The LTO-4 format has the capability to encrypt/decrypt data within the tape drive hardware. The LTO 4 ultrium backup tape does not require the software based encryption and its inherent performance overheads. The LTO-4 Ultrium Tape Drive allows data to be encrypted following compression maintaining optimum storage efficiency. Through compression, the tape drive hardware-based data encryption also improves the efficient use of available storage capacity. The other methods of encryption leave compression until after the encryption process has taken place, often producing random data that cannot be compressed.
Encryption is a standard part of the Ultrium LTO4 format which requires that all drives must be encryption aware. All LTO 4 tape drives from any vendor will return the appropriate sense codes when presented with an encrypted LTO4 backup cartridge tape. The implementation of the encryption capability is, however, optional and consequently some manufacturer's LTO-4 drives may not have this capability. Where drives have encryption enabled, interchange of encrypted data is made possible by the standard nature of the format specification, regardless of manufacturer.
The Ultrium LTO4 backup tape drive can read the LTO2 format tapes and on other hand, reads and writes LTO3 format tapes. However, encryption is not a supported feature of either the LTO3 or LTO2 tape format or drives. The encryption function of the tape drive is controlled by two new SCSI commands that are approved by the SCSI T10 standards committee, Security Protocol In (SPIN) and Security Protocol Out (SPOUT). SPOUT is used to enable encryption and sets the key, while SPIN is used to obtain the encryption status of the drive.
The Ultrium LTO 4 Tape Drive encryption standard is AES Galois Counter Mode with a 256-bit key. This is a secret key (or symmetric) algorithm, requiring the same key encrypt and decrypt data. To maintain security the key is not transferred to the tape cartridge under any circumstances and is only retained by the drive while power is retained, otherwise a new key is selected. Keys are supplied using the SPOUT SCSI command. Typically, a new key would be provided for a backup session, or for each tape. The key associated data (additional authentication data (ADD), sometimes known as authenticated key-associated data (AKAD) is written in plaintext on the tape and is used by software applications or key management appliances as a reference to the required key. This enables a backup and recovery application to reference the correct key for the tape to be read. While reading encrypted data, the correct key must be supplied or a check condition is returned and the subsequent status indicates that either the wrong key has been supplied or to notify the user that the data on tape is encrypted (for example, if decrypt has not been selected).
|
