Tivoli Storage Manager (TSM) tape drive encryption methods and limitations

Drive encryption protects tapes that contain critical or sensitive data. It is particularly beneficial for tapes that are moved from the Tivoli Storage Manager server environment to an off-site location. Tivoli Storage Manager supports encryption for the following drives:
  • IBM 3592 generation 2 and later
  • IBM and HP LTO generation 4 and later
  • Oracle StorageTek T10000B
  • Oracle StorageTek T10000C
Tivoli Storage Manager supports the three types of drive encryption available with LTO generation 4 drives. These methods are defined through the hardware:
  • Application Method
  • System Method
  • Library Method
How to enable LTO drive encryption:

The DRIVEENCRYPTION parameter specifies whether drive encryption is enabled for IBM and HP LTO generation 4, Ultrium4, and Ultrium4C formats. This parameter ensures Tivoli Storage Manager compatibility with hardware encryption settings for empty volumes.

Tivoli Storage Manager supports the Application method of encryption with IBM and HP LTO-4 drives. Only IBM LTO-4 supports the System and Library methods. The Library method of encryption is supported only if your system hardware (for example, IBM 3584) supports it. 
You cannot use drive encryption with write-once, read-many (WORM) media.

The Application method is defined through the hardware. To use the Application method, in which Tivoli Storage Manager generates and manages encryption keys, set the DRIVEENCRYPTION parameter to ON. This permits the encryption of data for empty volumes. 

If the parameter is set to ON and the hardware is configured for another encryption method, backup operations will fail. The following simplified example shows the steps you would take to permit the encryption of data for empty volumes in a storage pool.
  • Define a library:
        define library TSMLIB libtype=SCSI
  • Define a device class, LTOCLASS, and specify Tivoli Storage Manager as the key manager:
        define devclass LTOCLASS library=TSMLIB devtype=lto driveencryption=on
  • Define a storage pool that uses the device class:
        define stgpool lto_encrypt_pool LTOCLASS

Disabling LTO drive encryption:

To disable encryption on new volumes, set the DRIVEENCRYPTION parameter to OFF. The default value is ALLOW. Drive encryption for empty volumes is permitted if another method of encryption is enabled.
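Because the default DRIVEENCRYPTION value is ALLOW rather than ON, a device class that is meant to feed an off-site pool can end up relying on whatever the hardware or library happens to do. The following audit helper is an added example and is not part of the Tivoli Storage Manager documentation: it reads the report produced by the administrative command `query devclass * format=detailed` and lists every LTO device class whose Drive Encryption is anything other than On. The field labels Device Class Name, Device Type and Drive Encryption are the ones that report uses; the device-class names and values embedded below are constructed for this example and do not describe a real server.

```shell
#!/bin/sh
# Added audit helper, not part of the Tivoli Storage Manager documentation:
# list LTO device classes whose DRIVEENCRYPTION setting is not ON, so that a
# pool intended for off-site tapes is not silently relying on ALLOW (the
# default) or OFF.
#
# Input is the report printed by the administrative command
#   query devclass * format=detailed
# The field labels below are the ones that report uses; the values are
# constructed for this example and do not describe a real server.
SAMPLE_QUERY_DEVCLASS='
             Device Class Name: LTOCLASS
                   Device Type: LTO
                        Format: DRIVE
                       Library: TSMLIB
                          WORM: No
              Drive Encryption: On

             Device Class Name: LTOPLAIN
                   Device Type: LTO
                        Format: DRIVE
                       Library: TSMLIB
                          WORM: No
              Drive Encryption: Allow

             Device Class Name: FILECLASS
                   Device Type: FILE
                        Format: DRIVE
                       Library:
                          WORM:
              Drive Encryption:'

# Read a detailed devclass report on stdin and print, one per line, the names
# of LTO device classes whose Drive Encryption is anything other than On.
# Non-LTO classes (FILE, DISK, ...) have no drive encryption and are skipped.
lto_classes_not_encrypting() {
    awk -F': *' '
        { sub(/[[:space:]]+$/, "") }                 # drop trailing blanks
        /Device Class Name:/ { name = $2 }
        /Device Type:/       { type = $2 }
        /Drive Encryption:/  { enc  = $2 }
        # a blank line closes one device-class block
        /^$/ && name != "" { flush() }
        END { if (name != "") flush() }

        function flush() {
            if (type == "LTO" && toupper(enc) != "ON") print name
            name = ""; type = ""; enc = ""
        }
    '
}

# Convenience wrapper: succeed (exit 0) only when every LTO device class
# in the report has Drive Encryption set to On.
all_lto_classes_encrypting() {
    [ -z "$(lto_classes_not_encrypting)" ]
}

# Run against the constructed sample. Against a live server, replace the
# printf with the administrative client, for example:
#   dsmadmc -id=ADMIN_ID -password=ADMIN_PASSWORD -dataonly=yes \
#       "query devclass * format=detailed" | lto_classes_not_encrypting
printf '%s\n' "$SAMPLE_QUERY_DEVCLASS" | lto_classes_not_encrypting
```

Run on the sample, the script prints only LTOPLAIN: LTOCLASS is ON and FILECLASS is not a tape device class. A class reported this way should be corrected with `update devclass ... driveencryption=on` before new scratch volumes are written for an off-site pool.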

Limitations of Drive Encryption

  • A library can contain a mixture of drives, some of which support encryption and some that do not. (For example, a library might contain two LTO-2 drives, two LTO-3 drives, and two encryption-capable LTO-4 drives.)
  • You can also mix media in a library, for example by using a mixture of encrypted and non-encrypted device classes that have different tape and drive technologies. However, all LTO-4 drives must support encryption if Tivoli Storage Manager is to use drive encryption.
  • In addition, all drives within a logical library must use the same method of encryption. When using Tivoli Storage Manager, do not create an environment in which some drives use the Application method and some drives use the Library or System methods of encryption.
  • When encryption-capable drives are used with a supported encryption method, encrypted data is written to tape in a different format. If volumes written in that format are later returned to scratch, they carry labels that can be read only by encryption-enabled drives.
  • To use these scratch volumes in a drive that is not enabled for encryption, either because the hardware is not capable of encryption or because the encryption method is set to NONE, you must relabel the volumes.

