HP StoreEver 1/8 G2 Tape Autoloader User and Service Guide (AK377-96024, December 2012)

LTO-4 and later generation tape drives and encryption
The LTO-4 and later generation tape drives include hardware capable of encrypting data while
writing data, and decrypting data when reading. Hardware encryption can be used with or without
compression while maintaining the full speed and capacity of the tape drive and media.
Encryption is the process of changing data into a form that cannot be read until it is deciphered
with the key used to encrypt the data, protecting the data from unauthorized access and use. LTO
tape drives use the 256-bit version of the industry-standard AES encryption algorithm to protect
your data.
To make use of this feature you need:
• The HP 1/8 G2 & MSL Encryption Kit or a backup application that supports hardware
  encryption.
• LTO-4 or later generation media; no encryption will be performed when writing LTO-3 and
  earlier generations of tape.
Table 7 Backward read compatibility

| Media | LTO-4 drive | LTO-5 drive | LTO-6 drive |
|---|---|---|---|
| LTO-1 media | Incompatible | Incompatible | Incompatible |
| LTO-2 media | Read only | Incompatible | Incompatible |
| LTO-3 media | Read/Write (no encryption) | Read only | Incompatible |
| LTO-4 media unencrypted | Read/Write | Read/Write | Read only |
| LTO-4 media encrypted | Read/Write with encryption key | Read/Write with encryption key | Read only with encryption key |
| LTO-5 media unencrypted | Incompatible | Read/Write | Read only |
| LTO-5 media encrypted | Incompatible | Read/Write with encryption key | Read/Write with encryption key |
| LTO-6 media unencrypted | Incompatible | Incompatible | Read/Write |
| LTO-6 media encrypted | Incompatible | Incompatible | Read/Write with encryption key |

Your company policy will determine when you need to use encryption. For example, it may be
mandatory for company confidential and financial data, but not for personal data. Company policy
will also define how encryption keys should be generated and managed. Backup applications that
support encryption will generate a key for you or allow you to enter a key manually.
Using the Encryption Kit
The encryption kit includes two USB key server tokens. One key server token is available for use
as a backup for the other. Alternatively, you can save the encryption keys to a file and store that
file in a safe location.
To use the encryption kit, a key server token is inserted in the USB port on the back of the autoloader,
and encryption is enabled and configured from the RMI.
The encryption kit supports your manual security policies and procedures by providing secure
storage for encryption keys. Access to the key server tokens and their backup files is protected with
user-specified passwords. You will need to create processes to protect the tokens and secure the
passwords.