The Keys to Tape Encryption

Article ID: 21114

Today's business environment demands effective security procedures, and that makes encryption one of the hottest topics in the marketplace. Most states now require that companies disclose breaches of security. Such notifications have direct costs, including fines and penalties, as well as expenses incurred for customer notification, public relations, and legal actions. There are also indirect costs, such as loss of reputation, decreased customer goodwill, and government investigations. Without a doubt, it is within your best interest to protect sensitive data from unauthorized viewers.

A big security exposure is the potential loss of backup tape media that contains customer personal data such as credit card numbers. Moving backup media off site for safekeeping incurs the risk of losing media during transport, making encryption of sensitive data an essential safeguard. Three primary techniques exist to encrypt backup data: encrypting data directly in SQL table columns via an application using cryptographic APIs, using third-party software to encrypt selected objects or a third-party appliance attached between the System i server and the tape device, and employing encryption capabilities built into the tape device itself.

IBM's TS1120 and LTO4 tape devices now provide built-in tape encryption. For tape encryption on the System i, the TS1120 and LTO4 tape devices must reside in a tape library and must be fiber attached. The TS1120 tape must exist in a 3494, TS3400, or TS3500 tape library; the LTO4 tape device must be housed in a TS3100, TS3200, TS3310, or TS3500 tape library.

Performance is a big concern with any encryption implementation. With IBM's TS1120 and LTO4 tape encryption, there is less than 1 percent degradation in save performance.

Tape Devices and Libraries

Your encryption options vary based on which tape library you choose. The 3494 tape library can contain TS1120 tape devices. You can control tape encryption with this library by the volume serial number, and you can have a mixture of encrypted and nonencrypted tape devices.

The TS3500 tape library can contain LTO4 and/or TS1120 tape devices. As with the 3494 tape library, you can control tape encryption with the TS3500 tape library by the volume serial number as well. By using the Advanced Library Management System (ALMS) feature, you can employ a mixture of encrypted and nonencrypted tape devices with the TS3500. ALMS is a separate feature that must be purchased at an additional cost.

With the 3494 and TS3500 tape libraries, you tell the tape library which tape volume serial ranges to use for encrypted and nonencrypted saves. When you perform a save, the tape library contacts an Encryption Key Manager (EKM) server, obtains the encryption keys, and then performs an encrypted save to the tape media. If the tape volume serial does not require encryption, the tape library performs a nonencrypted save to the tape media.

The TS3400 tape library is a smaller tape library that can contain TS1120 tape devices. With this library, you control tape encryption by turning it on or off using a web interface. The TS3100, TS3200, and TS3310 are smaller tape libraries that can run LTO4 tape devices. These tape libraries also require the Transparent LTO Encryption feature for Library Managed Encryption (FC5900).

As with the TS3400 tape library, you control tape encryption by turning it on or off using a web interface. All tape devices in a tape library partition of the TS3200, TS3310, or TS3400 tape libraries must have the same setting for tape encryption.

Encryption Key Manager

In addition to an encryption-capable tape device, you need to have an EKM server. The EKM server runs using Java code on a variety of platforms and supports many IBM operating systems, including i5/OS V5R3 and later, AIX V5R2 and later, and System z operating systems. It also supports non-IBM operating systems, such as Windows, Linux, HP, and Sun.

To get the IBM Java Runtime Environment plus the EKM code to IBM operating systems, you must have the IBM Developer Kit for Java (5722-JV1). For non-IBM operating systems, you need the "TotalStorage Productivity Center" CD. You can download the latest copy of the EKM code for free at ibm.com/support/docview.wss?&uid=ssg1S4000504.

For installation instructions and other details about the EKM server, read the Introduction, Planning and User's Guide (GA76-0418), which you can download from the same site as the EKM code.

You'll find there are differences with the EKM server depending on whether you use TS1120 or LTO4 tape devices. With TS1120 tape devices, you have a choice of using either the i5/OS or Java keystore; with LTO4 tape devices, you can use only the Java keystore. Every TS1120 tape will have a different data key, but LTO4 tapes can use the same data key.

With TS1120, you acquire and load public keys for your company and partners. These public keys are then stored in the keystore, and the EKM randomly generates data keys. The data key is then encrypted with the public key, linked to the key label, and stored on the tape in three places as well as in the cartridge memory.

If you use LTO4, you acquire and load the data keys by using the keytool command. The data keys are housed in the keystore with the data key labels that are stored with each block of data on the tape.

I strongly recommend that you run multiple EKM servers so that backups or restores can still run if one of your servers is down. You must export and synchronize the keys on all your EKM servers whenever you change the keys, and you should keep off-site backups of your EKM servers.

For disaster recovery, you need to either run an EKM server or be prepared to recover your EKM server before recovering your System i-encrypted backups. You also need to ensure that your disaster recovery site can let you have your EKM server on site, or provide access to a server for you to recover your EKM environment. Be sure to run your EKM on a server or LPAR where none of the saves are encrypted. At your recovery site, you also need the same type of encryption-capable tape device (e.g., TS1120, LTO4) in a tape library.

Sharing Tapes with Other Companies

If you must share your TS1120 tapes with another company, you need to write the tape media with the other company's public key. After you do so, the other company can then decrypt and read the tape media using its private key.

Re-Key Tape Media

You may need to re-key your tape media if your original keys become exposed or if your company splits into different companies. If you re-key your TS1120 tape media, a new wrapper is placed on the data key, and the data key overwrites the tape from the start. The rewrite process takes a few minutes per tape to complete. If you need to re-key your LTO4 tape media, the entire tape must be rewritten with a new data key — a process that typically requires several hours per tape.
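The TS1120 key flow described above (a random data key wrapped under a public key per key label), tape sharing with a partner's public key, and the re-key behaviour differ from LTO4 in one structural way: the data key is an envelope, so changing who can read the tape never touches the encrypted data. The following Go program is an added illustration of that model, not IBM's EKM or drive firmware; it substitutes RSA-OAEP for the wrapping and AES-256-GCM for the tape data, and the Cartridge type, key labels, and sample backup image are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Cartridge is a constructed stand-in for a TS1120 tape: only wrapped copies of the data key are written.
type Cartridge struct {
	WrappedDEK        map[string][]byte // key label -> data key wrapped under that label's public key
	Nonce, Ciphertext []byte            // the encrypted backup image
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func gcmFor(dek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(dek)))) }
func wrap(pub *rsa.PublicKey, dek []byte) []byte { return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)) }
func unwrap(priv *rsa.PrivateKey, w []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil) }

// WriteTape models the EKM flow: generate a random AES-256 data key, wrap it under
// every public key supplied (yours and a partner's), then write the data once.
func WriteTape(backup []byte, pubs map[string]*rsa.PublicKey) *Cartridge {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	c := &Cartridge{WrappedDEK: map[string][]byte{}}
	for label, pub := range pubs {
		c.WrappedDEK[label] = wrap(pub, dek)
	}
	aead := gcmFor(dek)
	c.Nonce = make([]byte, aead.NonceSize())
	must(rand.Read(c.Nonce))
	c.Ciphertext = aead.Seal(nil, c.Nonce, backup, nil)
	return c
}

// ReadTape succeeds only with the private key matching one of the stored labels.
func ReadTape(c *Cartridge, label string, priv *rsa.PrivateKey) ([]byte, error) {
	dek, err := unwrap(priv, c.WrappedDEK[label])
	if err != nil { return nil, err }
	return gcmFor(dek).Open(nil, c.Nonce, c.Ciphertext, nil)
}

// ReKey is the TS1120-style re-key: only the wrapper is replaced; the image is untouched (LTO4 must rewrite it).
func ReKey(c *Cartridge, oldLabel string, oldPriv *rsa.PrivateKey, newLabel string, newPub *rsa.PublicKey) {
	dek := must(unwrap(oldPriv, c.WrappedDEK[oldLabel]))
	delete(c.WrappedDEK, oldLabel)
	c.WrappedDEK[newLabel] = wrap(newPub, dek)
}
```

Comparing the ciphertext before and after ReKey is the check that distinguishes the minutes-per-tape TS1120 re-key from the hours-per-tape LTO4 rewrite: the bytes on the medium do not change.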

Tape Encryption BRMS

Backup Recovery and Media Services (BRMS) is recommended when your System i is connected to a tape library. Because tape encryption on the System i requires encrypted-tape devices in a tape library, you should consider BRMS as part of your tape-encryption solution.

The TS1120 tape media has a special density of FMT3592A2E for encrypted media. To distinguish between encrypted and nonencrypted tape densities or volumes, you need to create a separate media class (e.g., ENCRYPTED) in BRMS that specifies the new media density of FMT3592A2E. Specify the new media class when you enroll encryption-capable media with the FMT3592A2E density in the BRMS media inventory.

Backups performed using the new encrypted media class are encrypted. Always ensure that you enroll encrypted tapes with the FMT3592A2E density in the encrypted media class and non-encrypted tapes in the nonencrypted media class. The LTO4 tape media does not have a special density for encryption.

If you have a TS3200, TS3310, or TS3400 tape library set up with logical partitions for encrypted and nonencrypted tape devices, you must define a media class for encrypted tape media and a separate media class for nonencrypted tape media.

Tape Encryption Is a Wise Choice

Tape encryption with the TS1120 and LTO4 tape devices protects your backup media without harming performance on your backups or recoveries. An essential aspect of backup planning is to ensure that decryption keys (the private keys associated with the public keys used to encrypt backups) are readily available at all sites where your data may be restored — via an EKM server. After you implement tape encryption, be sure to always test your recovery strategy using your new tape encryption solution.

Debbie Saugen is the technical owner of System i Backup and Recovery in IBM's Rochester, Minnesota, development lab. She is also a senior recovery architect/consultant with IBM Business Continuity and Resiliency Services. Debbie enjoys sharing her knowledge by speaking at COMMON, technical conferences, and business continuity and resiliency conferences, and by writing for various magazines and websites.

Demo Booth provides a practical, technical look at application development and systems management/operation tools. In Demo Booth, software vendors provide concise, concrete explanations of how their products can solve common System i problems. The vendors speak for themselves — System iNews technical editors referee submissions to eliminate promotional material, but vendors select their own problems, solutions, and styles of presentation.
