Spectra logic Spectra bluescale vision User manual

BlueScale™Encryption

User Guide

PN 90940012 Revision E

Notices

Unless specifically negotiated and except as expressly stated herein, Spectra Logic Corporation makes available its products and

associated documentation on an “AS IS” BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUD-

ING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, BOTH OF

WHICH ARE EXPRESSLY DISCLAIMED. In no event shall Spectra Logic be liable for any loss of profits, loss of business, loss of use

or data, interruption of business, or for indirect, special, incidental or consequential damages of any kind, even if Spectra Logic

has been advised of the possibility of such damages arising from any defect or error.

Information furnished in this manual is believed to be accurate and reliable. However, no responsibility is assumed by Spectra

Logic for its use. Due to continuing research and development, Spectra Logic may revise this publication from time to time with-

out notice, and reserves the right to change any product specification at any time without notice.

If you do not agree to the above, do not use the Spectra library; instead, promptly contact Spectra Logic for instructions on how to

return the library for a refund.

License

You have acquired a Spectra library that includes software owned or licensed by Spectra Logic from one or more software

licensors (“Software Suppliers”). Such software products, as well as associated media, printed materials and “online” or

electronic documentation (“SOFTWARE”) are protected by copyright laws and international copyright treaties, as well as other

intellectual property laws and treaties.

If you do not agree to this end user license agreement (EULA) or to the terms and conditions under Notices above, do not use

the Spectra library; instead, promptly contact Spectra Logic for instructions on return of the Spectra library for a refund. Any

use of the Software, including but not limited to use on the Spectra library, will constitute your agreement to this EULA (or

ratification of any previous consent).

Grant of License. The Software is licensed on a non-exclusive basis, not sold. This EULA grants you the following rights to the

Software:

• You may use the Software only on the Spectra library.

•Not Fault Tolerant. The Software is not fault tolerant. Spectra Logic has independently determined how to use the Software in

the Spectra library, and suppliers have relied upon Spectra Logic to conduct sufficient testing to determine that the Software

is suitable for such use.

•No Warranties for the SOFTWARE. The Software is provided “AS IS” and with all faults. The entire risk as to satisfactory qual-

ity, performance, accuracy, and effort (including lack of negligence) is with you. Also, there is no warranty against interference

with your enjoyment of the Software or against infringement. If you have received any warranties regarding the SOFTWARE,

those warranties do not originate from, and are not binding on Software suppliers.

•Note on Java Support. The Software may contain support for programs written in Java. Java technology is not fault tolerant and

is not designed, manufactured, or intended for use of resale as online control equipment in hazardous environments requiring

fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communications systems, air traffic

control, direct life support machines, or weapons systems, in which the failure of Java technology could lead directly to death,

personal injury, or severe physical or environmental damage.

•No Liability for Certain Damages. Except as prohibited by law, Software suppliers shall have no liability for any indirect, spe-

cial, consequential or incidental damages arising from or in connection with the use or performance of the Software. This limi-

tation shall apply even if any remedy fails of its essential purpose. In no event shall Software suppliers, individually, be liable

for any amount in excess of U.S. two hundred fifty dollars (U.S. $250.00).

•Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disas-

semble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding

this limitation.

•Software Transfer Allowed with Restrictions. You may permanently transfer rights under this EULA only as part of a perma-

nent sale or transfer of the Spectra library, and only if the recipient agrees to this EULA. If the Software is an upgrade, any

transfer must also include all prior versions of the Software.

•Export Restrictions. Export of the Software from the United States is regulated by the Export Administration Regulations (EAR,

15 CFR 730-744) of the U.S. Commerce Department, Bureau of Export Administration. You agree to comply with the EAR in the

export or re-export of the Software: (i) to any country to which the U.S. has embargoed or restricted the export of goods or

services, or to any national or any such country, wherever located, who intends to transit or transport the Software back to

such country; (ii) to any person or entity who you know or have reason to know will utilize the Software or portion thereof in

the design, development or production of nuclear, chemical, or biological weapons; or (iii) to any person or entity who has

been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government. You warrant and

represent that neither the BXA nor any other U.S. federal agency has suspended, revoked or denied your export privileges. For

additional information see http://www.microsoft.com/exporting/.

Contents

Chapter 1. Introduction

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Shipped Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

BlueScale Encryption Overview

Chapter 2. Encryption Architecture & Strategies

BlueScale Encryption Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Site-Specific Decisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Site Security Example: Low Security Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Site Security Example: Medium Security Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Site Security Example: High Security Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Before You Begin Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Summary: Mandatory Security Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Spectra T950 and T120 BlueScale Encryption

Chapter 3. Installing and Activating Encryption in Spectra T950 and T120 Libraries

Installing Encryption: Upgrading Your Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Activating Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Chapter 4. Using Standard Edition in Spectra T950 and T120 Libraries

Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Configuring Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Creating an Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Assigning a Key to a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Protecting Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Deleting a Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Chapter 5. Using Professional Edition in Spectra T950 and T120 Libraries

Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Professional Edition Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Configuring Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Creating an Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Assigning a Key to a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Protecting Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Deleting a Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Chapter 6. Recycling Encrypted LTO-4 Media in Spectra T950 and T120 Libraries

Recycling Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Spectra T50

BlueScale Encryption

Chapter 7. Installing and Activating Encryption in Spectra T50 Libraries

Installing Encryption: Upgrading Your Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Activating Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Encryption Icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

BlueScale Encryption Editions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Data to Encrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Media Recycling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Chapter 8. Using Standard Edition in Spectra T50 Libraries

Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Recycling Encrypted Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Chapter 9. Using Professional Edition in Spectra T50 Libraries

Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Professional Edition Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Configuring Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Creating an Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Assigning a Key to a Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Chapter 10. Recycling Encrypted Media in Spectra T50 Libraries

Recycling Encrypted Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

EDU

and

BlueScale Encryption Support

Chapter 11. Endura Decryption Utility

Endura Decryption Utility Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Decrypting Data: EDU Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Using EDU to Decrypt Data: One Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Using EDU to Decrypt Data: Two Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Chapter 12. Technical Support & Spectra Logic Contact Information

BlueScale Encryption Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Contacting Spectra Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

Index 132

1 Introduction

About This Guide

This guide contains information about BlueScale Encryption for Spectra T950, T120, and T50

libraries. This reviews information on the configuration and use of encryption. Note that the

encryption procedures for the Spectra T950 and T120 libraries cover both library-based and

drive-based encryption; the Spectra T50 library supports drive-based encryption only.

The guide has been divided into the following sections:

BlueScale Encryption Overview on page 10 reviews both encryption best practices and

information on using BlueScale Encryption and key management on your site, and

includes a short glossary.

Spectra T950 and T120 BlueScale Encryption on page 26 reviews using Spectra T950/T120

BlueScale Encryption and key management.

Spectra T50 BlueScale Encryption on page 71 reviews using Spectra T50 BlueScale

Encryption and key management.

EDU and BlueScale Encryption Support on page 123 reviews an optional utility that lets

you recover data without a library; this section also provides support information.

Intended Audience

This guide assumes that you are familiar with data backup and data protection strategies.

1. Introduction

Related Publications

This guide outlines the configuration and use of BlueScale Encryption software in your

Spectra library.

For detailed information on the configuration and use of the library itself, see the Spectra

Logic publications specific to your library.

• The library’s user guide describes the configuration and use of the library, including

specifications and troubleshooting information.

•Thelibrary’s release notes provide the most up-to-date information about the library,

drives, and media.

The most up-to-date versions of all library documentation are available on Spectra Logic’s

Web site at www.SpectraLogic.com.

Conventions Used in this Guide

Important information is called out as follows:

Note: Provides additional points or suggestions.

Caution: Provides information about how to avoid damage to equipment.

Warning: Describes ways to avoid personal injury.

A caret (>) describes a series of menu selections. For example:

Select Configuration > Network

means

Select Configuration, then select Network.

1. Introduction

Shipped Items

The following items are included with the purchase of BlueScale Encryption:

• One encryption activation key

• One software support agreement

•Thisuserguide

•Onet-shirt

If you ordered the Endura®Decryption Utility (EDU), you also receive one EDU CD.

BlueScale Encryption

Overview

2 Encryption Architecture & Strategies

BlueScale Encryption Overview

BlueScale Encryption is tightly integrated into your Spectra library. Encryption can be handled

through the library’s encryption-enabled Quad Interface Processors (QIPs), if any are in use,

and through LTO-4 drives working with LTO-4 media. BlueScale encryption key management is

provided through the library’s graphical interface.

