Encryption-related ASC/ASCQ codes
Table 1 provides sense codes (ASCs) and sense code qualifier (ASCQ) for encryption-related messages.
Sense Key | ASC ASCQ | Description | Impact | Explanation1 | Action |
---|---|---|---|---|---|
5 | EE 00 | Encryption - Key Service Not Enabled | N/A2 | N/A | No action is required - feature is not enabled (license needed). |
5 | EE 02 | Encryption - Key Service Not Available | N/A | The tape drive is not configured with an encryption method (application- or library-managed). Note: This status is only
presented by the drive; the key manager cannot see this status.
|
Configure the tape drive to resolve this error. |
4 | EE 0E | Encryption - Key Service Timeout | N/A | Library-managed only. The tape drive sent an encryption-related request to the library proxy server over the RS/422 connection. An ACK was received from the library, but it never received the full response from the key manager. Potential causes: loss of connection with the library after the ACK (unlikely); loss of Ethernet connection to the key manager; or key manager not running. | Run the key manager Path Check diagnostic from the library. If the Ethernet connection to the key manager is bad, verify that the correct IP address is specified and troubleshoot it as if it were a network problem. If the Ethernet connection to the key manager is good but the key manager is not responding, ask the customer to attempt to start the key manager. If the key manager reports an error, use that error to troubleshoot the problem. |
4 | EE 0F | Encryption - Key Service Failure | N/A | The tape drive sent an encryption-related request to the key manager and the key manager reported an error back to the tape drive. Potential causes: key manager software problem; problem with the key store (loss of network connection to the key store, hardware problem with the key store); or an undefined key label. | Obtain the flag data from the tape drive sense data for more specific information about the error. Analyze the flag data to determine the reason for the key manager-reported problem. |
7 | EF 10 | Encryption - Key Required | Key manager | This code is not an error if the tape drive and proxy server are configured correctly. It is sense data that is used to initiate a key request. EE 10 and EF 10 have the same cause, but EE 10 is reported when the tape drive is configured for an application-managed encryption key path. EF 10 is reported when the tape drive is configured for a system managed encryption key path. | If this sense code is associated with a job failure, verify that the tape drive is set for the correct encryption method (application-, system-, or library-managed). Also, verify that the encryption proxy server is configured correctly. If this sense code is NOT associated with a job failure, ignore this condition. |
5 | EE 10 | Encryption - Key Required | N/A | This code is not an error if the tape drive and proxy server are configured
correctly. It is sense data that is used to initiate a key request. EE 10 and EF 10 have the same
cause, but EE 10 is reported when the tape drive is configured for an application-managed encryption
key path. EF 10 is reported when the tape drive is configured for a system-managed encryption key
path. Note: If the application proactively serves a key, you will not see this code.
|
If this sense code is associated with a job failure, verify that the tape drive is set for the correct encryption method (application-, system-, or library-managed). Also, verify that the encryption proxy server is configured correctly. If this sense code is not associated with a job failure, ignore this condition. |
7 | EF 11 | Encryption - Key Generation | Key manager | This code is not an error if the tape drive and proxy server are configured correctly. It is sense data that is used to initiate a key generation request. It is similar to EF 10, but is a key-generation request instead of a request for an existing key. | If this sense code is associated with a job failure, verify that the tape drive is set for the correct encryption method (application-, system-, or library-managed). Also, verify that the encryption proxy server is configured correctly. If this sense code is not associated with a job failure, ignore this condition. |
6 | EE 12 | Encryption - Key Change Detected | N/A | Information only - SCSI Unit Attention – a key changed. | No action required. Key change detected (notification only) re-drive command. |
7 | EF 13 | Encryption - Key Translate | Key manager | This code is not an error if the tape drive and proxy server are configured correctly. It is sense data that is used to initiate a key translation request to the library key path. | If this sense code is associated with a job failure, verify that the tape drive is set for the correct encryption method (application-, system-, or library-managed). Also, verify that the encryption proxy server is configured correctly. If this sense code is not associated with a job failure, ignore this condition. |
0 | EF 13 | Encryption - Key Translate | Key manager | This code is not an error if the tape drive and proxy server are configured correctly. It is sense data that is used to initiate a key translation request to the application or system key path. | No action is required. Key translation is requested (in-band). |
6 | EE 18 | Encryption - Changed (Read) | N/A | Information only - SCSI Unit Attention - encryption characteristics (for example: key, method, etc.) were changed prior to a read operation. | No action is required. Retry the command if necessary. |
6 | EE 19 | Encryption - Changed (Write) | N/A | Information only - SCSI Unit Attention - encryption characteristics (for example: key, method, etc.) were changed prior to a write operation. | No action is required. Retry the command if necessary. |
5 | EE 23 | Encryption - Key Conflict | Key manager | An attempt was made to reuse a previously used Data Key Index (Dki). Also
known as a key collision. Note: This sense code is expected to be a rare occurrence. It
is only used in a multi-key environment.
|
Retry the command if necessary. If the problem persists, obtain a drive dump and key manager (or application, if no key manager is involved) traces, then contact your next level of support. |
5 | EE 25 | Encryption - Key Format Not Supported | Key manager | The tape drive received a corrupted or unrecognized message from the key
manager. The most likely causes are a key manager code bug or incompatible code versions on the
drive and key manager. Note: This sense code is expected to be a rare occurrence.
|
Retry the command if necessary. If the problem persists, verify that the key manager and drive code versions are compatible. As an example, if the key manager code were updated to include a new function but the drive code version does not recognize the new key manager function, then the code versions are incompatible. If the problem still persists, obtain a drive dump and key manager (or application, if no key manager is involved) traces, then contact your next level of support. |
5 | EE 26 | Encryption - Unauthorized Request - dAK | Key manager | Key usage error. An invalid Drive Authentication Key (dAK) was used or a valid dAK was used incorrectly. This code might indicate an authorized attempt to access data. | This sense code might be reported after Service replaces a tape drive. If so, then it might be automatically corrected to support the new tape drive. If the problem persists, ensure that the Drive Authentication Keys are correct. |
5 | EE 27 | Encryption - Unauthorized Request - dSK | Key manager | Key usage error. An invalid Drive Session Key (dSK) was used or a valid dSK was used incorrectly. This code might indicate an unauthorized attempt to access data. | Retry the command if necessary. This sense code might be reported after Service replaces a tape drive. If so, then it might be automatically corrected to support the new tape drive. If the problem persists, ensure that the Drive Session Keys are correct. |
5 | EE 28 | Encryption - Unauthorized Request - eAK | Key manager | Key usage error. An invalid External Authentication Key (eAK) was used or a
valid eAK was used incorrectly. This code might indicate an unauthorized attempt to access data.
Note: A private key is needed for External Authentication.
|
Retry the command if necessary. If the problem persists, ensure that the External Authentication Keys are correct. |
5 | EE 29 | Encryption - Authentication Failure | Key manager | A corrupted or incorrectly signed message was detected. Potential causes: invalid signature on a message; key manager code bug; tape drive code bug; or drive hardware problem (unlikely). This code might indicate an unauthorized attempt to access data. | Retry the command if necessary. If the problem persists, ensure that the signatures are correct. If the problem still persists, use tape drive diagnostics to ensure that the tape drive encryption hardware is functional. |
5 | EE 2B | Encryption - Key Incorrect | N/A | An incompatible key was written in an unsupported format. Note: This code is
expected to be a rare occurrence.
|
Ensure that the encryption keys are correct, then retry the command. If the problem persists, obtain a drive dump and key manager (or application, if no key manager is involved) traces, then contact your next level of support. |
5 | EE 2C | Encryption - Key Wrapping Failure | Key manager | The key manager has a problem, which resulted in building the Session
Encrypted Data Key (SEDK) incorrectly. Note: The SEDK is a structure that is used to wrap a key or
keys to send them to the tape drive. It is typically reported with ASC/ASCQ EE 0F, so this sense
code is typically only found in internal logging.
|
If a higher version of key manager is available, update the key manager. If the problem persists, obtain a drive dump and key manager (or application, if no key manager is involved) traces, then contact your next level of support. |
5 | EE 2E | Encryption - Unsupported Type | Key manager | The tape drive received a corrupted or unrecognized message from the key
manager. The most likely causes are a key manager code bug or incompatible code versions on the
drive and key manager. Note: This code is expected to be a rare occurrence.
|
Retry the command if necessary. If the problem persists, verify that the
versions of the key manager and drive code are compatible. As an example, if the key manager code
were updated to include a new function but the drive code version does not recognize the new key
manager function, then the code versions are incompatible. If the problem still persists, obtain a
drive dump and key manager (or application, if no key manager is involved) traces, then contact your
next level of support. Note: The byte and bit pointers might be used to indicate the first bad field
in the message.
|
5 | EE 30 | Encryption - Prohibited Request | N/A | The requested operation was not allowed, due to the current mode or state. As an example, a key path diagnostic was not allowed because there was a cartridge in the tape drive. | Ensure that the requirements for the requested operation are met. As an example, before you run a key path diagnostic, ensure that the tape drive is empty. If the problem persists, obtain a drive dump, then contact your next level of support. |
5 | EE 31 | Encryption - Key Unknown | N/A | A key operation was not allowed because the key was not known (not a currently tracked key). The key that was used is not a match for this tape cartridge. | Retry the command by using the correct encryption key for the cartridge. |
3 | EE 60 | Encryption - Proxy Command Error | N/A | A command resulted in a key transition that cannot be handled by the
application or system proxy server. The proxy server reports this condition; this sense code
combination is typically not produced by the tape drive. Note: This code is expected in test
environments only, not in the field.
|
If the problem persists, obtain a drive dump and traces from the proxy server, then contact your next level of support. |
3 | EE D0 | Encryption - Data Read Decryption Failure | N/A | The tape drive was unable to decrypt data by using an application-provided key. The probable cause is use of the wrong encryption key. In rare cases, this code might also be caused by a failure in the tape drive's encryption hardware. | Retry the command by using the encryption key that was used when the cartridge was written. If the problem persists, use the tape drive diagnostics to determine whether there is a problem with the encryption hardware. |
3 | EE D1 | Encryption - Data Read after Write Decryption Failure | N/A | The tape drive wrote encrypted data and was unable to decrypt it after you read it back. The most likely cause is a tape drive code or hardware problem. | Obtain a drive dump. Use the tape drive diagnostics to determine whether there is a problem with the encryption hardware. If the diagnostics do not indicate a problem, contact your next level of support. |
3 | EE E0 | Encryption Key Translation Failure | Key manager | A permanent error occurred during a key translation operation. The cartridge is in an indeterminate state. | The cartridge might need to be accessed with the old key or with the new key. This tape must be copied and retired. |
5 | EE E2 | Encryption - Key Translation Disallowed | N/A | An encryption key translation was requested, but the encryption proxy server rejected the request. Possible causes: a prior translation is pending and is not yet complete, or the Externally-Encrypted Data Key (EEDK) on the cartridge is persistently unencrypted. | Verify that the tape drive is set for the correct encryption method (application-, system-, or library-managed). Also, verify that the encryption proxy server is configured correctly. |
3 | EE F1 | Encryption - Encryption Fenced (Write) | N/A | The key manager set an encryption fence condition that prevents further
writing. This fence condition is cleared when the cartridge is demounted. Note: This code occurs
with the library-managed encryption method only. Possible causes: a mismatch between the cartridge's
volume serial (VOLSER) number and the VOLSER ranges used for an encryption policy.
|
Ensure that the cartridge's VOLSER is in the correct VOLSER range (because VOLSER ranges are associated with an encryption policy). |
Notes:
|