The Web client allows you to configure a partition so that the tape cartridges it contains are encrypted by the library. Library managed encryption works with an external Encryption Key Manager (EKM) server. For an overview of library managed encryption key management, see About Library Managed Encryption.
The library supports only IBM LTO-4 Fibre-Channel and SAS tape drives and LTO-4 tape cartridges for encryption using . If no IBM LTO-4 tape drives are assigned to a partition, the encryption method for that partition will show as Unsupported on the screen. If a partition contains a mix of IBM LTO-4 tape drives and other tape drive types, only LTO-4 tape cartridges written to and read by IBM LTO-4 Fibre-Channel or SAS tape drives will be encrypted. Additionally, in order for data to be encrypted, the media must be blank or have been written to using library managed encryption at the first write operation at the beginning of tape (BOT). If the media was previously written in a non-encrypted format, all data subsequently written to it will continue to be non-encrypted.
![]() |
NOTE: This operation should not be performed concurrently by multiple administrative users logged in from different locations. You can access the appropriate screens, but you cannot apply changes while another administrative user is performing the same operation. |
Users with administrative privileges can configure partition encryption settings, but users with user privileges cannot.
![]() |
NOTE: When you change a partition from Enable Library Managed to Allow Application Managed or None, the data that was written to the tapes while the partition was configured for library managed encryption can no longer be read, until you change the partition back to Enable Library Managed. |
![]() |
NOTICE: Only fill in the overrides section if you want different partitions to use different EKM servers. Otherwise, leave this section alone and allow the values from the Setup > Encryption > System Configuration screen to populate these fields. Once you make any changes to the overrides section, the default values from the Setup > Encryption > System Configuration screen will no longer automatically populate these fields. If you want to return to the default settings after changing the overrides, you must enter them manually. |
![]() ![]() |
NOTE: Keys are always encrypted before being sent from the EKM server to a drive, whether SSL is enabled or not. Enabling SSL provides additional security. |
![]() ![]() |
NOTE: Restriction on EKM servers used for overrides: If you are using primary and secondary servers for overrides, the following restriction applies. (If you are not using a secondary server, there are no restrictions.)
|
Do one of the following:
For instructions on how to save the library configuration, see Saving the Configuration.
See also: