The following encryption methods are available on the library:
Enable Library Managed — Enables library managed encryption support via a connected key manager server — either Quantum Key Manager (QKM) or Quantum Encryption Key Manager (Q-EKM) — for all tape drives and encryption-capable media assigned to the partition.
- QKM supports encryption on LTO-4 data cartridges using HP LTO-4 Fibre Channel and SAS tape drives. If you are using QKM and want to enable Library Managed Encryption for a partition, all of the tape drives in that partition must be either HP LTO-4 Fibre Channel or HP LTO-4 SAS drives.
- Generating Encryption Keys for QKM: To generate encryption keys, you must change a partition to Enable Library Managed. The library checks to see if encryption keys are needed and, if so, triggers the QKM server to create them. If your partitions are already configured, you will need to change a partition from Enable Library Managed to Allow Application Managed using the process described below, then change it back to Enable Library Managed.
- Q-EKM supports encryption on LTO-4 data cartridges using IBM LTO-4 Fibre Channel and SAS tape drives (but not IBM LTO-4 SCSI tape drives). If you are using Q-EKM and want to enable Library Managed Encryption for a partition, all of the tape drives in that partition must be either IBM LTO-4 Fibre Channel or IBM LTO-4 SAS drives.
- If you are using both QKM and Q-EKM, you must separate the tape drives among the partitions so that each partition only contains tape drives supported by either QKM or Q-EKM. The library will assign the correct servers (QKM or Q-EKM) depending on the drive type in the partition.
- Only LTO-4 tape cartridges will be encrypted in Library Managed Encryption partitions (the partition may contain LTO-2 and LTO-3 media, but they will not be encrypted).
- In order for data to be encrypted via library managed encryption, the media must be blank or have been written to using library managed encryption at the first write operation at the beginning of tape (BOT). If the media was previously written in a non-encrypted format, all data subsequently written to it will continue to be non-encrypted.
- You must have an LME license installed on the library (see Applying a License Key) before you can select this option.
- Your QKM or Q-EKM servers must be installed, configured on the library, and be operational before you can select this option.
- For more information, see About Library Managed Encryption.
Allow Application Managed — Allows your host application to provide encryption support on all encryption-capable tape drives and media within the partition. This is the default setting if the partition contains encryption-capable tape drives. If you select this option, the library will NOT communicate with the key server on this partition. If you want an application to manage encryption, you must specifically configure the application to do so. The library will not participate in performing encryption. See your host documentation for further details.
Unsupported — If Unsupported is shown, it means that no tape drives in that partition support encryption, and you will not be able to change the setting.
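The restrictions above can be checked against a partition inventory before Enable Library Managed is selected. The following is an added example, not Quantum's code or a library API: the `Drive` and `Cartridge` records, the function names, and the sample barcodes are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Drive types each key manager supports, taken from the restrictions above.
SUPPORTED = {
    "QKM": {("HP", "LTO-4", "FC"), ("HP", "LTO-4", "SAS")},
    "Q-EKM": {("IBM", "LTO-4", "FC"), ("IBM", "LTO-4", "SAS")},
}

@dataclass(frozen=True)
class Drive:  # hypothetical inventory record
    vendor: str
    generation: str
    interface: str  # "FC", "SAS" or "SCSI"

@dataclass(frozen=True)
class Cartridge:  # hypothetical inventory record
    barcode: str
    generation: str
    blank: bool = False
    first_write_lme: bool = False  # first write at BOT used LME

def key_manager_for(drives):
    """Return "QKM" or "Q-EKM" if every drive fits one manager, else None."""
    kinds = {(d.vendor, d.generation, d.interface) for d in drives}
    for name, allowed in SUPPORTED.items():
        if kinds and kinds <= allowed:
            return name
    return None

def lme_blockers(drives, licensed, key_server_up):
    """Reasons Enable Library Managed cannot be selected for a partition."""
    problems = []
    if key_manager_for(drives) is None:
        problems.append("drives are not all supported by one key manager")
    if not licensed:
        problems.append("no LME license installed")
    if not key_server_up:
        problems.append("key server is not operational")
    return problems

def unencrypted_media(cartridges):
    """Barcodes that would still be written unencrypted in an LME partition."""
    return [c.barcode for c in cartridges
            if not (c.generation == "LTO-4" and (c.blank or c.first_write_lme))]

# Constructed sample inventory: one IBM SCSI drive and one LTO-3 tape.
DRIVES = [Drive("IBM", "LTO-4", "FC"), Drive("IBM", "LTO-4", "SCSI")]
MEDIA = [Cartridge("A00001L4", "LTO-4", blank=True), Cartridge("A00002L3", "LTO-3")]
```

For the sample inventory, `lme_blockers(DRIVES, True, True)` reports the unsupported drive mix and `unencrypted_media(MEDIA)` flags the LTO-3 cartridge, which would be written in the clear even after the partition is switched.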
Changing the Encryption Method
NOTE: This operation should not be performed concurrently by multiple administrative users logged in from different locations. You can access the appropriate screens, but you cannot apply changes while another administrative user is performing the same operation.
Users with administrative privileges can configure partition encryption settings, but users with user privileges cannot.
- From the Setup menu, select Encryption > Partition Configuration.
The Setup - Partition Configuration screen appears. Each partition's current encryption method is listed under Encryption Method.
NOTE: If a partition uses Library Managed Encryption, this screen also displays whether it is using QKM or Q-EKM (automatically assigned by the library based on whether the tape drives in the partition are HP or IBM); the IP addresses of the key servers; and whether SSL is enabled. This information is view-only on this screen. It is configurable from the Setup - Encryption Key Server Access Configuration screen (Setup > Encryption > System Configuration). See Configuring Encryption Key Server Access for details.
- If you want to change the encryption method on a partition, make sure that no tape drives in that partition have cartridges in them. If they do, you cannot change the encryption method.
- For any library partition, change the encryption method by selecting from the Encryption Method drop-down list (see above for explanations and restrictions):
  - Enable Library Managed
  - Allow Application Managed
  - Unsupported
NOTE: When you change a partition from Enable Library Managed to Allow Application Managed, the data that was written to the tapes while the partition was configured for library managed encryption can no longer be read, until you change the partition back to Enable Library Managed.
- Click Apply. The Progress Window appears. The Progress Window contains information on the action, elapsed time, and status of the requested operation.
Do one of the following:
- If Success appears in the Progress Window, the partition encryption settings were successfully configured. Click Close to close the Progress Window.
- If Failure appears in the Progress Window, the partition encryption settings were not successfully configured. Follow the instructions listed in the Progress Window to resolve any issues that occurred during the operation.
NOTE: When you change the encryption method on a partition, the partition is taken offline. When the change completes, the partition comes back online automatically.
- Save the library configuration.
For instructions on how to save the library configuration, see Saving the Configuration.
You may also access the EKM Path Diagnostics from this screen. For more information, see Encryption Key Manager Path Diagnostics.