



Drive encryption protects tapes that contain critical or sensitive data (for example, tapes that contain sensitive financial information). Drive encryption is beneficial for tapes that are moved from the Tivoli® Storage Manager server environment to an offsite location.
Tivoli Storage Manager supports encryption for the following drives:
Drives must be able to recognize the correct format. With Tivoli Storage Manager, you can use the following encryption methods:
| Drive | Application method | Library method | System method |
|---|---|---|---|
| 3592 generation 2 and later | Yes | Yes | Yes |
| IBM LTO generation 4 | Yes | Yes, but only if your system hardware (for example, 3584) supports it | Yes |
| HP LTO generation 4 | Yes | No | No |
| Oracle StorageTek T10000B | Yes | No | No |
| Oracle StorageTek T10000C | Yes | No | No |
| Oracle StorageTek T10000D | Yes | No | No |
To enable drive encryption with IBM LTO-4, you must have the IBM RMSS Ultrium device driver installed. You cannot use SCSI drives with IBM LTO-4 encryption. To enable encryption with HP LTO-4, you must have the Tivoli Storage Manager device driver installed.
Drive encryption is enabled by specifying the DRIVEENCRYPTION parameter on the DEFINE DEVCLASS and UPDATE DEVCLASS commands for the 3592, LTO, and ECARTRIDGE device types.
A library can contain a mixture of drives, some of which support encryption and some of which do not. (For example, a library might contain two LTO-2 drives, two LTO-3 drives, and two LTO-4 drives.) You can also mix media in a library by using, for example, a mixture of encrypted and non-encrypted device classes that have different tape and drive technologies. However, all LTO-4 drives must support encryption if Tivoli Storage Manager is to use drive encryption. In addition, all drives within a logical library must use the same method of encryption. When you use Tivoli Storage Manager, do not create an environment in which some drives use the Application method and some drives use the Library or System methods of encryption.
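The following added example (not IBM code) checks a planned drive layout against the support table and the one-method-per-logical-library rule described above. The library names, drive names, and inventory are constructed, and treating a non-encrypting drive (method `None`) as exempt from the method check is an assumption.

```python
# Added example: validate a planned drive layout against the rules on this page.
# Support matrix transcribed from the table above (drive type -> usable methods).
ALL_METHODS = {"Application", "Library", "System"}
SUPPORT = {
    "3592 generation 2 and later": ALL_METHODS,
    "IBM LTO generation 4": ALL_METHODS,  # Library method only if the library hardware supports it
    "HP LTO generation 4": {"Application"},
    "Oracle StorageTek T10000B": {"Application"},
    "Oracle StorageTek T10000C": {"Application"},
    "Oracle StorageTek T10000D": {"Application"},
}

def check_library(name, drives):
    """Return a list of findings for one logical library.

    drives: list of (drive_name, drive_type, method). method is "Application",
    "Library", "System", or None for a drive that does not encrypt (assumption:
    such drives are exempt from the checks below).
    """
    findings = []
    used = set()
    for drive, dtype, method in drives:
        if method is None:
            continue
        used.add(method)
        if method not in SUPPORT.get(dtype, set()):
            findings.append(f"{name}/{drive}: {dtype} does not support the {method} method")
    if len(used) > 1:
        findings.append(f"{name}: mixed encryption methods {sorted(used)}; use one method per logical library")
    return findings

# Constructed inventory with hypothetical library and drive names.
INVENTORY = {
    "LIB_A": [("DRV1", "IBM LTO generation 4", "Application"),
              ("DRV2", "IBM LTO generation 4", "Application"),
              ("DRV3", "LTO generation 3", None)],
    "LIB_B": [("DRV1", "IBM LTO generation 4", "Application"),
              ("DRV2", "IBM LTO generation 4", "Library")],
    "LIB_C": [("DRV1", "HP LTO generation 4", "System")],
}

def audit(inventory):
    """Map each library name to its list of findings (empty list means no issue)."""
    return {lib: check_library(lib, drives) for lib, drives in inventory.items()}

if __name__ == "__main__":
    for lib, findings in audit(INVENTORY).items():
        print(lib, "OK" if not findings else findings)
```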
When you use encryption-capable drives with a supported encryption method, a different format is used to write encrypted data to tapes. If data is written to volumes in that format and the volumes are then returned to scratch, their labels can be read only by encryption-enabled drives. To use these scratch volumes in a drive that is not enabled for encryption, either because the hardware is not capable of encryption or because the encryption method is set to NONE, you must relabel the volumes.
For more information about setting up your hardware environment to use drive encryption, see your hardware documentation.
For details about the DRIVEENCRYPTION parameter, see the following topics: