Spectra Logic Spectra BlueScale Vision, BlueScale Encryption User Manual
BlueScale
PN 90940012 Revision E
User Guide
™
Encryption
Notices
Unless specifically negotiated and except as expressly stated herein, Spectra Logic Corporation makes available its products and
associated documentation on an “AS IS” BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, BOTH OF
WHICH ARE EXPRESSLY DISCLAIMED. In no event shall Spectra Logic be liable for any loss of profits, loss of business, loss of use
or data, interruption of business, or for indirect, special, incidental or consequential damages of any kind, even if Spectra Logic
has been advised of the possibility of such damages arising from any defect or error.
Information furnished in this manual is believed to be accurate and reliable. However, no responsibility is assumed by Spectra
Logic for its use. Due to continuing research and development, Spectra Logic may revise this publication from time to time without notice, and reserves the right to change any product specification at any time without notice.
If you do not agree to the above, do not use the Spectra library; instead, promptly contact Spectra Logic for instructions on how to
return the library for a refund.
Copyright © 2007 Spectra Logic Corporation. All rights reserved worldwide.
License
You have acquired a Spectra library that includes software owned or licensed by Spectra Logic from one or more software
licensors (“Software Suppliers”). Such software products, as well as associated media, printed materials and “online” or
electronic documentation (“SOFTWARE”) are protected by copyright laws and international copyright treaties, as well as other
intellectual property laws and treaties.
If you do not agree to this end user license agreement (EULA) or to the terms and conditions under Notices above, do not use
the Spectra library; instead, promptly contact Spectra Logic for instructions on return of the Spectra library for a refund. Any
use of the Software, including but not limited to use on the Spectra library, will constitute your agreement to this EULA (or
ratification of any previous consent).
Grant of License. The Software is licensed on a non-exclusive basis, not sold. This EULA grants you the following rights to the
Software:
• You may use the Software only on the Spectra library.
• Not Fault Tolerant. The Software is not fault tolerant. Spectra Logic has independently determined how to use the Software in
the Spectra library, and suppliers have relied upon Spectra Logic to conduct sufficient testing to determine that the Software
is suitable for such use.
• No Warranties for the SOFTWARE. The Software is provided “AS IS” and with all faults. The entire risk as to satisfactory quality, performance, accuracy, and effort (including lack of negligence) is with you. Also, there is no warranty against interference
with your enjoyment of the Software or against infringement. If you have received any warranties regarding the SOFTWARE,
those warranties do not originate from, and are not binding on Software suppliers.
• Note on Java Support. The Software may contain support for programs written in Java. Java technology is not fault tolerant and
is not designed, manufactured, or intended for use of resale as online control equipment in hazardous environments requiring
fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communications systems, air traffic
control, direct life support machines, or weapons systems, in which the failure of Java technology could lead directly to death,
personal injury, or severe physical or environmental damage.
• No Liability for Certain Damages. Except as prohibited by law, Software suppliers shall have no liability for any indirect, special, consequential or incidental damages arising from or in connection with the use or performance of the Software. This limitation shall apply even if any remedy fails of its essential purpose. In no event shall Software suppliers, individually, be liable
for any amount in excess of U.S. two hundred fifty dollars (U.S. $250.00).
• Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding
this limitation.
• Software Transfer Allowed with Restrictions. You may permanently transfer rights under this EULA only as part of a perma-
nent sale or transfer of the Spectra library, and only if the recipient agrees to this EULA. If the Software is an upgrade, any
transfer must also include all prior versions of the Software.
• Export Restrictions. Export of the Software from the United States is regulated by the Export Administration Regulations (EAR,
15 CFR 730-744) of the U.S. Commerce Department, Bureau of Export Administration. You agree to comply with the EAR in the
export or re-export of the Software: (i) to any country to which the U.S. has embargoed or restricted the export of goods or
services, or to any national or any such country, wherever located, who intends to transit or transport the Software back to
such country; (ii) to any person or entity who you know or have reason to know will utilize the Software or portion thereof in
the design, development or production of nuclear, chemical, or biological weapons; or (iii) to any person or entity who has
been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government. You warrant and
represent that neither the BXA nor any other U.S. federal agency has suspended, revoked or denied your export privileges. For
additional information see http://www.microsoft.com/exporting/.
Contents
Chapter 1. Introduction
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Shipped Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
BlueScale Encryption Overview
Chapter 2. Encryption Architecture & Strategies
BlueScale Encryption Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Site-Specific Decisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Site Security Example: Low Security Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Site Security Example: Medium Security Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Site Security Example: High Security Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Before You Begin Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Summary: Mandatory Security Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Spectra T950 and T120 BlueScale Encryption
Chapter 3. Installing and Activating Encryption in Spectra T950 and T120 Libraries
Installing Encryption: Upgrading Your Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Activating Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3
.
Chapter 4. Using Standard Edition in Spectra T950 and T120 Libraries
Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Configuring Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Creating an Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Assigning a Key to a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Protecting Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Deleting a Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 5. Using Professional Edition in Spectra T950 and T120 Libraries
Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Professional Edition Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuring Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Creating an Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Assigning a Key to a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Protecting Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Deleting a Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Chapter 6. Recycling Encrypted LTO-4 Media in Spectra T950 and T120 Libraries
Recycling Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4
.
Spectra T50
BlueScale Encryption
Chapter 7. Installing and Activating Encryption in Spectra T50 Libraries
Installing Encryption: Upgrading Your Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Activating Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Encryption Icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
BlueScale Encryption Editions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Data to Encrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Media Recycling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Chapter 8. Using Standard Edition in Spectra T50 Libraries
Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Recycling Encrypted Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Chapter 9. Using Professional Edition in Spectra T50 Libraries
Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Professional Edition Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Configuring Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Creating an Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Assigning a Key to a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Chapter 10. Recycling Encrypted Media in Spectra T50 Libraries
Recycling Encrypted Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5
.
EDU
and
BlueScale Encryption Support
Chapter 11. Endura Decryption Utility
Endura Decryption Utility Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Decrypting Data: EDU Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Using EDU to Decrypt Data: One Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Using EDU to Decrypt Data: Two Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Chapter 12. Technical Support & Spectra Logic Contact Information
BlueScale Encryption Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Contacting Spectra Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Index 132
6
1 Introduction
About This Guide
This guide contains information about BlueScale Encryption for Spectra T950, T120, and T50
libraries. This reviews information on the configuration and use of encryption. Note that the
encryption procedures for the Spectra T950 and T120 libraries cover both library-based and
drive-based encryption; the Spectra T50 library supports drive-based encryption only.
The guide has been divided into the following sections:
BlueScale Encryption Overview on page 10 reviews both encryption best practices and
information on using BlueScale Encryption and key management on your site, and
includes a short glossary.
Spectra T950 and T120 BlueScale Encryption on page 26 reviews using Spectra T950/T120
BlueScale Encryption and key management.
Spectra T50 BlueScale Encryption on page 71 reviews using Spectra T50 BlueScale
Encryption and key management.
EDU and BlueScale Encryption Support on page 123 reviews an optional utility that lets
you recover data without a library; this section also provides support information.
Intended Audience
This guide assumes that you are familiar with data backup and data protection strategies.
7
1. Introduction
Related Publications
This guide outlines the configuration and use of BlueScale Encryption software in your
Spectra library.
For detailed information on the configuration and use of the library itself, see the Spectra
Logic publications specific to your library.
• The library’s user guide describes the configuration and use of the library, including
specifications and troubleshooting information.
•The library’s release notes provide the most up-to-date information about the library,
drives, and media.
The most up-to-date versions of all library documentation are available on Spectra Logic’s
Web site at www.SpectraLogic.com.
Conventions Used in this Guide
Important information is called out as follows:
Note: Provides additional points or suggestions.
Caution: Provides information about how to avoid damage to equipment.
Warning: Describes ways to avoid personal injury.
A caret (>) describes a series of menu selections. For example:
Select Configuration > Network
means
Select Configuration, then select Network.
8
1. Introduction
Shipped Items
The following items are included with the purchase of BlueScale Encryption:
• One encryption activation key
• One software support agreement
•This user guide
•One t-shirt
If you ordered the Endura
®
Decryption Utility (EDU), you also receive one EDU CD.
9
BlueScale Encryption
Overview
2 Encryption Architecture & Strategies
BlueScale Encryption Overview
BlueScale Encryption is tightly integrated into your Spectra library. Encryption can be handled
through the library’s encryption-enabled Quad Interface Processors (QIPs), if any are in use,
and through LTO-4 drives working with LTO-4 media. BlueScale encryption key management is
provided through the library’s graphical interface.
If a single library has encryption-ready QIPs and LTO-4 drives installed, both can be used for
encryption. Set up an encryption-enabled partition for each.
The system is based on two major components:
• The encryption chip on the QIP or LTO-4 drive. By implementing encryption in both types
of hardware, the encryption is extremely fast and places no burden on your network.
• Key management software through the library’s graphical interface. The interface displays
using the library’s touch-screen front panel Library Controller (LC). It also displays from
anywhere through the Web, using a Web browser to display the Remote Library Controller
(RLC). Optionally, you can secure the Web browser using SSL, which is part of the
Telescope suite of management tools.
Together, these components let you easily implement the strongest encryption available, as
recognized by the federal government: AES encryption using a 256-bit key. BlueScale
Encryption incorporates multiple layers of security, some of which are discussed in this
chapter. Others are technically implemented and invisible to the user.
Site-Specific Decisions
To determine a BlueScale Encryption strategy appropriate for your site and your data, decide
on the security level appropriate for your site, and the amount and kinds of data to encrypt.
Then you can make some choices about how best to implement BlueScale Encryption.
11
2. Encryption Architecture & Strategies
BlueScale Encryption: Standard Edition vs. Professional Edition
All data encrypted using BlueScale Encryption and Key Management—Standard and
Professional Editions, and LTO-4 drive-based encryption—is secured by the strongest
available encryption method, AES-256. Through BlueScale Encryption and Key Management,
you have additional choices in defining the level of security you can implement in your data
center. Whether to implement BlueScale Standard Edition or Professional Edition is your first
choice.
Feature Standard Edition Professional Edition
Keys - Single encryption key on a library
at a time
- Easier to manage and track
Encryption Login
Passwords
Key Export and
Import
Compression
Compatibility
between
Versions
Summary - Less secure, but less to manage - Fewer tapes through compression
- Single encryption password
- Easier to manage and track
- Import and export functions
require a single password
- Easier to manage
a
- Not available for QIP-based
encryption
- Data encrypted using either version can be decrypted by a library running the other
version.
- Data encrypted and compressed by a library using LTO-4 drives, Professional Edition, or
both, can be decrypted and decompressed by a library running Standard Edition.
- Multiple simultaneous encryption keys
(maximum is 30 keys)
- More secure, with a key for each of multiple data
sets
- Choice of either one encryption password or three
- More secure, with the option of requiring multiple
users to export and import keys, etc.
- Choice of single password or M-of-N shares with
multiple passwords to export/import keys
- More secure
- Available for QIP-based encryption
- More secure, but more to manage
a. If you are using drive-based encryption, compression is handled through the drive. Further references to compression in this
manual apply to library-based, not drive-based, encryption.
12
2. Encryption Architecture & Strategies
BlueScale Standard Edition
For sites with a primary goal of securing data while it is transported to a remote site and
stored there, or only for data that will be stored for a long period of time, BlueScale Standard
Edition works well.
For information about configuring and using BlueScale Encryption Standard Edition, see
Chapter 4. Using Standard Edition in Spectra T950 and T120 Libraries on page 30.
BlueScale Professional Edition
For sites that want to implement compression along with greater flexibility and security, to
protect data wherever it’s stored and regardless of the retention period, BlueScale Encryption
Professional Edition works well.
For information about configuring and using BlueScale Professional Edition, see Chapter 5.
Using Professional Edition in Spectra T950 and T120 Libraries on page 45.
Security on Initialization
Both editions of BlueScale Encryption give you security options at library startup. Choose
whether to start the library:
• In standard mode, so that at library startup, data is encrypted with no further action
required.
• In secure initialization mode, so that at startup, drives are not automatically enabled;
encryption is only available and backups only run after a superuser has logged in and the
encryption password is entered.
13
2. Encryption Architecture & Strategies
Multiple Encryption Password Support
The Standard Edition of BlueScale Encryption supports one encryption password.
The Professional Edition of BlueScale Encryption lets you choose whether to support one
encryption password, or three encryption passwords that enforce another level of security. If
you choose to implement the triple-password option, then:
• Three different passwords must be entered when configuring encryption.
• Any one of the three passwords must be entered to enable encryption when the library is
in Secure Initialization mode.
• Any one of the three passwords must be entered to access
encryption key management
and configuration options, excluding key import and export.
• Two of the three passwords must be entered to import and export keys.
Data to Encrypt
Decide whether to encrypt all data or a subset; then determine if the encrypted data can be
grouped together or if it must be isolated into sets. For example, your site may store financial
data as one set, separate from consumer identity information.
If all data can be encrypted together, the library requires only a single, encryption-enabled
partition. Otherwise, create multiple encryption-enabled partitions, one for each set of data,
and one or more partitions for data that is not to be encrypted.
Users with Professional Edition typically set up multiple partitions, each with its own key. For
example, if you are encrypting all your data, you only need one partition. If you are encrypting
only some of your data, create a partition dedicated to encryption along with a non-encryption
partition. If you want to keep your encrypted data sets isolated, create an encryption-enabled
partition for each encrypted data set, along with non-encryption partitions as needed.
Note: Implementing encryption after the library has been configured to
handle encryption simply requires creating backup jobs with your
backup software, which sends data to the proper partitions. Data is
automatically encrypted as it is backed up.
14
2. Encryption Architecture & Strategies
Encryption Methods
Choose how to encrypt data. You can use encryption-enabled QIPs, LTO-4 drives, or both to
encrypt data. With QIPs, the library handles encryption, and can encrypt data written to any
tape type (such as LTO-3 and SAIT). With LTO-4 drives, the drive handles encryption, and
encrypts data written to LTO-4 tapes.
Note: If a partition uses LTO-4 drive-based encryption, the library can load
LTO-3 media into that partition. However, attempts to write to LTO-3
media fail. Note that LTO-4 drives can successfully read data on LTO-3
tapes.
Further, if an encryption-enabled QIP and a Fibre Channel LTO-4 drive share a partition, you
can only encrypt data using the LTO-4 drive.
To decrypt data encrypted using a QIP, use a partition with QIP-based encryption. To decrypt
data encrypted using an LTO-4 drive, use a partition with drive-based encryption.
Only one encryption key is allowed per LTO-4 tape. Once you stop using that key, you can no
longer directly encrypt data to any LTO-4 tape that stores data encrypted using the old key. To
write encrypted data using a different key, you must first recycle the tape. Recycling media is
easily managed through BlueScale Encryption Key Management.
LTO-4 Media Recycling
LTO-4 tapes can store only data encrypted using a single key. If you have an LTO-4 tape storing
data encrypted using a different key, or encrypted using a QIP, you have to recycle the tape
before you can re-use it in an encryption-enabled LTO-4 drive.For more information about
recycling media using a T950 or T120 library, refer to Chapter 6. Recycling Encrypted LTO-4
Media in Spectra T950 and T120 Libraries on page 68. For more information about recycling
media using a T50, refer to Chapter 10. Recycling Encrypted Media in Spectra T50 Libraries on
page 119.
15
2. Encryption Architecture & Strategies
Best Practices
To effectively use BlueScale Encryption and to ensure data security, plan an encryption
strategy and back it up with processes and best practices. Once you’ve implemented
BlueScale Encryption, which always uses the strongest keys (AES-256), build custom
strategies based on your security requirements. As stated in the NIST publication
1
Recommendation for Key Management
“Ultimately, the security of information protected by cryptography directly depends on [...]
the effectiveness of [...] protocols associated with keys, and the protection afforded the
keys.”
Sound key management policies and procedures and appropriate staff are essential to
successful encryption.
:
People
Identify the people on your site who are responsible for backing up data. They will be
responsible for encrypting data written to tape and to other portable media, such as mobile
®
RXT
Media packs. Identify:
• The person to have superuser privileges on the Spectra Logic library with BlueScale
Encryption.
• The person to have the library’s encryption password.
Next, identify how many users are to have responsibilities that involve encryption. It may be
wise to have more than a single user familiar with passwords, depending on the size of your
organization, so that if one person is not available, another can take over. Make sure only the
authorized users know the encryption passwords, and that the passwords themselves are
secure. Refer to Passwords and Other Identifiers on page 19 for more information on setting
up passwords and monikers.
1. Barker, Elaine, W. Barker, W. Burr, W. Polk, and M. Smid. Recommendation for Key Management Part 1:
General. NIST Publication 800-57, 2005, p. 25
16
2. Encryption Architecture & Strategies
Processes
On an organizational level, you need to identify the level of security your site requires, and the
data to be encrypted—for example, you may choose to encrypt all data, or any combination of
financial, identity-related information, and strategic data.
Consider the following when establishing your encryption procedure:
• Determine the level of security to use at startup. Both editions of BlueScale encryption
permit a standard mode and a secure initialization mode, described in Security on
Initialization on page 13.
• Identify any data sets that must be isolated from other encrypted data sets, described in
Data to Encrypt on page 14.
• Identify when to make copies of encryption keys. AES-256 encryption, a symmetric
encryption method, is a private key method. Users must track each key, which BlueScale
Encryption identifies only by a nickname, or moniker. The key itself is never displayed,
and is encrypted prior to export. Best practices dictate that you make copies of the key
immediately following the key’s creation.
• Identify the number of copies to make of each key, and note the location of each key copy.
Consider storing multiple copies of keys, that you then track carefully, storing the copies
away from the data encrypted using those keys. It is important to make sure that at least
one copy of each key is secure and readable (that is, uncorrupted), to make sure you can
restore your data. This is important in that keys, once deleted, are not recoverable—and
once the key is gone, the data is inaccessible; this is typically considered deleted for legal
and practical purposes.
• Identify the key rotation plan—how often to create and use new keys. BlueScale
Encryption Standard Edition stores one key on the library at a time. Professional Edition
permits multiple keys per library, with a one key per encryption-enabled partition. In
Standard Edition, you must delete the key currently on the library before you can create
another key.
• Before you delete a key, make sure that at least one copy has been exported and stored
securely.
17
2. Encryption Architecture & Strategies
• Identify methods of tracking user passwords, key passwords and monikers. If the data is
stored on a computer, make sure it is stored on a computer that enforces encryption and is
not available on a network.
• Optionally, identify a primary and secondary team, so that you have redundancy in your
encryption strategy. Although that means the information required to decrypt data is
spread across more people, it also means that restoration of encrypted data may be much
easier, and you may ultimately have more data protection given the extra layer of
coverage; for example, if a user leaves, you aren’t in a position to lose data. This returns to
your initial decisions on how tightly and in what manner to enforce security for your site.
• Run drills confirming that your data is being encrypted properly, that keys are stored
properly, and that you can recover your data efficiently. Make sure that these drills are
included with your overall organizational security strategy.
• Create procedures to handle encrypted data that has been, or may have been,
compromised. For example, you may want to take all data and decrypt it, then re-encrypt it
and store it in an alternate location. You will also need to investigate the incident
involving compromised data, and take appropriate actions if identity-related data may
have been exposed.
• Archive the Endura Decryption Utility (EDU) for emergency use, such as to recover from a
disaster. Use this utility if you have no Spectra Logic libraries on hand but need to decrypt
and write data, which you can then restore using backup software.
• If you are using Professional Edition and multiple keys, make sure that data stored to one
tape shares a common expiration date or period (e.g., fourth quarter), regardless of the
number of keys used to encrypt data written to the tape. This simplifies tape management
and re-use.
• If you are using Professional Edition, make sure that critically important data is stored
using a single key on its own tape, to simplify restoration in case of disaster recovery and
to achieve business continuity goals.
• If you are using Professional Edition, you may want to take advantage of the M-of-N
shares option. This lets you select the M-of-N (such as 2 of 3) option to split a single file of
encrypted key data into multiple parts, or shares (N, which in this example is 3), and then
requires some specified subset (M, which in this example is 2) to import the file containing
key data. This further protects data from unauthorized use.
18
2. Encryption Architecture & Strategies
Passwords and Other Identifiers
BlueScale Encryption requires that you supply passwords and monikers (key names). Your
site may want to consider whether specific rules govern these.
Superuser Login/Encryption Passwords Passwords are standard user security that restrict
access. Spectra Logic BlueScale Encryption requires that a superuser is logged in, then an
encryption password is supplied. A Professional Edition feature lets you optionally require
two of three different encryption passwords to be entered. The passwords involved with all
editions of BlueScale Encryption are:
• Superuser Password: Lets you access all administrative privileges except encryption
privileges. To access encryption features, the superuser must be logged in prior to
entering the encryption password.
• Encryption Password: Lets you access encryption features. This password must be
entered after the superuser login; then you can select Security --> Encryption to display
the encryption password screen.
• Import/Export Key Password: Lets you import and export encryption keys. This feature is
only available after the superuser has logged in and the encryption password has been
entered. Optionally, in Professional Edition, you can require two different passwords prior
to importing and exporting keys.
Password(s) for Key Import and Export Passwords are also used to encrypt keys for export.
Your site may consider whether to create different rules for these passwords, such as
requiring that these passwords are longer than the encryption access password(s), and
therefore more secure.
Monikers Your site may want to create rules governing naming conventions for key
monikers, an alphanumeric identifier used to refer to the never-revealed true key value, which
is a 256-bit key.
Password and Naming Standards Examples Create password and naming standards, in part
again depending on your site’s security requirements. For example, your site may require a
high level of security for access to encryption partitions, in which case you need to require
some combination of the following:
• A long password
• A combination that requires alphabetic and numeric characters
• No password that corresponds to a dictionary entry
• Passwords to be reset at predefined schedules
19
2. Encryption Architecture & Strategies
Site Security Example: Low Security Site
Description of organization: Small company with 75 employees.
Security
Considerations
Security goals Protecting company from legal liability associated with unauthorized access to data
stored on tape, both onsite and offsite, including transport to the offsite location.
Encryption principals IT administrator, company president, corporate legal counsel.
Data to encrypt Financial and consumer identity data.
Level of security to
implement
Data sets requiring
isolation
Key escrow method Staff at company will escrow keys at a site remote from the data storage location.
Copies of each key to
store and their locations
Key rotation plan Create a new key every six months.
Tracking key monikers
and passwords
Multiple encryption
teams (optional)
Schedule and run drills Formalized approach deemed unnecessary. Instead, incorporate review of data
BlueScale Standard Edition: single key per library is sufficient.
Standard initialization mode: encryption partitions are enabled at all times.
None. A single partition for encrypted data is sufficient.
Keep three copies of each key: one with the senior IT administrator, one with the
company president, one in a corporate safety deposit box.
On a non-networked computer that supports encryption, create one or more charts
or lists with this data, including key moniker, dates used, encryption and superuser
passwords, and password used to encrypt exported key. (Because BlueScale
prompts for the required encryption key moniker when restoring encrypted data,
this company chose not to track monikers and their relationship to media.)
Deemed unnecessary given the users already identified as those responsible for
encryption.
decryption into standard six-month check to make sure that backups and restores
are working properly. This now includes a test involving data decryption.
Passwords • Password to access encryption features: minimum of 12 characters,
including at least one number and one letter
• Password to export and import encryption keys: minimum of 30 characters,
including at least one number and one letter
20
2. Encryption Architecture & Strategies
Site Security Example: Medium Security Site
Description of organization: Medium-sized organization with 250 employees.
Security Considerations
Security goals Protecting company from legal liability associated with unauthorized access to
data stored on tape onsite and offsite, including transport to the offsite location.
Encryption principals IT senior staff, chief operating officer.
Data to encrypt Intellectual property, financial, customer, and inventory data.
Level of security to
implement
Data sets requiring
isolation from other
encrypted data
Key escrow method Store key copies with corporate legal counsel and a paid, trusted, third-party
Number of copies of each
key to store, and locations
Key rotation plan Create a new key every quarter for each partition dedicated to encryption.
Tracking key monikers,
exported key passwords,
and password to permit
access to encryption
features
Multiple encryption teams Three IT administrators, along with the senior IT admin and the COO.
• BlueScale Professional Edition, with multiple keys
• Standard initialization mode: encryption partitions enabled at start-up
• Multi-user mode, with three encryption passwords
Separate partitions and keys for these data sets: financial data, inventory data,
customer data, and intellectual property data. With this requirement, the site
must use a minimum of four encryption-enabled partitions, along with partition(s)
for non-encrypted data.
escrow service.
Keep three copies of each key: store one with corporate legal counsel, two with
the key escrow service.
Send to key escrow service an encrypted document that includes the password
used to access encryption features, superuser password, and all passwords
necessary to import encryption keys. This file cannot be created or stored on a
networked computer. Delete file from computer after the document or file is
transmitted securely to key escrow service.
Schedule and run drills Annual evaluation and review, along with wider corporate security plan.
