HP StoreEver MSL6480 Tape Library User and Service Guide
Encryption
The LTO-4 and later generation tape drives include hardware capable of encrypting data while
writing, and decrypting data when reading. Hardware encryption can be used with or without
compression while maintaining the full speed and capacity of the tape drive and media.
Encryption is the process of changing data into a form that cannot be read until it is deciphered
with the key used to encrypt the data, protecting the data from unauthorized access and use. LTO
tape drives use the 256-bit version of the industry-standard AES encrypting algorithm to protect
your data.
To use this feature you need:
• The HP 1/8 G2 and MSL Encryption Kit, a supported key server, or a backup application
that supports hardware encryption.
• The associated feature license when using an ESKM or KMIP license manager.
• LTO-4 or later generation media; no encryption will be performed when writing LTO-3 and
earlier generations of tape.
Table 1 Backward read compatibility
Media                       LTO-4 drive                     LTO-5 drive                     LTO-6 drive
LTO-1 media                 Incompatible                    Incompatible                    Incompatible
LTO-2 media                 Read only                       Incompatible                    Incompatible
LTO-3 media                 Read/Write (no encryption)      Read only                       Incompatible
LTO-4 media — unencrypted   Read/Write                      Read/Write                      Read only
LTO-4 media — encrypted     Read/Write with encryption key  Read/Write with encryption key  Read only with encryption key
LTO-5 media — unencrypted   Incompatible                    Read/Write                      Read/Write
LTO-5 media — encrypted     Incompatible                    Read/Write with encryption key  Read/Write with encryption key
LTO-6 media — unencrypted   Incompatible                    Incompatible                    Read/Write
LTO-6 media — encrypted     Incompatible                    Incompatible                    Read/Write with encryption key
Your company policy will determine when you need to use encryption. For example, it may be
mandatory for company confidential and financial data, but not for personal data. Company policy
will also define how encryption keys should be generated and managed. Backup applications that
support encryption will generate a key for you.
Using the encryption kit
The encryption kit provides secure generation and storage of encryption keys. The encryption kit
may be used with any HP 1/8 G2 Tape Autoloader, MSL2024, MSL4048, MSL6480, MSL8048
or MSL8096 Tape Library with at least one LTO-4 or later generation tape drive. The encryption
kit cannot be used with the MSL6000.
The encryption kit includes two USB key server tokens. One key server token is available for use
as backup for the other. To use the encryption kit, a key server token is inserted in the USB port
on the back of the library, and encryption is enabled and configured from the RMI.
The encryption kit supports your manual security policies and procedures by providing secure
storage for encryption keys. Access to the key server tokens and their backup files is protected with
user-specified passwords. You will need to create processes to protect the tokens and secure the
passwords.