If you are using SKM, you can share encrypted tapes with other companies and individuals who also use SKM for managing encryption keys.
Each SKM server provides a unique encryption key for each tape cartridge that is encrypted. To read an encrypted tape in a library that is attached to an SKM server that is different than the server that originally provided the encryption key, the encryption key from the originating (i.e., source) SKM server needs to be shared with the receiving (i.e., destination) SKM server. The key (or list of keys, if there is more than one tape), is exported from the source SKM server to a file, which is sent to the destination recipient. Each key contained in the file is encrypted using the public key of the destination SKM server. The destination SKM server provides its public key to the source SKM server as part of an Encryption Certificate, which the source SKM server uses to wrap (encrypt) the encryption keys for transport. Upon arrival, the file containing the wrapped encryption keys can only be unwrapped by the corresponding private key, which resides on the destination SKM server and is never shared.
The process is as follows:
The source administrator e-mails the file containing the wrapped encryption keys to the destination administrator.
For more information about the key servers and library managed encryption best practices, please refer to the Scalar Key Manager User’s Guide.
See also: