HP STORAGEWORKS MSL4048, STORAGEWORKS MSL2024, STORAGEWORKS 1/8 G2, STORAGEWORKS MSL8096 User Manual

HP StorageWorks 1/8 G2 and MSL Encryption Kit User guide
Part number: AM495-96001
First edition: June 2008
Legal and notice information
© Copyright 2008 Hewlett-Packard Development Company, L.P.
12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Microsoft, Windows, Windows XP, and Windows NT are U.S. registered trademarks of Microsoft Corporation.
Adobe and Acrobat are trademarks of Adobe Systems Incorporated.
Java is a US trademark of Sun Microsystems, Inc.
Oracle is a registered US trademark of Oracle Corporation, Redwood City, California.
UNIX is a registered trademark of The Open Group.
Printed in the US

Contents

About this guide
  Intended audience
  Prerequisites
  Related documentation
  Document conventions and symbols
  HP technical support
  Customer self repair
  Product warranties
  Subscription service
  HP websites
  Documentation feedback
1 Features and overview
  Considerations for using the Encryption Kit
  LTO-4 tape drives and encryption
  Requirements for using the Encryption Kit
    Autoloader or Library firmware requirements
    Tape drive and drive firmware requirements
    Access to the USB port
  The key server token LED
  The keys on the key server token
  The token data backup and restore processes
    Scenario 1
    Scenario 2
    Scenario 3
2 Creating your key management processes
  When to create a new encryption key
    Enabling automatic generation of new keys
  Backing up the key server token data
  Managing the token password (PIN)
  Naming key server tokens
  Maintaining encryption capability in the event of a power loss
3 Installing and configuring the Encryption Kit
  Identifying product components
  Preparing the Autoloader or Library
    Log in to the remote management interface
    Verify your Autoloader or Library firmware version
    Locate the USB port
  Preparing the key server tokens
  Configuring encryption
    Insert the key server token
    Enter the PIN
    Configure the encryption mode and features
  Backing up the key server token data
4 Using the Encryption Kit
  Entering the PIN
  Changing the PIN
  Generating a new encryption key
  Enabling or disabling encryption
  Backing up the token data
  Restoring the token data
  Restoring encrypted data
  When to obtain a new key server token
  Restoring encrypted data during disaster recovery
  Using the Encryption Kit with logical libraries
  Restoring the encryption configuration after a chassis or library controller replacement
5 Troubleshooting
  Installation problems
    The Library does not have a USB port
  Operation problems
    Encryption token LED
    Troubleshooting table
  Error codes
  Warning events and messages
Index

Figures

1 Configuration: Security tab
2 USB port location
3 Key server token LED
4 RMI Status: Security page showing the Current key and key creation dates
5 Encryption Kit components
6 RMI Configuration: Security tab
7 USB port location
8 Inserting the key server token
9 Security Configuration pane of the Configuration: Security page
10 Generate a new write key pane of the Configuration: Security page
11 Back up Token to File pane of the Configuration: Security page
12 Restore Token from File pane of the Configuration: Security page
13 Configuration: Security page
14 RMI Logout link
15 Changing the PIN in the Configuration: Security page
16 Generating a new encryption key in the Configuration: Security page
17 Enabling encryption in the Configuration: Security page
18 Back up Token to File pane of the Configuration: Security page
19 Restore Token from File pane of the Configuration: Security page
20 Restore Token from File pane of the RMI Configuration: Security page
21 RMI Configuration: Save/Restore tab
22 USB port location

Tables

1 Document conventions
2 Token status
3 Example token data backup processes
4 Troubleshooting table
5 Error codes
6 Warning events and messages

About this guide

This guide provides information about:
• Developing key management processes.
• Configuring the Tape Autoloader or Tape Library to implement the security policy based on the Encryption Kit.
• Using and administering the Tape Autoloader or Tape Library with the Encryption Kit.
• Troubleshooting problems with the Tape Autoloader or Tape Library when using the Encryption Kit.

Intended audience

This guide is intended for system administrators with knowledge of:
• Tape Autoloader or Tape Library administration and operation
• Security policies and procedures

Prerequisites

Prerequisites for using this product include:
• An HP StorageWorks 1/8 G2 Tape Autoloader, or MSL2024, MSL4048, or MSL8096 Tape Library with at least one LTO-4 tape drive installed.

Related documentation

The following documents provide related information:
• HP StorageWorks 1/8 G2 Tape Autoloader user and service guide
• HP StorageWorks MSL2024, MSL4048, and MSL8096 user and service guide
You can find these documents from the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
In the Storage section, click Tape Storage and Media and then select your product.

Document conventions and symbols

Table 1 Document conventions
Convention | Element
Blue text: Table 1 | Cross-reference links and e-mail addresses
Blue, underlined text: http://www.hp.com | Website addresses
Bold text | Keys that are pressed; text typed into a GUI element, such as a box; GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes
Italic text | Text emphasis
Monospace text | File and directory names; system output; code; commands, their arguments, and argument values
Monospace, italic text | Code variables; command variables
Monospace, bold text | Emphasized monospace text
CAUTION:
Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT:
Provides clarifying information or specific instructions.
NOTE:
Provides additional information.
TIP:
Provides helpful hints and shortcuts.

HP technical support

For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

Customer self repair

HP customer self repair (CSR) programs allow you to repair your StorageWorks product. If a CSR part needs replacing, HP ships the part directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your HP-authorized service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider, or see the CSR website:
http://www.hp.com/go/selfrepair
This product has no customer replaceable components.

Product warranties

For information about HP StorageWorks product warranties, see the warranty information website:
http://www.hp.com/go/storagewarranty

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/e-updates
After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources.

HP websites

For additional information, see the following HP websites:
• http://www.hp.com
• http://www.hp.com/go/storage
• http://www.hp.com/service_locator
• http://www.hp.com/support/manuals
• http://www.hp.com/support/downloads
• http://www.hp.com/go/tape

Documentation feedback

HP welcomes your feedback.
To make comments and suggestions about product documentation, please send a message to storagedocsFeedback@hp.com. All submissions become the property of HP.

1 Features and overview

IMPORTANT:
The Encryption Kit provides secure encryption of your data using key server tokens and passwords. A thorough understanding and proper use of the Encryption Kit operation will maintain the security of your data and ensure that only qualified persons have access to the data. Managing your key server tokens and passwords is critical for preventing unauthorized data access and for avoiding the inability of qualified personnel to access data from tapes. Read and understand this Encryption Kit user guide before enabling encryption.
The HP StorageWorks 1/8 G2 & MSL LTO-4 Encryption Kit provides secure generation and storage of encryption keys. The Encryption Kit may be used with any HP StorageWorks 1/8 G2 Tape Autoloader or the MSL2024, MSL4048, and MSL8096 Tape Library with at least one LTO-4 tape drive. The Encryption Kit may not be used with the MSL6000.
The Encryption Kit includes two USB key server tokens. One key server token is intended as backup for the other.
To use the Encryption Kit, a key server token is inserted in the USB port on the back of the Autoloader or Library, and encryption is enabled and configured from the remote management interface (RMI).
The Encryption Kit supports your manual security policies and procedures by providing secure storage for encryption keys. Access to the key server tokens and their backup files is protected with user-specified passwords. You will need to create processes to protect the tokens and secure the passwords.
The Encryption Kit requires support from the Autoloader or Library firmware and the tape drive firmware. See “Autoloader or Library firmware requirements” on page 13 and “Tape drive and drive firmware requirements” on page 13. You can download Autoloader or Library firmware files from the HP Support website at http://www.hp.com/support.
IMPORTANT:
When encryption is enabled with the Encryption Kit, the Autoloader or Library will not use encryption keys from other sources, such as a key management system or application software. Disable encryption in applications writing to the Autoloader or Library when encryption is enabled with the Encryption Kit. Applications that attempt to control encryption while encryption is enabled with the Encryption Kit will not be able to do so, which can cause backups or other write operations to fail.

Considerations for using the Encryption Kit

The purpose of encryption is to protect data from unauthorized access and use. For LTO-4 tape drives, the encryption algorithm is based on encryption keys. With the Encryption Kit, the encryption keys are stored on the key server token and access to the keys is protected by a password.
To enable, disable, and configure encryption on the Tape Autoloader or Library, you must also be logged into the Autoloader or Library remote management interface (RMI) using the administrator password for the Autoloader or Library.
To write encrypted data, you must have the key server token and the password for the key server token. Only one encryption key is used on a tape cartridge. If the tape cartridge contains previously-encrypted data, a key server token with the key for the tape must be in the Autoloader or Library.
To read encrypted data, you must have a key server token with the key for the tape and the password for the key server token. The association between the encryption key and the tape is not stored on either the key server token or the tape.
CAUTION:
If you lose the key server tokens and token backup files associated with a tape, neither you nor HP will be able to recover the encryption keys that were stored on the tokens. HP recommends that the second key server token be used as a backup of the first key server token, and that one of the tokens be stored off site in a secure location.
If you lose the password to the key server token, neither you nor HP will be able to recover or reset the password to access the encryption keys. Without the password you will not be able to recover the data from tapes using the encryption keys on the token. HP recommends that you keep the password in a secure location, and that at least one copy of the password be kept off site in a secure location.
If the key server token is removed or becomes dislodged from the USB port on the back of the Autoloader or Library, the tape drive will not be able to read or write encrypted data. This could cause your backup or other data operation to fail.
Reading encrypted data from a tape cartridge requires the tape cartridge, a key server token with the encryption key for the tape, the password for the key server token, and the administrator password for an Autoloader or Library. To prevent unauthorized access to your data, HP recommends keeping these items in safe and secure locations.

LTO-4 tape drives and encryption

The LTO-4 tape drives include hardware capable of encrypting data while writing data, and decrypting data when reading. Hardware encryption can be used with or without compression while maintaining the full speed and capacity of the LTO-4 tape drive and media.
NOTE:
LTO-4 tape drives will only write encrypted data to LTO-4 tapes. LTO-4 tape drives cannot write encrypted data to LTO-3 tapes.
Encryption is the process of changing data into a form that cannot be read until it is deciphered with the key used to encrypt the data, protecting the data from unauthorized access and use. LTO-4 tape drives use the 256-bit version of the industry-standard AES encrypting algorithm to protect your data.
Your company policy will determine when and how to use encryption. For example, encryption may be mandatory for company confidential and financial data, but not for personal data. Company policy will also define how encryption keys should be generated and managed, how frequently they should be changed, and how passwords are managed.
Encryption is primarily designed to protect the media once it is offline and to prevent it from being accessed by unauthorized users. You will be able to read and append the encrypted media as long as a key server token containing the correct key is installed and the appropriate passwords are available.
For more information about AES encryption, encryption keys, and using hardware encryption with your HP Ultrium tape drive, see the White Papers at http://h18006.www1.hp.com/storage/tapewhitepapers.html.
NOTE:
Some earlier LTO-4 tape drive firmware revisions may not support the Encryption Kit functionality. Before enabling encryption, verify that the tape drive has firmware that supports the Encryption Kit. See “Tape drive and drive firmware requirements” on page 13 and update the firmware if necessary.

Requirements for using the Encryption Kit

Using the Encryption Kit requires support from the Autoloader or Library firmware and the tape drive firmware, as well as access to the USB port on the back of the Autoloader or Library.
Autoloader or Library firmware requirements
To see whether your Library or Autoloader firmware supports the Encryption Kit, log into the remote management interface (RMI) for your product. If the RMI has a Status: Security tab, the firmware supports the Encryption Kit.
Figure 1 Configuration: Security tab
If your Autoloader or Library does not have the Status: Security tab, you must download and install the current Autoloader and Library firmware. You can download Autoloader or Library firmware files from the HP Support website at http://www.hp.com/support.
Tape drive and drive firmware requirements
The Autoloader or Library must have at least one LTO-4 tape drive. LTO-1, LTO-2, and LTO-3 tape drives do not support native encryption and cannot be used to encrypt or decrypt data with the Encryption Kit. When encryption is enabled, only LTO-4 tapes can be written in LTO-4 tape drives.
NOTE:
Verify that the tape drive has the correct firmware before enabling encryption. If you enable encryption with earlier versions of firmware, the Autoloader or Library will disable the tape drive port.
The tape drive must have the following or later versions of tape drive firmware:
Tape drive | Parallel SCSI | SAS | Fibre Channel
Ultrium 1760 | W22W | U26W | Not Applicable
Ultrium 1840 | B45W | Not Applicable | H44W
To find the version of firmware on your tape drive, see “Verify your Autoloader or Library firmware version” on page 23.
NOTE:
With the above LTO-4 tape drive firmware revisions, the Autoloader or Library will NOT allow LTO-3 media in LTO-4 tape drives when encryption is enabled with the Encryption Kit. Always ensure that your tape drive has the most recent firmware version. You can download tape drive firmware files from the HP Support website at http://www.hp.com/support.

Access to the USB port

To use the key server tokens included in the Encryption Kit, the USB port on the back of the Autoloader or Library must be accessible. On some MSL2024 and MSL4048 Libraries you may need to remove the silver tape covering the USB port.
Figure 2 USB port location

The key server token LED

The key server token has a green status LED, which is visible through the token label.
Figure 3 Key server token LED
Table 2 Token status
LED behavior | Token status
On | The token is ready to be used by the Autoloader or Library.
Off | The token is not receiving power and must be fully inserted into the Autoloader or Library USB port.
Flashing | The device with the USB port does not have software to communicate with the key server token. If this occurs when the key server token is plugged into the Autoloader or Library, update the Autoloader or Library firmware to the current version.
See “Encryption token LED” on page 37 for additional information about the key server token LED.
NOTE:
The key server token is not a USB flash drive and its contents cannot be read by devices other than the Autoloader or Library.

The keys on the key server token

The Encryption Kit key server token generates, stores, and retrieves keys used both to encrypt data and to decrypt data. The same key is used as both the encryption key and the decryption key for a tape, but different tapes may use different keys.
Only one key is used at a time for encrypting data on new or formatted tapes in the Autoloader or Library. This key is called the current key. In most cases, the current key is the most recently created key. You can see the Current key and key creation dates in the RMI Status: Security page, as shown in Figure 4. When you manually create a new key or when the automatic key generation policy creates a new key, the previous current key will no longer be used to encrypt new or formatted tapes. All of the keys on the token, including the current key, are always available for decryption.
Figure 4 RMI Status: Security page showing the Current key and key creation dates
The token can hold up to 100 keys. Any tape that was written using one of the keys on the token can be read using that token.
If an attempt is made to read an encrypted tape and the key is not on the installed token, an error message will be displayed when the tape drive attempts to read the tape. If your application supports appending data to a previously written tape, the original key used to write the tape must be available on the installed token to append data to the tape. Only one key is used to encrypt all of the data on a tape.
The status of each individual key in the Keys on Key Server Token section might inform you that a key has not had a backup operation performed on it. When you start the process to back up the token contents to a file, this status will be cleared. Also note that the backup status of the token might appear in the Key Server Token Status line in the upper portion of the page. This status means that a backup is required, even if no individual keys in the Keys on Key Server Token section have this status. This situation usually occurs when a token has keys restored to it that were not on the original token. In this case, the Autoloader or Library has information that there are keys that have not been backed up, but cannot uniquely identify them. Always create a backup of the token whenever the Key Server Token Status indicates a backup is required.

The token data backup and restore processes

The Encryption Kit includes a process to back up the key server token data to a password-protected file and a process to restore the token backup file to a token. After the restore process, the receiving token contains a copy of each key from the backup file along with the keys it had before the restore process. The receiving token will keep the same current key for writing encrypted tapes.
NOTE:
After the second and subsequent restore operations to a token, the two tokens will never have the same current write key. If you need two tokens with the same write key, restore a backup of one token onto a new token.
In the following example, consider the tokens named Blue, Yellow, and Green:
The Blue token has current key D, with decryption keys A, B, C, and D.
Blue token
D = current key
C
B
A
The Yellow token has been initialized with a name “Yellow” but does not have any keys.
Yellow token
(no keys)
The Green token has current key F, with decryption keys F, A, and E. Key A is the same key A on the Blue token from a previous save/restore operation.
Green token
F = current key
E
A

Scenario 1

In this scenario, a backup file from the Blue token is restored to the Yellow token. Because the Yellow token does not have any keys, after the restore operation the Yellow token has all of the keys from the Blue token, with D as the current key.
Restoring to a token without keys is the only way for two tokens to have the same current key.
Yellow token (after restore)
D = current key
C
B
A

Scenario 2

In this scenario, a backup file from the Blue token is restored to the Green token. After the restore operation, the Green token contains all of the keys from both tokens. It only has one key A, which was on both tokens. It retains F as its current key.
Any tapes written with the Green token after the restore will be encrypted with a different key (F) than tapes written with the Blue token installed (D).
Green token (after restore)
F = current key
E
D
C
B
A

Scenario 3

In this scenario, a backup file from the Green token (after the restore in Scenario 2) is restored to the Blue token. After the restore operation, both tokens have an identical set of keys, but do not have the same current key used to encrypt new and formatted tapes. The only way to create two tokens with the same current key is to restore a backup onto a token that does not have any keys, as in Scenario 1.
Blue token (after restore)
F
E
D = current key
C
B
A
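
The restore rules from Scenarios 1 to 3, modelled as an added example (not HP code and not part of the original guide). The class and function names are constructed for illustration, and the model assumes the backup file records which key was current, because Scenario 1 ends with D as the current key.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

MAX_KEYS = 100  # per the guide: a token holds up to 100 keys and keys can never be deleted


@dataclass(frozen=True)
class Token:
    """Toy model of a key server token (key labels only, no key material)."""
    name: str
    keys: FrozenSet[str] = frozenset()
    current: Optional[str] = None  # key used to encrypt new or formatted tapes


@dataclass(frozen=True)
class Backup:
    """Toy model of a token backup file: the keys, but not the token name or PIN."""
    keys: FrozenSet[str]
    current: Optional[str]  # assumption: the file records the source token's current key


def back_up(token: Token) -> Backup:
    return Backup(token.keys, token.current)


def restore(target: Token, backup: Backup) -> Token:
    """Merge the backup into the receiving token.

    The receiving token keeps its own current key; only a token that held
    no keys takes the current key from the backup (Scenario 1).
    """
    merged = target.keys | backup.keys
    current = target.current if target.keys else backup.current
    return Token(target.name, merged, current)


def can_read(token: Token, tape_key: str) -> bool:
    """A tape is readable (and appendable) only if its key is on the installed token."""
    return tape_key in token.keys


def slots_left_after_restore(target: Token, backup: Backup) -> int:
    """Preview how many of the 100 key slots remain after a restore; it cannot be undone."""
    return MAX_KEYS - len(target.keys | backup.keys)


def run_scenarios():
    """Replay the guide's three scenarios with its own key labels."""
    blue = Token("Blue", frozenset("ABCD"), "D")
    yellow = Token("Yellow")
    green = Token("Green", frozenset("AEF"), "F")
    yellow_1 = restore(yellow, back_up(blue))   # Scenario 1
    green_2 = restore(green, back_up(blue))     # Scenario 2
    blue_3 = restore(blue, back_up(green_2))    # Scenario 3
    return yellow_1, green_2, blue_3


if __name__ == "__main__":
    for tok in run_scenarios():
        print(f"{tok.name}: keys={''.join(sorted(tok.keys))} current={tok.current}")
```

After Scenario 3 either token can read any tape written with keys A to F, but new tapes are still encrypted with D on Blue and F on Green, so the record of which token wrote which tape remains necessary.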

2 Creating your key management processes

The Encryption Kit provides encryption key generation and secure storage of the keys, and is intended to be used within a key management process. Processes should be developed to manage your encryption keys, tokens, and passwords before configuring encryption on the Autoloader or Library.
The key management processes may be based on your company's security and audit policies. Following are recommendations if your company does not have security policies or the security policies do not address areas needed for the key management processes. If you have highly sensitive data or are unsure about using encryption, HP recommends that you consult with a security expert to develop policies appropriate to your situation.

When to create a new encryption key

HP recommends that a new encryption key be created at least annually and at most weekly when using the Encryption Kit. The token can hold up to 100 keys. Once the key server token is full, additional key server tokens must be purchased. Keys can never be deleted from a key server token.
Your organization's backup and audit policies may specify when and how often to create a new key. If your organization's policies do not address creating new keys but include a frequency for replacing or archiving tapes, that policy could be the basis for determining when and how often to create a new key.
NOTE:
When initializing a token, you must create the first key manually. See “Generating a new encryption key” on page 32.

Enabling automatic generation of new keys

You can enable the Autoloader or Library to periodically generate a new encryption key and specify the number of weeks to use each key, as well as the day and time for generating new keys.
If you advance the Autoloader or Library time past a time when a new key would have been generated, the new key will not be generated. For example, if the automatic key generation policy is to generate a new key on Monday mornings and on Sunday the Library time is updated to a time on Tuesday, a new key will not be generated. When advancing the Autoloader or Library time, check the automatic key generation policy and manually generate a new key if necessary.
If the Autoloader or Library is powered off during a time when the automatic key generation policy would have generated a new key, a new key will be generated when the Autoloader or Library is powered on and the PIN is entered. Only one new key is generated, even if the Autoloader or Library was powered off for a time when multiple keys would have been generated had the Autoloader or Library been left on.
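
An operator-side check for the two cases above, plus the 100-key limit, as an added example (not HP code and not part of the original guide). The function names and sample dates are constructed, and the sketch assumes generation times fall every N weeks counted from a known first scheduled time.

```python
from datetime import datetime, timedelta

MAX_KEYS = 100  # per the guide: a token holds up to 100 keys and keys can never be deleted


def scheduled_times(first_due, weeks_per_key, start, end):
    """Scheduled generation times t with start < t <= end.

    Assumption: the policy fires every `weeks_per_key` weeks from `first_due`.
    """
    step = timedelta(weeks=weeks_per_key)
    t = first_due
    if t <= start:
        # Jump to the first slot strictly after `start`.
        t = first_due + ((start - first_due) // step + 1) * step
    times = []
    while t <= end:
        times.append(t)
        t += step
    return times


def clock_advanced(first_due, weeks_per_key, old_clock, new_clock):
    """Clock set forward: slots jumped over produce no key, so one must be made manually."""
    skipped = scheduled_times(first_due, weeks_per_key, old_clock, new_clock)
    return {"keys_generated": 0, "generate_manually": bool(skipped), "skipped": skipped}


def powered_off(first_due, weeks_per_key, off_at, pin_entered_at):
    """Power-off across one or more slots: exactly one key appears once the PIN is entered."""
    missed = scheduled_times(first_due, weeks_per_key, off_at, pin_entered_at)
    return {"keys_generated": 1 if missed else 0, "missed": missed}


def weeks_until_full(keys_on_token, weeks_per_key):
    """Weeks of rotation left before the token holds 100 keys and a new token is needed."""
    return max(0, MAX_KEYS - keys_on_token) * weeks_per_key


# Constructed sample data: weekly policy, Monday 06:00, first due on Monday 2 June 2008.
FIRST_DUE = datetime(2008, 6, 2, 6, 0)
# The guide's example: on Sunday the clock is set to a time on Tuesday.
CLOCK_CHANGE = clock_advanced(FIRST_DUE, 1,
                              datetime(2008, 6, 1, 12, 0), datetime(2008, 6, 3, 12, 0))
# Library off from Friday 6 June until the PIN is entered on Wednesday 25 June.
POWER_CYCLE = powered_off(FIRST_DUE, 1,
                          datetime(2008, 6, 6, 18, 0), datetime(2008, 6, 25, 9, 0))

if __name__ == "__main__":
    print("clock change:", CLOCK_CHANGE)
    print("power cycle :", POWER_CYCLE)
    print("weeks until full (1 key, weekly):", weeks_until_full(1, 1))
```

In the power-cycle sample three Monday slots pass while the Library is off but only one key is generated, so the tapes written afterwards share one key instead of the three the policy would otherwise have produced.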

Backing up the key server token data

HP recommends that you back up the key server token data after a new key is created and before the new key is used to write tapes. The key server token data can be backed up to a password-protected file from the RMI. The backup process will save all of the keys, but not the token name or PIN.
The Encryption Kit includes two key server tokens. One token is intended to be installed in the Autoloader or Library to encrypt and decrypt tapes. If the first token is lost or damaged, the second token can be used in its place. The second token can also be used to read tapes with encrypted data at a different location. If the second token contains a backup of the first token's data, it should be stored in a secure location, such as a fireproof safe in a different building.
The token data backup file and the second token support several approaches to backing up the keys so that tapes can continue to be written and read if the first token is lost or destroyed. Choose an approach that best meets your organization's needs and capabilities.
Table 3 Example token data backup processes
Backup process
Back up the token backup le and store the uninitialized second token in a secure location.
Back up the token data to removable media, such as a USB ash drive or CD, and store it in asecurelocation.
Back up the token data on the rst token to the second token and keep the second token in a secure location.
Restore process
Retrieve the token backup file from your organization's file backup program and restore it onto the unused second token.
Retrieve the backup media and second token from the secure location and restore the token data onto the second token.
Retrieve the second token from the secure location and insert into any supported Autoloader or Library.
Benefits
Avoids having to retrieve physical media containing the token data from an off-site location to create a new token data backup.
The token in use does not need to be removed from the Autoloader or Library during the token data backup process.
The token backup file can be restored onto any token.
The second token does not need to be stored in a secure location.
By using a new token for the restore process, the second token will have the same current key to encrypt tapes as the original token.
The token in use does not need to be removed from the Autoloader or Library during the token backup process.
The token backup file can be restored onto any token.
The second token does not need to be stored in a secure location.
If your file backup process uses an Autoloader or Library with the Encryption Kit, you will be able to restore the token backup file to a new token if the token in use is lost or damaged.
The second token may be used immediately.
The token is easy to store in a secure location.
Requirements
Highly-reliable file backup and restore processes that store backup data off site.
NOTE:
If your file backup process writes encrypted data to an Autoloader or Library using the Encryption Kit, be sure to back up the token data file to a different removable media, as in the next case. If the first token is lost or damaged, you will need the token backup file to restore onto a token and you will not be able to restore the token backup file from the encrypted tape without a token with a key for the tape.
New backup media must be created when a new key is generated.
Token data backup files on removable media must be stored in a secure location.
The second token must be retrieved from the secure location to back up new keys created on the installed token.
The second token must be retrieved from the secure location if the first token is lost or damaged.
You must understand that the second token may not have the same current key used to encrypt tapes.
Page 22
Managing the token password (PIN)

The token password, called a PIN, protects access to the data on the key server token.
IMPORTANT:
The PIN is required to write and restore encrypted data. Neither you nor HP can recover, restore, or reset the PIN if it is lost or forgotten.
The PIN is set and can be changed from the RMI. Setting the PIN the first time also requires the Autoloader or Library administrator password. Changing the PIN requires both the current PIN and the Autoloader or Library administrator password.
You must enter the PIN each time the Autoloader or Library cycles power, the first time a token is inserted since the Autoloader or Library was powered on, and when a token is inserted after another is removed. The PIN does not need to be entered again if a token is removed and replaced without inserting a different token.
HP recommends that you create PIN management policies to ensure that the PIN is stored in a secure location and that it is only available to authorized personnel. The PIN management policies should consider:
• Ensuring that the PIN can be accessed by authorized personnel when necessary, even if the security officer or administrator is unavailable.
• Ensuring that the PIN is not accessible by unauthorized personnel.
• Ensuring that the PIN is not lost, damaged, or destroyed.
• Enabling, disabling, and configuring encryption requires both the Autoloader or Library administrator password and the token PIN. For increased security, the administrator password and token PIN can be known by different people, requiring two people to make these critical changes.

Naming key server tokens

The name of the key server token can have up to 126 characters. This is enough space to use a descriptive name, which can be helpful in determining which token has the encryption key for a particular tape if the documentation mapping the tokens and tapes is lost. For example, the name could include dates when the token was used, or the facility or department whose tapes are encrypted with keys on the token.
You can see the name of the token currently in the Autoloader or Library in the RMI Status: Security screen without the PIN or administrator password.
You can modify the name of the token currently in the Autoloader or Library in the RMI Configuration: Security screen. You must log into the RMI as the administrator and enter the PIN to modify the token name.

Maintaining encryption capability in the event of a power loss

For increased security, the key server token's PIN is stored in volatile memory in the Autoloader or Library. Each time the Autoloader or Library cycles power the PIN must be entered. The Autoloader or Library will display a warning message on the OCP and RMI, and send periodic SNMP and email events, if those options are enabled, until the PIN is entered. The Autoloader or Library will not write encrypted data when encryption is enabled until the PIN is entered.
CAUTION:
If it is critical that the Autoloader or Library maintain encryption capability in the event of a power loss, HP recommends that you plug the Autoloader's or Library's power cable into an uninterruptible power supply.
Page 23
3 Installing and configuring the Encryption Kit

Identifying product components

Verify that you received all of the product components.
Figure 5 Encryption Kit components
1. Two key server tokens
2. Bag of holders and cards
3. Product documentation

Preparing the Autoloader or Library

Log in to the remote management interface

The key server token and Autoloader or Library encryption capabilities can only be configured from the web-based remote management interface (RMI). Log into the RMI as the administrator user.
If you have not used the RMI on this Autoloader or Library in the past, you may need to configure the network on the Autoloader or Library before continuing.
TIP:
See the Getting started guide that came with the Autoloader or Library, or the User and service guide on the documentation CD for instructions on configuring the network and using the RMI. You can also find these documents on the HP website at http://www.hp.com/support/manuals.

Verify your Autoloader or Library firmware version

Verify that your Autoloader or Library has current firmware. If you see the Status: Security tab in the RMI, the firmware supports the Encryption Kit. If this tab is missing, update the Autoloader or Library firmware to the current version. Neither the administrator password nor token PIN are required to see the Status: Security tab.
Page 24
Figure 6 RMI Configuration: Security tab
You can download Autoloader or Library firmware files from the HP Support website at http://www.hp.com/support.

Locate the USB port

Locate the USB port on the back panel of the Autoloader or Library.
Figure 7 USB port location
If the USB port is covered with silver tape, remove the tape.

Preparing the key server tokens

As part of your security process, you will need to track each key server token, along with information associated with the token. If you do not have a security policy that specifies this information, see Chapter 2 on page 19 for information about creating your encryption key management processes.
The Encryption Kit includes two methods of tracking the tokens. Choose the approach that works best for your security policy and organization. HP recommends that you use both approaches.
• Attached tag — The Encryption Kit includes a card and holder, which can be used to attach information to the token.
• Serial number — Each key server token has a unique serial number. You can use the serial number to identify the key server token and correlate the tape cartridges written with keys on the token.
TIP:
The serial number is on the bottom of the token when the token is in the Autoloader or Library, making it difficult to see. You can also find the token serial number on the RMI Status: Security page. You do not need the administrator password to see the Status: Security page.
Page 25
IMPORTANT:
HP recommends that you maintain a record of the tape cartridges that are written with encryption keys on the key server token. When restoring the data from an encrypted tape, you will need to use a key server token containing the encryption key for that tape. The name of the key server token is not stored on the tape and the name of the tape is not stored on the key server token. If you do not know which token contains the key for a tape, you may need to try all of your key server tokens when restoring data from an encrypted tape.
NOTE:
If you are using Encryption Kits with multiple Autoloaders or Libraries, you will need to track the Autoloader or Library used with each token as this information is not recorded on the token.
To use the attached tags to identify the tokens:
1. Write the token identification information on the paper cards.
2. Insert each card into a holder.
3. Attach the holders to the tokens.
4. Track the tape cartridges that are written with keys stored on the token and keep a copy of this record in a secure location.
To use the serial numbers to identify the tokens:
Record the token identification information and tape cartridges that are written with keys stored on the token, and keep a copy of the record in a secure location.
Configuring encryption

In this section, you will configure the name and PIN for the key server token, and configure encryption on the Autoloader or Library.

Insert the key server token

Insert the key server token in the USB port on the back panel of the Autoloader or Library.
Figure 8 Inserting the key server token

Enter the PIN

When a key server token is inserted for the first time in any Autoloader or Library, the Autoloader or Library will recognize it as a new token and display a dialog on the RMI requesting that you enter a PIN.
Page 26
The new PIN must be at least eight characters long and contain at least one capital letter, at least one lower case letter, and at least two numbers. Follow the directions in the dialog to enter your PIN.
Store a copy of the PIN in a secure location.
CAUTION:
The key server token uses a PIN to protect the encryption keys from unauthorized access. If you lose the PIN, you will not be able to restore data from your encrypted tapes using that token. Neither you nor HP can recover a lost PIN. Keep a copy of the PIN in a safe place.
Configure the encryption mode and features

From the Configuration: Security page you can enter the name of the token, enable or disable encryption for the Autoloader or Library, and enable the Autoloader or Library to automatically generate a new key. If your Library is configured with multiple logical libraries, you can enable or disable encryption independently for each logical library containing an LTO-4 tape drive. While the key server token can store up to 100 keys, only one key is used to write new and formatted tape cartridges. The same encryption key is used by all tape drives in the Library.
NOTE:
If your application appends data to existing tapes, the key originally used to write the tape is used to append additional data to the tape; a key server token holding that key must be installed in the Autoloader or Library.
To configure the encryption mode and features:
1. Click the Encryption enabled box to enable encryption for the Autoloader or Library, or for one or more logical libraries that contain an LTO-4 tape drive. Logical libraries that do not contain an LTO-4 tape drive will not appear on the configuration page.
Figure 9 Security Configuration pane of the Configuration: Security page
2. Enter the name of the token in the Token Name field. The name can have up to 126 characters.
TIP:
Using a descriptive name, including the dates when the keys on the token were used, could be helpful if your log of tapes written with keys on the token is lost.
3. Click Submit in the Security Configuration pane to apply your selections.
Page 27
4. Generate the first key. By default, you must manually request the key server token to generate a new key. Click Apply in the Generate a new write key pane to generate the first key.
Figure 10 Generate a new write key pane of the Configuration: Security page
5. Optional: Enable and configure automatic key generation. When automatic key generation is enabled, the Autoloader or Library will automatically request the key server token to generate a new key periodically, according to the policy you configure. Set the policy for the new key generation frequency, and the day and time this will occur. Be aware that when new keys are created automatically they are not backed up until you do so manually. To avoid only having one copy of the new key, set the automatic key generation policy for a time when you can back up the new key before tapes are written using the new key.
Click Submit in the Security Configuration pane to apply your selections.
NOTE:
A key is not generated when the Autoloader or Library time is advanced past a time when a new key would have been generated. If you advance the Autoloader or Library time, check the automatic key generation policy to see whether a new key is needed, and if so, manually generate it.
One new key is generated if the Autoloader or Library is off at a time when a new key would have been automatically generated. To prevent a new key from being generated in this case, disable automatic key generation before powering off the Autoloader or Library.
NOTE:
Only one key in the key server token is used to write new or formatted tapes in the Autoloader or Library. If the Autoloader or Library has a tape in an LTO-4 tape drive when you change the write key or enable/disable encryption for that tape drive, the new configuration for that tape drive will not take effect until after that tape is ejected from the LTO-4 tape drive.

Backing up the key server token data

The key server token contains the keys used to encrypt and decrypt your tapes. HP strongly recommends that you back up the keys on the token to allow you to access your data if a token is lost or damaged. When backing up the key server token data, the token data is saved to a password-protected file. You can then back up that file with a file backup process, archive it on other media, such as a USB flash drive or CD, and restore it to the second key server token. For more information about creating a process for backing up the key server token data, see “Backing up the key server token data” on page 19.
CAUTION:
When a new key is created, HP recommends that you always back up the token data and store the backup in a safe place. You will not be able to restore data from your encrypted tapes without a token containing the encryption key used to write the tape and the token PIN. Neither you nor HP can recover the key used to write a tape without a token containing the key and the token PIN.
If the token data is saved to a file, you can create a token from the file at any time if you know the file password, even if the original token is not available.
To back up the information on the key server token to a file:
1. Verify that the token to be backed up is in the USB port on the back of the Autoloader or Library.
Page 28
2. In the Back up Token to File pane of the Configuration: Security screen, enter a new password to be used to protect access to the contents of the backup file in the Enter Token Backup File Password and Repeat Token Backup File Password fields. For increased security, do not use the token PIN.
Figure 11 Back up Token to File pane of the Configuration: Security page
3. Click Submit Token Backup File Password.
4. Click Save and follow the instructions as they appear on the screen to specify a location for the token backup file.
NOTE:
If your browser has a pop-up blocker enabled, the file dialog box may not appear. Turn off your pop-up blocker before clicking Save.
5. Save the token backup file to removable media or a location where it will be backed up by your file backup process, if applicable. Store the removable media with the token backup file in a secure location.
NOTE:
If your file backup process backs up encrypted files to an Autoloader or Library using the Encryption Kit, keep another copy of the file on removable media, such as a USB flash drive or CD, or on the second token. If the first token is lost or damaged you will not be able to restore the token backup file from an encrypted tape to create a replacement token.
If your token data backup policy is to back up the token data on the second token, to do so:
1. Insert the second token into the USB port on the back of the Autoloader or Library.
2. Set the PIN and token name, as you did for the first token.
3. In the Restore Token Backup from File pane of the Configuration: Security page, enter the Token Restore File Password. (The Token Restore File Password is the Token Backup File Password used when the token backup file was created.)
4. Click Submit Token Restore File Password.
Page 29
5. Enter the location of the token backup file. (The Browse button will be active after the token restore file password is submitted.)
Figure 12 Restore Token from File pane of the Configuration: Security page
NOTE:
Each key server token can hold up to a maximum of 100 keys. If the token backup file and the token receiving the restore contain over 100 unique keys, the restore process will not be initiated. You will receive warnings when the key server token is over 90% full. You should purchase new tokens and transition to using a new token when these warnings appear. Keys can never be deleted from the key server token.
6. Click Restore.
7. After the backup process is complete, return the first key server token to the USB port of the Autoloader or Library.
8. Store the second key server token in a secure location.
CAUTION:
The token must be in the USB port of the Autoloader or Library to read or write encrypted data. If the token is dislodged or removed, your backups could fail. If the token is lost, you will not be able to restore the data from your encrypted tapes unless you have a token with the keys used to write the tapes.
Page 30
Page 31

4 Using the Encryption Kit

NOTE:
Some RMI Configuration: Security options may not be available until the Autoloader or Library has completed its power on cycle. Buttons that are grayed out may become available when the power on cycle is completed.

Entering the PIN

The PIN is a password that protects access to the data on the key server token. When you insert a different key server token or power on the Autoloader or Library, you must enter the key server token password (PIN) from the RMI Configuration: Security page before the Autoloader or Library will read or write encrypted data using keys from the token. Accessing the Configuration: Security page requires the administrator password.
Figure 13 Configuration: Security page
After entering the PIN you will be able to configure the Encryption Kit for the duration of the RMI session. The RMI session will end automatically after about five minutes without RMI user interaction. You can click Logout in the upper right corner of the RMI page banner to end the RMI session immediately.
NOTE:
After the RMI session ends, the PIN will still be available to the Autoloader or Library to access the keys on the token for writing and reading tapes. For encryption operation, the PIN only needs to be entered once when the Autoloader or Library is powered on or a different token is installed in the Autoloader or Library.
Page 32
Figure 14 RMI Logout link

Changing the PIN

You can change the PIN from the RMI Configuration: Security page. Accessing the Configuration: Security page requires the administrator password.
Figure 15 Changing the PIN in the Configuration: Security page

Generating a new encryption key

You can generate a new encryption key from the RMI Configuration: Security page. Accessing the Configuration: Security page requires the administrator password.
Figure 16 Generating a new encryption key in the Configuration: Security page
To generate a new encryption key, click Apply in the Generate a new write key pane. The Autoloader or Library will take a few seconds to generate the new key.
The new key will be used starting with the next new or formatted tape written. Only one key is used to write all of the data on a tape.
NOTE:
The key server token holds a maximum of 100 keys.

Enabling or disabling encryption

You can enable or disable encryption from the RMI Configuration: Security page. Accessing the Configuration: Security page requires the administrator password.
Page 33
Figure 17 Enabling encryption in the Configuration: Security page
Click in the Encryption enabled box to enable or disable encryption. The green check mark shows that encryption is enabled.
Enabling or disabling encryption will take effect on the next tape unload for each tape drive. The encryption mode for a tape will not change while the tape is being written. Once a tape drive has started the decryption process for a tape, that tape's data will continue to be decrypted until the tape is unloaded.

Backing up the token data

You can back up the token data from the RMI Configuration: Security page. Accessing the Configuration: Security page requires the administrator password.
Figure 18 Back up Token to File pane of the Configuration: Security page
During the token backup process, the Autoloader or Library will write the token information to a file, which will be saved on the computer from which you are running the browser with the RMI. After the file is written, the information can be restored to a different token.
During the restore process, the encryption keys from the file will be merged with the keys on the token. If the number of unique keys from the two sources is greater than 100, the restore process will not be initiated.
TIP:
If you want two tokens to both have all of the keys, perform the backup and restore procedures twice, starting each time with a different token. Each token will retain its current key used to write new or formatted tapes, but both tokens can be used to decrypt tapes written with keys from either token.
To back up the information on a token to a file:
1. Log into the RMI Configuration: Security page. To do so, you will need to log into the RMI as the administrator user and supply the PIN for the token in the Autoloader or Library.
2. In the Back up Token to File pane, enter a password which will be used to secure the data file on the computer in both fields. The second one ensures that the password was typed correctly.
Page 34
3. Click Set Token Backup Password.
4. Click Save. The RMI will prompt you for the location to save the file. Follow the instructions in the RMI.

Restoring the token data

You can restore the token data from the RMI Configuration: Security page. Accessing the Configuration: Security page requires the administrator password.
Figure 19 Restore Token from File pane of the Configuration: Security page
During the restore process, the encryption keys from the file will be merged with the keys on the token. If the number of unique keys from the two sources is greater than 100, the restore process will not be initiated. To ensure that all of the keys are on both tokens, perform the backup and restore procedures twice, starting each time with a different token.
The write key after the restore will be the one from the token receiving the restore, unless the token receiving the restore does not have any keys. For more information about backing up and restoring the token data, along with examples of how these operations affect the write key, see “The token data backup and restore processes” on page 15.
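The merge rules described above (a union of unique keys capped at 100, with the receiving token keeping its own write key unless it holds no keys) can be modelled to plan backup and restore runs before handling real tokens. This Python model is an added example, not HP code or part of the original guide; the Token class, the key identifiers and the 90-key warning threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TOKEN_CAPACITY = 100  # from the guide: a token holds a maximum of 100 keys
WARN_AT = 90          # assumption: "90% full" modelled as 90 or more keys

Backup = Tuple[Tuple[str, ...], Optional[str]]  # (all keys, current write key)


class RestoreRefused(Exception):
    """Merged key set would exceed the capacity, so the restore is not started."""


@dataclass
class Token:
    name: str
    keys: List[str] = field(default_factory=list)  # keys can never be deleted
    write_key: Optional[str] = None  # key used for new or formatted tapes

    def generate_key(self, key_id: str) -> None:
        """Model 'Generate a new write key': the new key becomes the write key."""
        if len(self.keys) >= TOKEN_CAPACITY:
            # Assumption: the guide does not say how a full token reacts.
            raise ValueError(f"{self.name} is full")
        self.keys.append(key_id)
        self.write_key = key_id

    def nearly_full(self) -> bool:
        """True once the token should be replaced by a new one."""
        return len(self.keys) >= WARN_AT

    def can_decrypt(self, tape_key: str) -> bool:
        """A tape can only be read with a token that holds its key."""
        return tape_key in self.keys


def backup(token: Token) -> Backup:
    """Stand-in for the password-protected token backup file."""
    return tuple(token.keys), token.write_key


def restore(token: Token, backup_file: Backup) -> None:
    """Merge a backup into the receiving token using the guide's rules."""
    file_keys, file_write_key = backup_file
    merged = token.keys + [k for k in file_keys if k not in token.keys]
    if len(merged) > TOKEN_CAPACITY:
        raise RestoreRefused(
            f"{len(merged)} unique keys exceed {TOKEN_CAPACITY}; "
            f"{token.name} left unchanged")
    if not token.keys:
        # Receiving token has no keys: it takes the write key from the backup.
        token.write_key = file_write_key
    token.keys = merged


def sync_both_ways(first: Token, second: Token) -> None:
    """Backup and restore twice, starting each time with a different token."""
    restore(second, backup(first))
    restore(first, backup(second))


if __name__ == "__main__":
    # Constructed key identifiers; real tokens do not expose keys like this.
    site_a, site_b = Token("site-A"), Token("site-B")
    for n in range(1, 4):
        site_a.generate_key(f"A-{n}")
    restore(site_b, backup(site_a))   # empty token inherits write key A-3
    site_a.generate_key("A-4")
    site_b.generate_key("B-1")
    sync_both_ways(site_a, site_b)    # both can decrypt, write keys differ
    print(site_a.write_key, site_b.write_key, sorted(site_a.keys))
```

After a two-way sync each token can read every tape but still writes with its own key, which is why the tape-to-token record matters for append operations.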
To restore a token backup file to a token:
1. If you are restoring the token backup file to a different token than the one installed in the Autoloader or Library, pause all write operations to LTO-4 tape drives with encryption enabled.
2. Log into the RMI as the administrator user. You will need the administrator password.
3. Install the token that will receive the data from the token backup file into the USB port of the Autoloader or Library if necessary.
4. Access the RMI Configuration: Security page. Enter the PIN if requested. If this is a new token, follow the instructions on the RMI to create a PIN.
5. If this is a new token, enter the name in the Token Name field and click Submit in that pane.
6. Enter the password used to create the token backup file. Click Submit Token Restore File Password.
Figure 20 Restore Token from File pane of the RMI Configuration: Security page
7. Browse to the location of the token backup file. Click Restore. (The Browse button will be active after the token restore file password is submitted.)
NOTE:
The key server token holds up to 100 keys. If more than 100 unique keys are found on the receiving token and in the backup file, the restore process will not be initiated. You will receive warnings when a key server token is over 90% full. You should purchase new tokens and transition to using a new token when these warnings appear. Keys can never be deleted from a key server token.
8. Return the original token to the USB port of the Autoloader or Library if necessary.
Page 35
9. If you paused write operations at the beginning of the procedure, you can resume them.

Restoring encrypted data

When you restore encrypted data from a tape cartridge, the Autoloader or Library will verify that the encryption key for the tape exists on the key server token installed in the USB port of the Autoloader or Library. If the token is not installed in the USB port of the Autoloader or Library, or the key is not found on the token, the OCP and RMI will display an error message.
The key server token containing the key for the tape to be restored must be installed in the Autoloader or Library USB port before the tape is read. You will need to enter the PIN for the token when the token is inserted into the Autoloader or Library.
A Library with multiple LTO-4 tape drives will continue writing other tapes with the newest encryption key on the token installed in the Library while restoring the encrypted data.
IMPORTANT:
Pause all write operations when restoring data using a different token than the one used for writing new or formatted tapes. Not doing so can result in data written with an encryption key different than the one on the original token.
NOTE:
If the token is removed while a tape drive is reading or writing a tape, the tape drive will continue reading or writing encrypted data until the tape is removed or the tape drive is reset.

When to obtain a new key server token

The Autoloader or Library will issue warnings when the key server token is 90% full. When the token reaches 90% capacity, purchase additional key server tokens.
When the token is 100% full, keep it in a secure location to use when restoring data from tapes encrypted with keys on the token.

Restoring encrypted data during disaster recovery

When restoring encrypted data after a disaster, you will need:
• The tape cartridges containing the encrypted data.
• Depending on your token data backup process, you will need one of the following:
  • A token data backup file, with the password for the file, and a token with room for the keys on the data backup file. If the token has been initialized, you will need its PIN.
  • A token containing the encryption keys used to write the tapes and the PIN for the token. If new keys were restored to the second token as the keys were made, the second token will contain all of the keys and can be used to restore the data.
• An HP StorageWorks 1/8 G2 Tape Autoloader or MSL2024, MSL4048, or MSL8096 Tape Library supported by your backup application with at least one LTO-4 tape drive.
• The administrator password for the Autoloader or Library.
The key server tokens work with any HP StorageWorks 1/8 G2 Tape Autoloader or MSL2024, MSL4048, or MSL8096 Tape Library with at least one LTO-4 tape drive. If you have an Autoloader or Library with an older generation tape drive, you can upgrade to an LTO-4 tape drive for the recovery operation. You may need to update the firmware in the Autoloader or Library and tape drive to support the Encryption Kit. You will need the administrator password for the Autoloader or Library.
Page 36
For examples of token data backup and restore processes, see “Backing up the key server token data” on page 19.

Using the Encryption Kit with logical libraries

When a Library with multiple LTO-4 tape drives is partitioned into multiple logical libraries, encryption can be enabled or disabled for each logical library containing an LTO-4 tape drive, but all other encryption settings apply to the entire Tape Library.
Only one write key is used for all new or formatted tapes in all of the LTO-4 tape drives in the Tape Library.

Restoring the encryption configuration after a chassis or library controller replacement

The encryption configuration is saved when you save the Autoloader or Library configuration database to a file or USB flash drive. The saved configuration database will make it easier to recover the Autoloader or Library configuration, including the encryption configuration, if you need to replace the chassis or library controller.
Use the RMI Configuration: Save/Restore page to save the configuration database to a file or restore it from a file.
Figure 21 RMI Configuration: Save/Restore tab
Use the OCP Support > Save Config menu item to save the configuration database to a USB flash drive. Use the OCP Support > Restore Config menu item to restore the configuration database from a USB flash drive.
NOTE:
You cannot restore a saved configuration or the factory defaults while encryption is enabled. This restriction ensures that encryption cannot be disabled without a token and its PIN. Disable encryption before restoring a saved configuration or the factory defaults.
Page 37

5 Troubleshooting

Installation problems

The Library does not have a USB port

Some MSL2024 and MSL4048 Tape Libraries have silver tape covering the USB port. Remove the tape to locate the USB port in the location shown in Figure 22.
Figure 22 USB port location

Operation problems

Encryption token LED

The LED on the encryption token should be lit when the token is plugged into the back of the Autoloader or Library when the Autoloader or Library is powered on.
If the LED is not lit, the token is not receiving power through the USB port. To determine whether the problem is with the token or the Autoloader or Library:
1. Remove and then insert the token in the Autoloader or Library USB port.
   • If the LED flashes for five to ten seconds and then does not light, the token may be defective. Contact your HP Service representative.
   • If the LED does not flash or light, continue to step 2.
2. Insert a good USB flash drive in the Autoloader or Library USB port.
   • If the good flash drive receives power, the problem could be with the token.
   • If the good flash drive does not receive power, the problem could be with the Autoloader or Library.
3. Insert the key server token into the USB port of a computer. The token LED will flash when the token receives power but the computer will not be able to read the contents of the token.
   • If the token LED lights or flashes, the problem could be with the Autoloader or Library.
   • If the token LED remains unlit, the problem could be with the token.
Page 38
If the LED flashes continuously, the device into which the key server token is plugged cannot communicate with the key server token. If the key server token is plugged into the Autoloader or Library, verify that the Autoloader or Library firmware supports the Encryption Kit. See Requirements for using the Encryption Kit.

Troubleshooting table

Table 4 Troubleshooting table

Problem: Both backup to and restore from an LTO-4 tape drive are not working.
Cause: The tape drive ports are disabled because encryption is enabled and the tape drive firmware does not support the Encryption Kit.
Solution: Use the RMI or USB flash drive to update the drive firmware to the latest version. Enable encryption after the firmware is updated. See “Tape drive and drive firmware requirements” on page 13 for minimum drive firmware revisions that support the Encryption Kit.

Problem: Cannot write encrypted data to a tape.
Cause: The token does not have a key.
Solution: Create an encryption key from the RMI Configuration: Security page.
Cause: The token has not been initialized.
Solution: Set the PIN and generate a key from the RMI Configuration: Security page.
Cause: The PIN has not been entered.
Solution: Enter the PIN from the RMI Configuration: Security page.
Cause: An LTO-3 tape cartridge is being used. When encryption is enabled, an LTO-4 tape drive will neither read from nor write to an LTO-3 tape cartridge.
Solution: Use an LTO-4 tape cartridge to write data with an LTO-4 tape drive. Disable encryption to read data from an LTO-3 tape cartridge.
Cause: The tape and/or the tape drive are not LTO-4.
Solution: Both the tape and tape drive must be LTO-4 to write encrypted data. When encryption is enabled, an LTO-4 tape drive will not write an LTO-3 tape.

Problem: Cannot append encrypted data to an LTO-4 tape.
Cause: Direct append operations are not supported by the application.
Solution: The application or script writing the data must read the tape header before appending data.
Cause: The token currently installed in the Autoloader or Library does not have the key used to write the tape.
Solution: Install the token with the correct write key for the tape in the Autoloader or Library. Suspend other write operations while the other token is installed to avoid writing new or formatted tapes with the wrong write key.
Cause: The tape has unencrypted data on it.
Solution: Replace the tape or disable encryption while the tape is being written. The Autoloader or Library will not write both encrypted and unencrypted data on the same tape.

Problem: Cannot restore encrypted data from an LTO-4 tape.
Cause: The token currently installed in the Autoloader or Library does not have the key used to write the tape.
Solution: Install the token with the write key for the tape in the Autoloader or Library. Suspend other write operations while the other token is installed to avoid writing new or formatted tapes with the wrong write key.
Page 39
Problem: Token does not recognize the PIN.
  Cause: You entered the incorrect PIN.
  Solution: Find the correct PIN and enter it.
  Cause: A different token has been installed in the Autoloader or Library.
  Solution: Check the RMI Status: Security page to verify that the correct token is installed in the Autoloader or Library. Either replace the token with the correct token or enter the PIN for the currently-installed token.

Problem: Token requests a new PIN.
  Cause: A new token has been installed in the Autoloader.
  Solution: Either replace the token with the correct token or initialize the new token from the RMI Configuration: Security page.

Problem: Lost password to the token backup file.
  Cause: The person who knew the password has forgotten it or is unavailable.
  Solution: Back up the token to a different file or restore the keys from a different recent backup file with a known password.

Problem: The Autoloader or Library will not restore the token backup file to a token.
  Cause: The number of unique keys in the token backup file and the token is greater than 100.
  Solution: Check the RMI Status: Security page to verify that the correct token is installed in the Autoloader or Library. Either replace the token with the correct token or restore the token backup file to a new token. Keys can never be deleted from a token.
  Cause: The receiving token has not been initialized.
  Solution: Use the RMI to set the PIN.

Problem: The token PIN has been lost.
  Cause: The person who knew the PIN has forgotten it or is unavailable.
  Solution: Restore the latest token backup file to a new token and be sure not to lose the PIN for the new token.

Problem: One or more logical libraries is not shown in the RMI Configuration: Security page.
  Cause: The logical library does not have an LTO-4 tape drive or the tape drive firmware does not support the Encryption Kit.
  Solution: Configure the logical libraries and tape drives so the logical libraries that need encryption have at least one LTO-4 tape drive. Verify that the LTO-4 tape drives have a firmware revision that supports the Encryption Kit. See “Tape drive and drive firmware requirements” on page 13 for minimum drive firmware revisions that support the Encryption Kit.

Problem: The Autoloader or Library is unable to apply encryption settings.
  Cause: The backup application disabled encryption on the tape drive.
  Solution: Disable the backup application, power cycle the Autoloader or Library, and then try enabling encryption again in the RMI.
Page 40

Error codes

Table 5 Error codes

Error code: E1
  Message: Key server token backup not successful — not enough space is available on the token.
  Cause: A key server token restore process was attempted but the receiving token did not have enough room for the keys in the token backup file.
  Solution: Restore the token backup file to a token with enough space for the keys on the token and the keys in the token backup file.

Error code: E3
  Message: Error during key server token backup; the backup process was not successful.
  Solution: Retry the restore process with a different token. Make a new token backup file and retry the restore process with the new backup file. Contact HP Service.

Error code: E4
  Message: Drive firmware does not support encryption.
  Cause: An attempt was made to enable encryption with a version of tape drive firmware that does not support native encryption.
  Solution: Verify that you have the correct version tape drive firmware installed. See “Tape drive and drive firmware requirements” on page 13 for minimum drive firmware revisions that support the Encryption Kit.

Error code: E5
  Message: Drive generation does not support encryption.
  Cause: An attempt was made to enable encryption with a tape drive that does not support native encryption.
  Solution: Only enable encryption on LTO-4 tape drives.
Page 41
Warning events and messages

Table 6 Warning events and messages

Code: 51
  Message: Incompatible medium
  Cause: The LTO-4 tape drive is trying to read or write an LTO-3 or earlier generation tape while encryption is enabled.
  Solution: Only use LTO-4 tape cartridges to read or write data in an LTO-4 tape drive when encryption is enabled. An LTO-4 tape drive will not read or write LTO-3 tape cartridges when encryption is enabled.

Code: 56
  Message: No decryption key available on token
  Cause: The key needed to restore a decrypted tape is not available on the token currently installed in the Autoloader.
  Solution: Install the token with the key used to encrypt the key into the Autoloader or Library and retry the restore operation.

Code: 57
  Message: Key server token PIN required
  Cause: The Autoloader or Library needs the PIN to access the data on the token.
  Solution: Enter the PIN from the RMI Configuration: Security page.

Code: 5A
  Message: Unable to downgrade firmware while encryption enabled.
  Cause: An attempt was made to load tape drive firmware that does not support the Encryption Kit on an LTO-4 tape drive while encryption is enabled.
  Solution: Either upgrade the tape drive firmware to a version that supports the Encryption Kit or disable encryption. Do not enable encryption until tape drive has firmware that supports the Encryption Kit. See “Tape drive and drive firmware requirements” on page 13.
Page 42
Page 43

Index

A
audience, 7
automatic key generation, 19
B
backing up the token data, 33
backup process
  token data, 19
C
conventions
  document, 8
current key, 14
customer self repair, 9
D
disaster recovery, 35
document
  conventions, 8
  prerequisites, 7
  related documentation, 7
documentation
  HP website, 7
  providing feedback, 9
E
encryption
  enabling or disabling, 32
F
firmware requirements
  Autoloader or Library, 13
  tape drive, 13
G
generating a new encryption key, 32
H
help
  obtaining, 8
HP
  technical support, 8
I
installation
  backing up the token data, 27
  configuring encryption, 25
  identifying product components, 23
  preparing key server tokens, 24
  preparing the Autoloader or Library, 23
L
LED, 14
  troubleshooting, 37
logical libraries, 36
P
PIN, 22
  changing, 32
  entering, 31
power loss, 22
prerequisites, 7
R
related documentation, 7
restoring encrypted data, 35
restoring the encryption configuration, 36
restoring the token data, 34
S
Subscriber's Choice, HP, 9
T
technical support
  HP, 8
  service locator website, 9
token data backup process, 19
token naming, 22
troubleshooting
  error codes, 40
  LED, 37
  no USB port, 37
  troubleshooting table, 38
  warning events and messages, 41
U
USB port, 13
Page 44
W
websites
  customer self repair, 9
  HP, 9
  HP Subscriber's Choice for Business, 9
  product manuals, 7