If a single library has encryption-ready QIPs and LTO-4 drives installed, both can be used for

encryption. Set up an encryption-enabled partition for each.

The system is based on two major components:

• The encryption chip on the QIP or LTO-4 drive. By implementing encryption in both types

of hardware, the encryption is extremely fast and places no burden on your network.

• Key management software through the library’s graphical interface. The interface displays

using the library’s touch-screen front panel Library Controller (LC). It also displays from

anywhere through the Web, using a Web browser to display the Remote Library Controller

(RLC). Optionally, you can secure the Web browser using SSL, which is part of the

Telescope suite of management tools.

Together, these components let you easily implement the strongest encryption available, as

recognized by the federal government: AES encryption using a 256-bit key. BlueScale

Encryption incorporates multiple layers of security, some of which are discussed in this

chapter. Others are technically implemented and invisible to the user.

Site-Specific Decisions

To determine a BlueScale Encryption strategy appropriate for your site and your data, decide

on the security level appropriate for your site, and the amount and kinds of data to encrypt.

Then you can make some choices about how best to implement BlueScale Encryption.

2. Encryption Architecture & Strategies

BlueScale Encryption: Standard Edition vs. Professional Edition

All data encrypted using BlueScale Encryption and Key Management—Standard and

Professional Editions, and LTO-4 drive-based encryption—is secured by the strongest

available encryption method, AES-256. Through BlueScale Encryption and Key Management,

you have additional choices in defining the level of security you can implement in your data

center. Whether to implement BlueScale Standard Edition or Professional Edition is your first

choice.

Feature Standard Edition Professional Edition

Keys - Single encryption key on a library

at a time

- Easier to manage and track

- Multiple simultaneous encryption keys

(maximum is 30 keys)

- More secure, with a key for each of multiple data

sets

Encryption Login

Passwords

- Single encryption password

- Easier to manage and track

- Choice of either one encryption password or three

- More secure, with the option of requiring multiple

users to export and import keys, etc.

Key Export and

Import

- Import and export functions

require a single password

- Easier to manage

- Choice of single password or M-of-N shares with

multiple passwords to export/import keys

- More secure

Compression a

a. If you are using drive-based encryption, compression is handled through the drive. Further references to compression in this

manual apply to library-based, not drive-based, encryption.

- Not available for QIP-based

encryption

- Available for QIP-based encryption

Compatibility

between

Versions

- Data encrypted using either version can be decrypted by a library running the other

version.

- Data encrypted and compressed by a library using LTO-4 drives, Professional Edition, or

both, can be decrypted and decompressed by a library running Standard Edition.

Summary - Less secure, but less to manage - Fewer tapes through compression

- More secure, but more to manage

2. Encryption Architecture & Strategies

BlueScale Standard Edition

For sites with a primary goal of securing data while it is transported to a remote site and

stored there, or only for data that will be stored for a long period of time, BlueScale Standard

Edition works well.

For information about configuring and using BlueScale Encryption Standard Edition, see

Chapter 4. Using Standard Edition in Spectra T950 and T120 Libraries on page 30.

BlueScale Professional Edition

For sites that want to implement compression along with greater flexibility and security, to

protect data wherever it’s stored and regardless of the retention period, BlueScale Encryption

Professional Edition works well.

For information about configuring and using BlueScale Professional Edition, see Chapter 5.

Using Professional Edition in Spectra T950 and T120 Libraries on page 45.

Security on Initialization

Both editions of BlueScale Encryption give you security options at library startup. Choose

whether to start the library:

• In standard mode, so that at library startup, data is encrypted with no further action

required.

• In secure initialization mode, so that at startup, drives are not automatically enabled;

encryption is only available and backups only run after a superuser has logged in and the

encryption password is entered.

2. Encryption Architecture & Strategies

Multiple Encryption Password Support

The Standard Edition of BlueScale Encryption supports one encryption password.

The Professional Edition of BlueScale Encryption lets you choose whether to support one

encryption password, or three encryption passwords that enforce another level of security. If

you choose to implement the triple-password option, then:

• Three different passwords must be entered when configuring encryption.

• Any one of the three passwords must be entered to enable encryption when the library is

in Secure Initialization mode.

• Any one of the three passwords must be entered to access encryption key management

and configuration options, excluding key import and export.

• Two of the three passwords must be entered to import and export keys.

Data to Encrypt

Decide whether to encrypt all data or a subset; then determine if the encrypted data can be

grouped together or if it must be isolated into sets. For example, your site may store financial

data as one set, separate from consumer identity information.

If all data can be encrypted together, the library requires only a single, encryption-enabled

partition. Otherwise, create multiple encryption-enabled partitions, one for each set of data,

and one or more partitions for data that is not to be encrypted.

Users with Professional Edition typically set up multiple partitions, each with its own key. For

example, if you are encrypting all your data, you only need one partition. If you are encrypting

only some of your data, create a partition dedicated to encryption along with a non-encryption

partition. If you want to keep your encrypted data sets isolated, create an encryption-enabled

partition for each encrypted data set, along with non-encryption partitions as needed.

Note: Implementing encryption after the library has been configured to

handle encryption simply requires creating backup jobs with your

backup software, which sends data to the proper partitions. Data is

automatically encrypted as it is backed up.

2. Encryption Architecture & Strategies

Encryption Methods

Choose how to encrypt data. You can use encryption-enabled QIPs, LTO-4 drives, or both to

encrypt data. With QIPs, the library handles encryption, and can encrypt data written to any

tape type (such as LTO-3 and SAIT). With LTO-4 drives, the drive handles encryption, and

encrypts data written to LTO-4 tapes.

Note: If a partition uses LTO-4 drive-based encryption, the library can load

LTO-3 media into that partition. However, attempts to write to LTO-3

media fail. Note that LTO-4 drives can successfully read data on LTO-3

tapes.

Further, if an encryption-enabled QIP and a Fibre Channel LTO-4 drive share a partition, you

can only encrypt data using the LTO-4 drive.

To decrypt data encrypted using a QIP, use a partition with QIP-based encryption. To decrypt

data encrypted using an LTO-4 drive, use a partition with drive-based encryption.

Only one encryption key is allowed per LTO-4 tape. Once you stop using that key, you can no

longer directly encrypt data to any LTO-4 tape that stores data encrypted using the old key. To

write encrypted data using a different key, you must first recycle the tape. Recycling media is

easily managed through BlueScale Encryption Key Management.

LTO-4 Media Recycling

LTO-4 tapes can store only data encrypted using a single key. If you have an LTO-4 tape storing

data encrypted using a different key, or encrypted using a QIP, you have to recycle the tape

before you can re-use it in an encryption-enabled LTO-4 drive.For more information about

recycling media using a T950 or T120 library, refer to Chapter 6. Recycling Encrypted LTO-4

Media in Spectra T950 and T120 Libraries on page 68. For more information about recycling

media using a T50, refer to Chapter 10. Recycling Encrypted Media in Spectra T50 Libraries on

page 119.

2. Encryption Architecture & Strategies

Best Practices

To effectively use BlueScale Encryption and to ensure data security, plan an encryption

strategy and back it up with processes and best practices. Once you’ve implemented

BlueScale Encryption, which always uses the strongest keys (AES-256), build custom

strategies based on your security requirements. As stated in the NIST publication

Recommendation for Key Management1:

“Ultimately, the security of information protected by cryptography directly depends on [...]

the effectiveness of [...] protocols associated with keys, and the protection afforded the

keys.”

Sound key management policies and procedures and appropriate staff are essential to

successful encryption.

People

Identify the people on your site who are responsible for backing up data. They will be

responsible for encrypting data written to tape and to other portable media, such as mobile

RXT®Media packs. Identify:

• The person to have superuser privileges on the Spectra Logic library with BlueScale

Encryption.

• The person to have the library’s encryption password.

Next, identify how many users are to have responsibilities that involve encryption. It may be

wise to have more than a single user familiar with passwords, depending on the size of your

organization, so that if one person is not available, another can take over. Make sure only the

authorized users know the encryption passwords, and that the passwords themselves are

secure. Refer to Passwords and Other Identifiers on page 19 for more information on setting

up passwords and monikers.

1. Barker, Elaine, W. Barker, W. Burr, W. Polk, and M. Smid. Recommendation for Key Management Part 1:

General. NIST Publication 800-57, 2005, p. 25

2. Encryption Architecture & Strategies

Processes

On an organizational level, you need to identify the level of security your site requires, and the

data to be encrypted—for example, you may choose to encrypt all data, or any combination of

financial, identity-related information, and strategic data.

Consider the following when establishing your encryption procedure:

• Determine the level of security to use at startup. Both editions of BlueScale encryption

permit a standard mode and a secure initialization mode, described in Security on

Initialization on page 13.

• Identify any data sets that must be isolated from other encrypted data sets, described in

Data to Encrypt on page 14.

• Identify when to make copies of encryption keys. AES-256 encryption, a symmetric

encryption method, is a private key method. Users must track each key, which BlueScale

Encryption identifies only by a nickname, or moniker. The key itself is never displayed,

and is encrypted prior to export. Best practices dictate that you make copies of the key

immediately following the key’s creation.

• Identify the number of copies to make of each key, and note the location of each key copy.

Consider storing multiple copies of keys, that you then track carefully, storing the copies

away from the data encrypted using those keys. It is important to make sure that at least

one copy of each key is secure and readable (that is, uncorrupted), to make sure you can

restore your data. This is important in that keys, once deleted, are not recoverable—and

once the key is gone, the data is inaccessible; this is typically considered deleted for legal

and practical purposes.

• Identify the key rotation plan—how often to create and use new keys. BlueScale

Encryption Standard Edition stores one key on the library at a time. Professional Edition

permits multiple keys per library, with a one key per encryption-enabled partition. In

Standard Edition, you must delete the key currently on the library before you can create

another key.

• Before you delete a key, make sure that at least one copy has been exported and stored

securely.

2. Encryption Architecture & Strategies

• Identify methods of tracking user passwords, key passwords and monikers. If the data is

stored on a computer, make sure it is stored on a computer that enforces encryption and is

not available on a network.

• Optionally, identify a primary and secondary team, so that you have redundancy in your

encryption strategy. Although that means the information required to decrypt data is

spread across more people, it also means that restoration of encrypted data may be much

easier, and you may ultimately have more data protection given the extra layer of

coverage; for example, if a user leaves, you aren’t in a position to lose data. This returns to

your initial decisions on how tightly and in what manner to enforce security for your site.

• Run drills confirming that your data is being encrypted properly, that keys are stored

properly, and that you can recover your data efficiently. Make sure that these drills are

included with your overall organizational security strategy.

• Create procedures to handle encrypted data that has been, or may have been,

compromised. For example, you may want to take all data and decrypt it, then re-encrypt it

and store it in an alternate location. You will also need to investigate the incident

involving compromised data, and take appropriate actions if identity-related data may

have been exposed.

• Archive the Endura Decryption Utility (EDU) for emergency use, such as to recover from a

disaster. Use this utility if you have no Spectra Logic libraries on hand but need to decrypt

and write data, which you can then restore using backup software.

• If you are using Professional Edition and multiple keys, make sure that data stored to one

tape shares a common expiration date or period (e.g., fourth quarter), regardless of the

number of keys used to encrypt data written to the tape. This simplifies tape management

and re-use.

• If you are using Professional Edition, make sure that critically important data is stored

using a single key on its own tape, to simplify restoration in case of disaster recovery and

to achieve business continuity goals.

• If you are using Professional Edition, you may want to take advantage of the M-of-N

shares option. This lets you select the M-of-N (such as 2 of 3) option to split a single file of

encrypted key data into multiple parts, or shares (N, which in this example is 3), and then

requires some specified subset (M, which in this example is 2) to import the file containing

key data. This further protects data from unauthorized use.

2. Encryption Architecture & Strategies

Passwords and Other Identifiers

BlueScale Encryption requires that you supply passwords and monikers (key names). Your

site may want to consider whether specific rules govern these.

Superuser Login/Encryption Passwords Passwords are standard user security that restrict

access. Spectra Logic BlueScale Encryption requires that a superuser is logged in, then an

encryption password is supplied. A Professional Edition feature lets you optionally require

two of three different encryption passwords to be entered. The passwords involved with all

editions of BlueScale Encryption are:

• Superuser Password: Lets you access all administrative privileges except encryption

privileges. To access encryption features, the superuser must be logged in prior to

entering the encryption password.

• Encryption Password: Lets you access encryption features. This password must be

entered after the superuser login; then you can select Security --> Encryption to display

the encryption password screen.

• Import/Export Key Password: Lets you import and export encryption keys. This feature is

only available after the superuser has logged in and the encryption password has been

entered. Optionally, in Professional Edition, you can require two different passwords prior

to importing and exporting keys.

Password(s) for Key Import and Export Passwords are also used to encrypt keys for export.

Your site may consider whether to create different rules for these passwords, such as

requiring that these passwords are longer than the encryption access password(s), and

therefore more secure.

Monikers Your site may want to create rules governing naming conventions for key

monikers, an alphanumeric identifier used to refer to the never-revealed true key value, which

is a 256-bit key.

Password and Naming Standards Examples Create password and naming standards, in part

again depending on your site’s security requirements. For example, your site may require a

high level of security for access to encryption partitions, in which case you need to require

some combination of the following:

• A long password

• A combination that requires alphabetic and numeric characters

• No password that corresponds to a dictionary entry

• Passwords to be reset at predefined schedules

2. Encryption Architecture & Strategies

Site Security Example: Low Security Site

Description of organization: Small company with 75 employees.

Security

Considerations

Security goals Protecting company from legal liability associated with unauthorized access to data

stored on tape, both onsite and offsite, including transport to the offsite location.

Encryption principals IT administrator, company president, corporate legal counsel.

Data to encrypt Financial and consumer identity data.

Level of security to

implement

BlueScale Standard Edition: single key per library is sufficient.

Standard initialization mode: encryption partitions are enabled at all times.

Data sets requiring

isolation

None. A single partition for encrypted data is sufficient.

Key escrow method Staff at company will escrow keys at a site remote from the data storage location.

Copies of each key to

store and their locations

Keep three copies of each key: one with the senior IT administrator, one with the

company president, one in a corporate safety deposit box.

Key rotation plan Create a new key every six months.

Tracking key monikers

and passwords

On a non-networked computer that supports encryption, create one or more charts

or lists with this data, including key moniker, dates used, encryption and superuser

passwords, and password used to encrypt exported key. (Because BlueScale

prompts for the required encryption key moniker when restoring encrypted data,

this company chose not to track monikers and their relationship to media.)

Multiple encryption

teams (optional)

Deemed unnecessary given the users already identified as those responsible for

encryption.

Schedule and run drills Formalized approach deemed unnecessary. Instead, incorporate review of data

decryption into standard six-month check to make sure that backups and restores

are working properly. This now includes a test involving data decryption.

Passwords • Password to access encryption features: minimum of 12 characters,

including at least one number and one letter

• Password to export and import encryption keys: minimum of 30 characters,

including at least one number and one letter

This manual suits for next models

Table of contents

Other Spectra Logic Recording Equipment manuals

Spectra Logic

Spectra Logic T-Series Spectra T120 Instruction Manual

Popular Recording Equipment manuals by other brands

future.retro

future.retro ORB Operation manual

1010music

1010music fxbox quick start guide

Lamarche

Lamarche 21Q instructions

One Remote

One Remote 2415 quick start guide

Abus

Abus AZWG10001 Installation and operating instructions

ICON

ICON I-stage owner's manual

SimCom

SimCom SIM800H Hardware Design Guide

Konan Labs

Konan Labs KSP-M61FS instruction manual

Pro-face

Pro-face GP-2401T user manual

ECU Master

ECU Master USBtoCAN manual

USASPEC

USASPEC PA11-VW owner's manual

digi-tech

digi-tech S100 user guide

red lion

red lion GRAPHITE G12C0000 installation guide

Data Video

Data Video AD-100 instruction manual

BOSSCO

BOSSCO BR-1600CD Basic operation gude

Pro-face

Pro-face ST3200 Series installation guide

Clear-Com

Clear-Com LQ series quick start guide

Caraudio-Systems

Caraudio-Systems c.LOGiC lite C1-MFD3 manual

Spectra Logic Spectra BlueScale Vision User manual

Popular Recording Equipment manuals by other brands