Configuring tape drive encryption

You can use drive encryption to protect tapes that contain critical or sensitive data, for example, tapes that contain confidential financial information. Drive encryption can be useful when you move tapes from the IBM Spectrum Protect™ server environment to an onsite or offsite location.

About this task

To determine which encryption methods can be used with various drive types, see the following table.
Table 1. Available encryption methods

| Drive type | Application method | Library method | System method |
|---|---|---|---|
| 3592 Generation 2 and later | Yes | Yes | Yes |
| HP LTO-4 and later | Yes | No | No |
| IBM® LTO-4 and later | Yes | Yes, but only if your system hardware (for example, a TS3500 tape library) supports it. | Yes |
| Oracle StorageTek T10000B | Yes | No | No |
| Oracle StorageTek T10000C | Yes | No | No |
| Oracle StorageTek T10000D | Yes | No | No |

A library can contain a mixture of drives, some of which support encryption and some of which do not. For example, a library might contain two LTO-2 drives, two LTO-3 drives, and two LTO-4 drives. You can also mix media in a library by using, for example, encrypted and non-encrypted device classes that have different tape and drive technologies.
Restrictions:
  • To apply encryption to LTO-4 or later drives, all of the drives must support encryption.
  • To apply encryption to a logical library, you must use the same method of encryption for all drives within the library. Do not create an environment in which some drives use the Application method and some drives use the Library or System methods of encryption.

For more information about setting up your hardware environment to use drive encryption, see your hardware documentation.
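
The following planning check is an added example, not part of the IBM documentation or product. It encodes Table 1 and the two restrictions above for a single logical library. The drive-type keys, the plan layout, and the function name check_library are assumptions made for this sketch, and the first restriction is read here as applying to all drives in the same library.

```python
# Added example: Table 1 and the two restrictions as a pre-deployment check.
# Drive-type keys and the plan layout are constructed for this sketch.
SUPPORT = {  # drive type -> encryption methods available (Table 1)
    "3592-GEN2+": {"application", "library", "system"},
    "HP-LTO4+": {"application"},
    "IBM-LTO4+": {"application", "library", "system"},
    "T10000B": {"application"},
    "T10000C": {"application"},
    "T10000D": {"application"},
}
# Table 1: "Yes, but only if your system hardware ... supports it."
HARDWARE_DEPENDENT = {("IBM-LTO4+", "library")}
LTO4_PLUS = {"HP-LTO4+", "IBM-LTO4+"}

def check_library(drives):
    """drives: list of (drive_type, method); method is a method name or None.
    Returns (errors, warnings) for one logical library."""
    errors, warnings = [], []
    for dtype, method in drives:
        if method is None:
            continue  # no encryption requested on this drive
        if method not in SUPPORT.get(dtype, set()):
            errors.append(f"{dtype}: {method} method not available")
        elif (dtype, method) in HARDWARE_DEPENDENT:
            warnings.append(f"{dtype}: {method} method depends on library hardware")
    # Restriction: the same method for all drives within the library.
    methods = sorted({m for _, m in drives if m})
    if len(methods) > 1:
        errors.append("mixed methods in one library: " + ", ".join(methods))
    # Restriction: encrypting LTO-4 or later requires that all drives support
    # encryption (assumption: "all" means every drive in this library).
    if any(t in LTO4_PLUS and m for t, m in drives):
        incapable = sorted({t for t, _ in drives if t not in SUPPORT})
        if incapable:
            errors.append("drives without encryption support: " + ", ".join(incapable))
    return errors, warnings

# Constructed sample plans (not taken from a real library).
PLAN_MIXED_METHODS = [("IBM-LTO4+", "application"), ("IBM-LTO4+", "library")]
PLAN_MIXED_LTO = [("LTO-2", None), ("LTO-3", None), ("IBM-LTO4+", "application")]
PLAN_OK = [("3592-GEN2+", "system"), ("3592-GEN2+", "system")]

if __name__ == "__main__":
    for name in ("PLAN_MIXED_METHODS", "PLAN_MIXED_LTO", "PLAN_OK"):
        print(name, check_library(globals()[name]))
```
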

Procedure

  1. Install a device driver that supports drive encryption:
    • To enable encryption for an IBM LTO-4 or later drive, you must install the IBM RMSS Ultrium device driver. SCSI drives do not support IBM LTO-4 or later encryption.
    • To enable encryption for an HP LTO-4 or later drive, you must install the IBM Spectrum Protect device driver.
  2. Enable drive encryption by specifying the DRIVEENCRYPTION parameter on the DEFINE DEVCLASS or UPDATE DEVCLASS command for the 3592, LTO, or ECARTRIDGE device types.

What to do next

When you use encryption-capable drives with a supported encryption method, a different format is used to write encrypted data to tapes. If data is written to volumes in this format and the volumes are then returned to scratch, the volumes contain labels that can be read only by encryption-enabled drives. To use these scratch volumes in a drive that is not enabled for encryption, either because the hardware is not capable of encryption or because the encryption method is set to NONE, you must relabel the volumes.