HP 1/8 G2 and MSL Encryption Kit User Guide

Abstract
This guide provides information about developing encryption key management processes, configuring the tape autoloader or tape library to implement the security policy based on the encryption kit, using and administering the autoloader or library with the encryption kit, and troubleshooting problems with the autoloader or library when using the encryption kit.
© Copyright 2010, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 Features and overview ........ 5
  Considerations for using the encryption kit ........ 5
  LTO-4 and later generation tape drives and encryption ........ 6
  Requirements for using the encryption kit ........
  Restoring encrypted data during disaster recovery ........ 41
  Using the encryption kit with partitions or logical libraries ........ 41
  Restoring the encryption configuration after a chassis or library controller replacement ........ 41
5 Troubleshooting ........ 43
  Installation problems ........
1 Features and overview

IMPORTANT: The encryption kit provides secure encryption of your data using key server tokens and passwords. A thorough understanding and proper use of the encryption kit operation will maintain the security of your data and ensure that only qualified persons have access to the data. Managing your key server tokens and passwords is critical for preventing unauthorized data access and for avoiding the inability of qualified personnel to access data from tapes.
To read encrypted data, you must have a key server token with the key for the tape and the password for the key server token. The association between the encryption key and the tape is not stored on either the key server token or the tape.

CAUTION: If you lose the key server tokens and token backup files associated with a tape, neither you nor HP will be able to recover the encryption keys that were stored on the tokens.
Autoloader or library firmware requirements

MSL6480
All versions of MSL6480 library firmware support the encryption kit.

Autoloader and other libraries
To see whether your autoloader or library firmware supports the encryption kit, log into the RMI for your product. If the RMI has a Status > Security tab, the firmware supports the encryption kit.
The LTO-4 tape drive must have the following or later versions of tape drive firmware:

Tape drive      Parallel SCSI    SAS              Fibre Channel
Ultrium 1760    W22W             U26W             Not Applicable
Ultrium 1840    B45W             Not Applicable   H44W

To find the version of firmware on your tape drive, see “Verify your autoloader or library firmware version” (page 18).

NOTE: With the above LTO-4 tape drive firmware revisions, the autoloader or library will NOT allow LTO-3 media in LTO-4 tape drives when encryption is enabled with the encryption kit.
Figure 4 Key server token LED

Table 2 Token status LED behavior
LED behavior   Token status
On             The token is ready to be used by the autoloader or library.
Off            The token is not receiving power and must be fully inserted into the autoloader or library USB port.
Flashing       The device with the USB port does not have software to communicate with the key server token. If this occurs when the key server token is plugged into the autoloader or library, update the autoloader or library firmware to the current version.
Figure 5 MSL6480 Status > Security screen showing the keys on the token and their dates of creation
Figure 6 Autoloader and other libraries RMI Status > Security screen showing the Current key and key creation dates

The token can hold up to 100 keys. Any tape that was written using one of the keys on the token can be read using that token. If an attempt is made to read an encrypted tape and the key is not on the installed token, an error message will be displayed when the tape drive attempts to read the tape.
The Yellow token has been initialized with a name “Yellow” but does not have any keys.
The Green token has current key F, with decryption keys F, A, and E. Key A is the same key A on the Blue token from a previous save/restore operation.
[Figure: Yellow token (no keys); Green token: F = current key, E, A]

Scenario 1
In this scenario, a backup file from the Blue token is restored to the Yellow token.
two tokens with the same current key is to restore a backup onto a token that does not have any keys, as in Scenario 1.
2 Creating your key management processes

The encryption kit provides encryption key generation and secure storage of the keys, and is intended to be used within a key management process. Processes should be developed to manage your encryption keys, tokens, and passwords before configuring encryption on the autoloader or library. The key management processes may be based on your company's security and audit policies.
data at a different location. If the second token contains a backup of the first token's data, it should be stored in a secure location, such as a fireproof safe in a different building. The token data backup file and the second token support several approaches to backing up the keys so that tapes can continue to be written and read if the first token is lost or destroyed. Choose an approach that best meets your organization's needs and capabilities.
Managing the token password (PIN)

The token password, called a PIN, protects access to the data on the key server token.

IMPORTANT: The PIN is required to write and restore encrypted data. Neither you nor HP can recover, restore, or reset the PIN if it is lost or forgotten.

The PIN is set and can be changed from the RMI. Setting the PIN the first time also requires the appropriate RMI password. Changing the PIN requires both the current PIN and the appropriate RMI password.
Maintaining encryption capability in the event of a power loss

For increased security, the key server token's PIN is stored in volatile memory in the autoloader or library. Each time the autoloader or library cycles power the PIN must be entered. The autoloader or library will display a warning message on the OCP and RMI, and send periodic SNMP and email events, if those options are enabled, until the PIN is entered.
3 Installing and configuring the encryption kit

Identifying product components
Verify that you received all of the product components.

Figure 7 Encryption kit components
1. Two key server tokens
2. Accessory bag of token id cards and holders
3. Product documentation

Preparing the autoloader or library

Log in to the remote management interface
The key server token and autoloader or library encryption capabilities can only be configured from the RMI.
• MSL6480 — Log into the RMI as the security user.
Figure 8 RMI Configuration > Security tab

You can download autoloader or library firmware files from the HP Support website at http://www.hp.com/support.

Locate the USB port
Locate the USB port on the back panel of the autoloader or library.

Figure 9 MSL6480 rear USB port location

NOTE: Only the rear USB port on the MSL6480 is used for the encryption kit token. The front port cannot be used for the token.
information about creating your encryption key management processes. HP recommends that you track at least:
• Token name
• Whether this token is a backup of another token
• Dates used for writing data
• The tape cartridges written with keys stored on the token. When possible, record the barcode label associated with the tape cartridge.
• Token backup file filename and password.
The encryption kit includes two methods of tracking the tokens.
Insert the key server token
Insert the key server token in the USB port on the back panel of the library base module.

Figure 11 Inserting the key server token into the rear MSL6480 USB port

Enter the PIN
When a key server token is inserted for the first time in any autoloader or library, the autoloader or library will recognize it as a new token and display a dialog on the RMI requesting that you enter a PIN.
NOTE: This option is only selectable when a token is inserted in the rear USB port of the base module. Click Refresh to update the displayed key manager options.
3. Navigate to the Configuration > Encryption > USB - MSL Encryption Kit screen.
4. If requested, enter the Token PIN, and then click Submit.
Click Enable in the Enable/Disable Encryption area to enable encryption for one or more partitions.
Figure 13 Key Management area

8. Optional: Enable and configure automatic key generation. When automatic key generation is enabled, the library will automatically request the key server token to generate a new key periodically, according to the policy you configure.
   a. Expand the Key Management section.
   b. Set the policy for the new key generation frequency, and the date and time this will occur. Be aware that when new keys are created automatically they are not backed up until you do so manually.
NOTE: The library uses the same write encryption key (the Current key) for all partitions with encryption enabled. If the library is writing an encrypted tape when you change the security configuration, the new configuration will take effect for the next tape loaded into an LTO-4 or later generation tape drive.

Backing up the initial key
The key server token contains the keys used to encrypt and decrypt your tapes.
3. Navigate to the Configuration > Encryption > USB — MSL Encryption Kit screen.
4. In the Restore Token Backup from File pane, enter the Token Restore File Password. (The Token Restore File Password is the Token Backup File Password used when the token backup file was created.)
5. Click Submit Token Restore File Password.
6. Enter the location of the token backup file. (The Browse button will be active after the token restore file password is submitted.)
Figure 15 Inserting the key server token

Enter the PIN
When a key server token is inserted for the first time in any autoloader or library, the autoloader or library will recognize it as a new token and display a dialog on the RMI requesting that you enter a PIN. The new PIN must be between eight and 16 characters long and contain at least one capital letter, at least one lowercase letter, and at least two digits. Follow the directions in the dialog to enter your PIN.
1. Click the Encryption enabled box to enable encryption for the autoloader or library, or for one or more logical libraries that contain an LTO-4 or later generation tape drive. Logical libraries that do not contain an LTO-4 or later generation tape drive will not appear on the configuration screen.

Figure 16 Security Configuration pane of the Configuration > Security screen

2. Enter the name of the token in the Token Name field. The name can have up to 126 characters.
NOTE: The autoloader or library uses the same write encryption key (the Current key) for all logical libraries with encryption enabled. If the autoloader or library is writing an encrypted tape when you change the security configuration, the new configuration will take effect for the next tape loaded into an LTO-4 or later generation tape drive.

Backing up the initial key
The key server token contains the keys used to encrypt and decrypt your tapes.
3. Navigate to the Configuration > Security screen.
4. In the Restore Token Backup from File pane, enter the Token Restore File Password. (The Token Restore File Password is the Token Backup File Password used when the token backup file was created.)
5. Click Submit Token Restore File Password.
6. Enter the location of the token backup file. (The Browse button will be active after the token restore file password is submitted.)
4 Using the encryption kit

You can access encryption kit features from the RMI. Accessing the RMI encryption kit configuration screen requires a password.
NOTE: After the RMI session ends, the PIN will still be available to the autoloader or library to access the keys on the token for writing and reading tapes. For encryption operation, the PIN only needs to be entered once when the autoloader or library is powered on or a different token is installed in the autoloader or library.
Figure 23 MSL6480 — Changing the PIN in the encryption kit configuration screen
Figure 24 Autoloader and other libraries — Changing the PIN in the encryption kit configuration screen

Generating a new encryption key
You can generate a new encryption key from the RMI encryption kit configuration screen with the required password.
Figure 25 MSL6480 — Generating a new encryption key in the encryption kit configuration screen
To generate a new encryption key, click Apply in the Key Management pane. The library will take a few seconds to generate the new key.

Figure 26 Autoloader and other libraries — Generating a new encryption key in the encryption kit configuration screen
To generate a new encryption key, click Apply in the Generate a new write key pane. The autoloader or library will take a few seconds to generate the new key.
Figure 27 MSL6480 — Enabling encryption in the encryption kit configuration screen
Click Enable to enable encryption for the partition. Click Disable to disable encryption for the partition.

Figure 28 Autoloader and other libraries — Enabling encryption in the encryption kit configuration screen
Click in the Encryption enabled box to enable or disable encryption. The green check mark shows that encryption is enabled.
Figure 29 MSL6480 — Backing up the token data from the encryption kit configuration screen
Figure 30 Autoloader and other libraries — Backing up the token from the Back up Token to File pane of the encryption kit configuration screen

During the token backup process, the autoloader or library will write the token information to a file, which will be saved on the computer from which you are running the browser with the RMI. After the file is written, the information can be restored to a different token.
TIP: If you want two tokens to both have all of the keys, perform the backup and restore procedures twice, starting each time with a different token. Each token will retain its current key used to write new or formatted tapes, but both tokens can be used to decrypt tapes written with keys from either token.

To back up the information on a token to a file:
1. Log into the RMI encryption kit screen. To do so, you will need to log into the RMI and supply the PIN for the token in the autoloader or library.
2.
Figure 31 MSL6480 — Restoring the token data from the Restore Token from File area of the encryption kit configuration screen
Figure 32 Autoloader and other libraries — Restoring token data from the Restore Token from File pane of the encryption kit configuration screen

During the restore process, the encryption keys from the file will be merged with the keys on the token. If the number of unique keys from the two sources is greater than 100, the restore process will not be initiated.
1. If you are restoring the token backup file to a different token than the one installed in the autoloader or library, pause all write operations to LTO-4 or later generation tape drives with encryption enabled.
2. Log into the RMI.
   • MSL6480 — Log into the RMI as the security user. You will need the security user password.
   • Autoloader and other libraries — Log into the RMI as the administrator user. You will need the administrator user password.
Combining keys from multiple key server tokens
You may want to combine the encryption keys from two or more key servers to read tapes encrypted in multiple autoloaders or libraries that use the encryption kit, for example, when you install the HP MSL Library Extender with two libraries that are using the encryption kit or combine the functions of two or more autoloaders or libraries into a larger library.

To combine the keys from multiple key server tokens:
1.
6. For each of the token backup files created from the other tokens:
   a. Enter the password used to create the token backup file. Click Submit Token Restore File Password.
   b. Browse to the location of the token backup file. Click Restore. (The Browse button will be active after the token restore file password is submitted.)

NOTE: The key server token holds up to 100 keys. If more than 100 unique keys are found on the receiving token and in the backup file, the restore process will not be initiated.
9. Insert the new token into the USB port of the autoloader or library.
10. Follow the RMI instructions to create a PIN for the new token.
11. Enter the password used to create the token backup file. Click Submit Token Restore File Password.
12. Browse to the location of the token backup file containing the seed keys. Click Restore. (The Browse button will be active after the token restore file password is submitted.)
13. If you paused write operations at the beginning of the procedure, you can resume them.
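As an added illustration (not HP firmware or RMI code), the following Python models the token rules this guide states so they can be reasoned about before a real backup/restore: the PIN format from “Enter the PIN”, the 100-key limit and merge behaviour of a restore, and the Current-key outcomes of Scenario 1 and of the two-token TIP. Key identifiers such as 'A' and 'F' are constructed sample values.

```python
"""Model of the MSL Encryption Kit token behaviour described in this guide.

Added illustration, not HP code; key identifiers are constructed samples.
  - a token holds at most 100 keys and has one Current (write) key
  - a restore merges the backup file's keys into the token; if the union has
    more than 100 unique keys the restore is refused and nothing changes
  - a token with no keys adopts the backup's Current key (Scenario 1); a token
    that already has keys keeps its own Current key (the two-token TIP)
  - a PIN is 8-16 characters with >=1 upper, >=1 lower and >=2 digits
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_KEYS = 100


def validate_pin(pin: str) -> bool:
    """True if the PIN meets the rules the RMI 'Enter the PIN' dialog states."""
    if not 8 <= len(pin) <= 16:
        return False
    uppers = sum(c.isupper() for c in pin)
    lowers = sum(c.islower() for c in pin)
    digits = sum(c.isdigit() for c in pin)
    return uppers >= 1 and lowers >= 1 and digits >= 2


@dataclass
class Token:
    name: str
    keys: List[str] = field(default_factory=list)  # every key the token can decrypt with
    current: Optional[str] = None                  # Current key used to write new tapes

    def generate_key(self, key_id: str) -> None:
        """Generate a new write key (Key Management > Apply); it becomes Current."""
        if len(self.keys) >= MAX_KEYS:
            raise ValueError("token already holds 100 keys")
        self.keys.append(key_id)
        self.current = key_id

    def backup(self) -> dict:
        """Contents of a token backup file (the real file is password protected)."""
        return {"keys": list(self.keys), "current": self.current}

    def restore(self, backup: dict) -> bool:
        """Merge a backup file into this token; return False if the restore is refused."""
        merged = list(dict.fromkeys(self.keys + backup["keys"]))  # union, order kept
        if len(merged) > MAX_KEYS:
            return False                  # "the restore process will not be initiated"
        had_keys = bool(self.keys)
        self.keys = merged
        if not had_keys:                  # Scenario 1: an empty token takes the Current key
            self.current = backup["current"]
        return True

    def can_read(self, tape_key: str) -> bool:
        """A tape is readable only when the key it was written with is on the token."""
        return tape_key in self.keys


def two_way_sync(a: Token, b: Token) -> None:
    """The TIP: back up and restore twice so both tokens hold every key while
    each keeps its own Current key."""
    a.restore(b.backup())
    b.restore(a.backup())
```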
Use the RMI screen for your device to save the configuration database to a file or restore it from a file. You will need the administrator user password.
5 Troubleshooting

Installation problems

The library does not have a USB port
Some MSL2024 and MSL4048 Tape Libraries have silver tape covering the USB port. Remove the tape to locate the USB port in the location shown in Figure 37 (page 43).

Figure 37 USB port location

Operation problems

Encryption token LED
The LED on the encryption token should be lit when the token is plugged into the back of the autoloader or library when the autoloader or library is powered on.
Troubleshooting table
You can access encryption kit features from the RMI. Accessing the RMI encryption kit screen requires a password.
Table 6 Troubleshooting table (continued)
Problem | Cause | Solution
writing new or formatted tapes with the wrong write key.

Problem: Token does not recognize the PIN.
Cause: You entered the incorrect PIN.
Solution: Find the correct PIN and enter it.

Cause: A different token has been installed in the autoloader or library.
Solution: Check the RMI encryption kit screen to verify that the correct token is installed in the autoloader or library. Either replace the token with the correct token or enter the PIN for the currently-installed token.
Table 6 Troubleshooting table (continued)
Problem: A PIN or backup file password longer than 15 or 16 characters is not accepted.
Cause: Some earlier versions of the RMI allowed longer passwords to be entered, but the firmware only stored the first 15 or 16 characters when encrypting the PIN or password.
Solution: Try entering just the first 15 or first 16 characters of the PIN or backup file password.

Problem: Automatic key generation is enabled but a key was not generated at the specified time.
Table 8 Informational events (continued)
Event code   Message
9023         MSL Encryption Kit restore has been done.
9030         An invalid MSL Encryption Token was inserted.
9039         Token key creation attempt failed due to media being loaded in one or more drives.

Autoloader and other library event codes

Table 9 Error codes
Error code: E1
Message: Key server token backup not successful — not enough space is available on the token.
Cause: A key server token restore process was attempted but the
Table 10 Warning events and messages (continued)
Code | Message | Cause | Solution
LTO-4 tape drive while encryption is enabled.
Solution: encryption until tape drive has firmware that supports the encryption kit. See “Tape drive and drive firmware requirements” (page 7).
6 Support and other resources

Contacting HP

Before you contact HP
Be sure to have the following information available before you contact HP:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

HP contact information
For worldwide technical support information, see the HP support website: http://www.hp.
• http://www.hp.com/support/downloads
• http://www.hp.com/support/mslg3stree — Troubleshooting tree
• http://www.hp.com/go/tapetools — HP Library and Tape Tools

Document conventions and symbols

Table 11 Document conventions
Convention                               Element
Blue text: Table 11 (page 50)            Cross-reference links and e-mail addresses
Blue, underlined text: http://www.hp.
Index

A
automatic key generation, 14

B
backing up the token data, 34
backup process, token data, 14

C
conventions, document, 50
conventions, text symbols, 50
current key, 9
customer self repair, 50

D
disaster recovery, 41
document conventions, 50

L
logical libraries, 41

P
PIN, 16
PIN, changing, 31
PIN, entering, 30
PIN, power cycle, 31
power loss, 17

R
related documentation, 49
restoring encrypted data, 38
restoring the encryption configuration, 41
restoring the token data, 36
RMI encryption kit screen, 44
related documentation,