Passwords • Passwords to access encryption features: minimum of 12 characters,
including at least one number and one letter
• Password to export and import encryption keys: minimum of 30 characters,
including at least one number and one letter
21
2. Encryption Architecture & Strategies
Site Security Example: High Security Site
Description of organization: Enterprise organization.
Security
Considerations
Security goals Protecting all stored data.
Encryption principals IT senior staff, chief operating officer, chief security officer, chief technology officer.
Data to encrypt All.
Level of security to
implement
Data sets requiring
isolation
Key escrow method Store key copies with two remote corporate legal counsel offices and also with a
Copies of each key to
store, and the stored
key locations
Key rotation plan Create a new key every month for each partition dedicated to encryption.
Tracking key monikers
and passwords
Multiple encryption
teams (optional)
• BlueScale Professional Edition, with multiple keys
• Secure Initialization Mode: After library power is turned on, encryption user must
enter password to enable partitions dedicated to encryption
• Multi-user mode, with three encryption passwords.
Each data set is separately keyed, as defined by the department generating data.
paid, trusted third-party escrow service.
Keep three copies of each key: one to the main office of corporate legal counsel, two
to the key escrow service.
Send to the key escrow service an encrypted file with encryption access passwords
and superuser passwords. Send to corporate legal office a list of passwords used to
export keys. Files with this data cannot be created or stored on a networked
computer; delete file or files from computer once data is transmitted securely.
Senior IT admin, chief operating officer, chief security officer, chief technology
officer.
Schedule and run drills Quarterly evaluation and review, in conjunction with wider corporate security plan.
Passwords • Passwords to access encryption features: minimum of 15 characters, including at
least one number and one letter
• Password to export and import encryption keys: minimum of 40 characters,
including at least one number and one letter
22
2. Encryption Architecture & Strategies
Before You Begin Installation
Glossary
AES-256: Advanced Encryption Standard (AES) algorithm that uses a 256-bit key. AES is the
NIST-approved encryption algorithm that is used by the federal government and that is
being broadly adopted.
BlueScale: Software available on Spectra Logic libraries that supports library intelligence
along with the Spectra Logic encryption solution and key management.
Cleartext: Text that is not encrypted.
EDU: Endura Decryption Utility is a command-line data decryption utility that can be installed
on any computer running the Linux operating system, to be used if no Spectra library is
available at time of data decryption and restoration. To use EDU, attach the recommended
two tape drives to the Linux host running the utility, then use EDU to decrypt data from the
encrypted tape and write the decrypted data back to tape. If you have only one tape drive,
make sure that the Linux host has enough available disk space to store the data as it’s
decrypted from the tape. Once the data is decrypted and written to tape, it can then be
restored using backup software.
Endura Decryption Utility: See EDU.
Endura Key Management: The software that permits encryption key creation, deletion, and
management, all within the library. Use the library front panel or a Web browser to
manage the library and encryption.
Moniker: The nickname an administrator assigns to an encryption key. This moniker hides
the true value of the key, while still giving administrators a method of managing and
referring to the key.
NIST: National Institute of Standards and Technology.
Partition: A logical library; that is, a part of a physical library that appears to the external
backup environment as its own physical library.
23
2. Encryption Architecture & Strategies
Summary: Mandatory Security Procedures
The most important key management tasks are:
• Always make two or more copies of each key. The key must be protected, but it must also
be available. If you choose to store only a single copy of a key, and then something
happens to the device storing the key, you’ve lost both your key and all data encrypted
using the key.
To emphasize: if you lose the key, your data is unrecoverable. You need to balance the
number of copies of the key to store to guarantee access to the encrypted data against the
security risk associated with storing multiple keys. Make sure that the key has been
successfully stored prior to removing a key from the library.
• Store keys in a location apart from the location used to store the data encrypted using one
of the keys.
• Create a list of every password associated with each key and securely store the list. Never
keep this list as cleartext on a networked computer, or send it through email as cleartext,
etc. To decrypt and restore data, you need the data, key, and password protecting the key
and data.
• Track every copy of each key. This is critical to meet requirements that may govern data
retention and data destruction. Destroying all keys associated with encrypted data is
sufficient to satisfy data destruction requirements, since encrypted data can’t be accessed
without the key used to encrypt it.
For example, you may want to track the information about your keys. For suggestions, see the
table on page 25.
24
2. Encryption Architecture & Strategies
Spectra Logic recommends tracking the following information about every key that you create.
Key Moniker:
_______________________
Number of key copies ______
and location of each copy:
Password(s) associated with
exported copy of the moniker:
Location of data stored on
mobile media, which has been
encrypted using this moniker:
Dates of moniker creation and
proposed expiration:
Detailed Information
1.
2.
3.
. . .
25
Spectra T950 and T120
BlueScale Encryption
3 Installing and Activating Encryption in
Spectra T950 and T120 Libraries
Installing Encryption: Upgrading Your Library
If your library uses BlueScale 9.5 firmware or higher, then your library supports BlueScale
Encryption that is library-based (handled by QIPs); no firmware upgrade is required for this
encryption method. For drive-based encryption, you must install a minimum firmware level of
BlueScale 10.0, if it is not already installed.
Check with SpectraGuard
your library.
Encryption is handled either through the library or through LTO-4 drives. Configuring
encryption and managing encryption keys are handled through the LC or RLC.
1. Make sure that you have the appropriate library hardware installed:
• A QIP that supports encryption (such as the G3 or G5 F-QIP)
or
• An LTO-4 tape drive is installed and LTO-4 media loaded
or
• Both are installed and LTO-4 media loaded if you intend to use drive-based
encryption for a partition with both types of hardware installed.
If you intend to use library-based encryption, any type of supported media can be
loaded.
2. Update your library firmware level to BlueScale 9.5 or higher. See the description
above for more information.
Note that the firmware upgrade may require up to twelve minutes or more to
complete, during which time the library enters a quiescent state.
®
Support to see if upgrades to this firmware should be installed for
Warning: Do not turn off the library once you begin the firmware upgrade.
3. Have on hand the activation key code that came with your BlueScale Encryption
package to enable encryption features and key management on your library.
27
3. Installing and Activating Encryption in Spectra T950 and T120 Libraries
Activating Encryption
Once your library has an encryption-enabled QIP installed, or an LTO-4 tape drive installed and
LTO-4 media loaded, you can activate encryption with a BlueScale Encryption key.
To activate encryption for the Spectra T950 and T120 libraries:
1. Log in as superuser and then select Configuration > System. The System Setup
screen displays.
2. To enable encryption, enter the BlueScale Encryption activation key in the Key field
(circled above) and then select Save.
The screen refreshes to show Encryption in the list of activated keys. Encryption is
now activated and can be configured.
28
3. Installing and Activating Encryption in Spectra T950 and T120 Libraries
Next Steps
Once you have activated BlueScale Encryption, you can configure and use it.
Configuration
Encryption configuration entails selecting an encryption mode and creating one or more
encryption passwords (the number of passwords depends on if you have BlueScale Standard
Edition or BlueScale Professional Edition). The encryption password enables you to access the
encryption features.
Configuring encryption is described in Configuring Encryption on page 30 for BlueScale
Standard Edition and Configuring Encryption on page 47 for BlueScale Professional Edition.
Accessing and Using Encryption Features
To access BlueScale Encryption features, the following steps are required for every session
(that is, every time a user logs in using the library front panel or every instance of running the
RLC through a Web browser).
• A user with superuser privileges logs in and selects Security
The Encryption User Login screen displays.
• A user who is entrusted with the password(s) enters an encryption password in the
Password field, then selects OK.
The Encryption Configuration screen that enables access to all encryption features
displays.
Note that security is greatly enhanced when the user who knows the password is different
than the one logging into the system. If you have three passwords, consider having different
individuals responsible for each password.
Working with the encryption features is described in Using Encryption on page 30 for
BlueScale Standard Edition and Using Encryption on page 45 for BlueScale Professional
Edition.
> Encryption.
29
4 Using Standard Edition in Spectra
T950 and T120 Libraries
Using Encryption
Once BlueScale Encryption is configured on your library, configure your backup software so
that data to be encrypted while it is backed up is sent to a partition that has encryption
enabled and has been assigned an encryption key.
Restoring data is also transparent. If the encryption key required to decrypt the data is not on
the library, the library displays the moniker of the key to import. Restoring Data on page 40
contains information about data restoration.
Configuring Encryption
Accessing Encryption Features
for the First Time
1. Log in as a superuser, then select
Security
Encryption User Login screen
displays.
2. Select OK. No login or password is
required the first time you log in.
The Encryption Configuration
screen displays.
> Encryption. The
30
Loading...