Quick Reference Guide

1. Open a command prompt and navigate to the audit log file directory.
In Windows, the audit log is located at <root>:\Dell\EKM\products\tklm\logs\audit\tklm_audit.txt.
In Linux, the audit log is located at: /opt/dell/ekm/products/tklm/logs/audit/tklm_audit.log.
2. Copy the current audit log file to a temporary file so it can be opened. The current audit log file is active and cannot
be opened while being updated.
3. Open the temporary copy in a text editor (for example, WordPad). Search for Drive Serial Number. If there is an
entry, a key has been provided. If the volser entry is blank, this is the result of key path diagnostics, and you should
search the file for additional entries associated with the drive serial number to be certain.
CAUTION: If keys have been provided, you must unencrypt the data on the affected media prior to uninstalling EKM 3.0.
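Steps 2 and 3 above can be scripted. The following is an added example, not code from Dell or the TKLM documentation. The record layout it parses (blank-line-separated records with one "Label: value" field per line) is an assumption, the function names are hypothetical, and the sample records are constructed; adjust the pattern to match your actual audit log.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed layout (not from TKLM documentation): records are separated by blank
# lines and hold one "Label: value" or "Label=value" field per line.
FIELD = re.compile(r"^[ \t]*(drive serial number|volser)[ \t]*[:=][ \t]*(.*?)[ \t]*$", re.I | re.M)

def snapshot(audit_log):
    """Step 2: copy the active audit log to a temporary file; return the copy."""
    tmp_dir = Path(tempfile.mkdtemp(prefix="ekm_audit_"))
    return Path(shutil.copy2(audit_log, tmp_dir / Path(audit_log).name))

def entries_for_drive(log_copy, serial):
    """Step 3: return the volser of every record naming this drive serial."""
    wanted = serial.lstrip("0")  # match with or without leading zeros
    text = Path(log_copy).read_text(encoding="utf-8", errors="replace")
    volsers = []
    for record in re.split(r"\n\s*\n", text):
        fields = {name.lower(): value for name, value in FIELD.findall(record)}
        if wanted and fields.get("drive serial number", "").lstrip("0") == wanted:
            volsers.append(fields.get("volser", ""))
    return volsers

def assess(volsers):
    """Apply the guide's rule across all entries found for the drive."""
    if any(volsers):
        return "key provided"
    return "blank volser only (key path diagnostics)" if volsers else "no entry for this drive"

# Constructed sample records with invented values, for illustration only.
SAMPLE = """\
Drive Serial Number: 001234567890
VolSer:

Drive Serial Number: 001234567890
VolSer: ABC123

Drive Serial Number: 000987654321
VolSer:
"""

def demo():
    src = Path(tempfile.mkdtemp()) / "tklm_audit.log"
    src.write_text(SAMPLE, encoding="utf-8")
    copy = snapshot(src)
    return {s: assess(entries_for_drive(copy, s)) for s in ("1234567890", "000987654321", "5555555555")}
```

A drive is reported as diagnostics-only only when every entry found for it has a blank volser, which matches the instruction to search for additional entries before concluding.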
How is my backup application affected when I configure the tape library for library-managed encryption?
When you have enabled library-managed encryption on the tape library and have configured encryption-enabled
partitions, changes to the drive settings are made to the drive(s) in those partitions. You must stop and restart the
backup application services after the encryption-enabled partitions are configured to ensure the backup application
recognizes the encryption setting in the drive(s).
NOTE: The tape backup application will not show encryption as enabled if library-managed encryption is used. The
tape library will show the partitions as encryption enabled. Library-managed encryption is transparent to the tape
backup application. The tape backup application only shows encryption as enabled if the application (for example,
Symantec, CommVault, etc.) is providing the encryption keys to the drive(s).
How does EKM 3.0 handle the addition of new drives or the replacement of a bad drive?
You can add new or replacement drives to the EKM 3.0 server through auto-discovery or manually. To add drives
through auto-discovery, refer to Adding a Device to a Device Group.
Dell recommends that you use auto-discovery because the 12-digit drive serial number (10-digit serial number plus two
leading zeros) must be entered to add the drive manually. If security is a concern, you can turn auto-discovery on and
run test backups or key path diagnostics in the tape library to add the necessary drives to the drive table. Then you can
turn off auto-discovery to prevent new drives from obtaining keys. As long as EKM 3.0 can authenticate the digital
signature assigned to the drive at the factory, EKM 3.0 accepts the key request. The keys are grouped in the keystore in
key groups and you can associate the key groups with the new/replacement drives after the drives are added.
NOTE: If you want to add a device manually, refer to the TKLM documentation. For information on how to access
the TKLM documentation, see the Documentation and Reference Materials section of the ReadThisFirst.txt file on
the EKM 3.0 installation media.
How does EKM 3.0 handle the addition of a new tape library or the replacement of a bad tape library?
In library-managed encryption, the tape library is only a proxy. You can add or replace tape libraries and provide keys as
long as EKM 3.0 can authenticate the digital signature on the drive. The replacement tape library will need to be
licensed for library-managed encryption and configured for use with the existing EKM 3.0.
How is compression affected by encryption and vice versa?
The data is compressed prior to being encrypted because encrypted data is generally uncompressible. Therefore,
compression has no effect on encryption, and vice versa.
Is there a performance impact with encryption?
There may be a slight performance impact with encryption but it should not cause an increase in the backup window.
How do I request and use a third-party certificate?
Create a certificate request in EKM 3.0. Send this certificate request to a Certificate Authority. The certificate returned
by the Certificate Authority can be imported into EKM 3.0 and used to protect data on an encryption-enabled device, or
for SSL communication. Refer to TKLM documentation for more information on how to generate a certificate request,