Configuring Partition Encryption

The Web client allows you to configure a partition so that the tape cartridges it contains are encrypted by the library. Library managed encryption works with an external Encryption Key Manager (EKM) server. For an overview of library managed encryption key management, see About Encryption Key Management.

The library supports only IBM LTO-4 Fibre-Channel and SAS tape drives and LTO-4 tape cartridges for encryption using . If no IBM LTO-4 tape drives are assigned to a partition, the encryption method for that partition will show as Unsupported on the screen. If a partition contains a mix of IBM LTO-4 tape drives and other tape drive types, only LTO-4 tape cartridges written to and read by IBM LTO-4 Fibre-Channel or SAS tape drives will be encrypted. Additionally, in order for data to be encrypted, the media must be blank or have been written to using library managed encryption at the first write operation at the beginning of tape (BOT). If the media was previously written in a non-encrypted format, all data subsequently written to it will continue to be non-encrypted.

NOTE: This operation should not be performed concurrently by multiple administrative users logged in from different locations. You can access the appropriate screens, but you cannot apply changes while another administrative user is performing the same operation.

Users with administrative privileges can configure partition encryption settings, but users with user privileges cannot.

  1. From the Setup menu, select Encryption > Partition Configuration.

    The Setup - Partition Configuration screen appears. Each partition's current encryption method is listed under Encryption Method.
  2. If you want to change the encryption method on a partition, make sure that no tape drives in that partition have cartridges in them. If they do, you cannot change the encryption method.
  3. For any library partition, do one of the following:
  4. If you want different partitions to use different EKM servers, fill in the Library Managed Encryption Server Overrides section as described in this step. The settings in the overrides section supercede the default settings listed in the Setup > Encryption > System Configuration screen. (However, the overrides settings do not change the settings listed in the Setup > Encryption > System Configuration screen. Those settings are the default configuration settings for any partition that does not use overrides.) Overrides are only available on partitions that have Library Managed set as the encryption method.

    NOTICE: Only fill in the overrides section if you want different partitions to use different EKM servers. Otherwise, leave this section alone and allow the values from the Setup > Encryption > System Configuration screen to populate these fields. Once you make any changes to the overrides section, the default values from the Setup > Encryption > System Configuration screen will no longer automatically populate these fields. If you want to return to the default settings after changing the overrides, you must enter them manually.

     
     
    For each partition that has Library Managed as the encryption method, do the following:

    If you use overrides, make sure that you install Dell EKM on all the servers you specify. Then run Encryption Key Manager Path Diagnostics on each tape drive in every partition configured for EKM to make sure that each drive can communicate with and receive keys from the specified EKM server.

    You can see which EKM server is currently in use for each partition by looking at the Failed Over column. If the column entry is "Yes" then the primary EKM server "failed over" to the secondary and the secondary server is in use. If the column entry is "No" it means the primary server did not fail over and is in use.
  5. Click Apply. The Progress Window appears. The Progress Window contains information on the action, elapsed time, and status of the requested operation.

    Do one of the following:

  6. Save the library configuration.

    For instructions on how to save the library configuration, see Saving the Configuration.

See also: