HP AG321A Uživatelský manuál Strana 1

HP 1/8 G2 and MSL Encryption KitUser GuideAbstractThis guide provides information about developing encryption key management processes, configuring th

Figure 5 MSL6480 Status > Security screen showing the keys on the token and their dates of creation10 Features and overview

Figure 6 Autoloader and other libraries RMI Status > Security screen showing the Current key andkey creation datesThe token can hold up to 100 keys

The Yellow token has been initialized with a name “Yellow” but does not have any keys.Yellow tokenThe Green token has current key F, with decryption k

two tokens with the same current key is to restore a backup onto a token that does not have anykeys, as in Scenario 1.Blue token (after restore)FED =

2 Creating your key management processesThe encryption kit provides encryption key generation and secure storage of the keys, and isintended to be use

data at a different location. If the second token contains a backup of the first token's data, it shouldbe stored in a secure location, such as a

Managing the token password (PIN)The token password, called a PIN, protects access to the data on the key server token.IMPORTANT: The PIN is required

Maintaining encryption capability in the event of a power lossFor increased security, the key server token's PIN is stored in volatile memory in

3 Installing and configuring the encryption kitIdentifying product componentsVerify that you received all of the product components.Figure 7 Encryptio

Figure 8 RMI Configuration > Security tabYou can download autoloader or library firmware files from the HP Support website at http >//www.hp.com

© Copyright 2010, 2014 Hewlett-Packard Development Company, L.P.Confidential computer software. Valid license from HP required for possession, use or

information about creating your encryption key management processes. HP recommends that youtrack at least:• Token name• Whether this token is a backup

Insert the key server tokenInsert the key server token in the USB port on the back panel of the library base module.Figure 11 Inserting the key server

NOTE: This option is only selectable when a token is inserted in the rear USB port of thebase module. Click Refresh to update the displayed key manage

Figure 13 Key Management area8. Optional: Enable and configure automatic key generation. When automatic key generationis enabled, the library will aut

NOTE: The library uses the same write encryption key (the Current key) for all partitions withencryption enabled. If the library is writing an encrypt

3. Navigate to the Configuration > Encryption > USB — MSL Encryption Kit screen.4. In the Restore Token Backup from File pane, enter the Token R

Figure 15 Inserting the key server tokenEnter the PINWhen a key server token is inserted for the first time in any autoloader or library, the autoload

1. Click the Encryption enabled box to enable encryption for the autoloader or library, or forone or more logical libraries that contain an LTO-4 or l

NOTE: The autoloader or library uses the same write encryption key (the Current key) for alllogical libraries with encryption enabled. If the autoload

3. Navigate to the Configuration > Security screen.4. In the Restore Token Backup from File pane, enter the Token Restore File Password. (The Token

Contents1 Features and overview...5Considerations for using the encryptio

4 Using the encryption kitYou can access encryption kit features from the RMI. Accessing the RMI encryption kit configurationscreen requires a passwor

NOTE: After the RMI session ends, the PIN will still be available to the autoloader or library toaccess the keys on the token for writing and reading

Figure 23 MSL6480 — Changing the PIN in the encryption kit configuration screenFigure 24 Autoloader and other libraries — Changing the PIN in the encr

Figure 25 MSL6480 — Generating a new encryption key in the encryption kit configuration screenTo generate a new encryption key, click Apply in the Key

Figure 27 MSL6480 — Enabling encryption in the encryption kit configuration screenClick Enable to enable encryption for the partition. Click Disable t

Figure 29 MSL6480 — Backing up the token data from the encryption kit configuration screenFigure 30 Autoloader and other libraries — Backing up the to

TIP: If you want two tokens to both have all of the keys, perform the backup and restore procedurestwice, starting each time with a different token. E

Figure 31 MSL6480 — Restoring the token data from the Restore Token from File area of theencryption kit configuration screenFigure 32 Autoloader and o

1. If you are restoring the token backup file to a different token than the one installed in theautoloader or library, pause all write operations to L

Combining keys from multiple key server tokensYou may want to combine the encryption keys from two or more key servers to read tapes encryptedin multi

Restoring encrypted data during disaster recovery...41Using the encryption kit wit

6. For each of the token backup files created from the other tokens:a. Enter the password used to create the token backup file.Click Submit Token Rest

9. Insert the new token into the USB port of the autoloader or library.10. Follow the RMI instructions to create a PIN for the new token.11. Enter the

Use the RMI screen for your device to save the configuration database to a file or restore it froma file. You will need the administrator user passwor

5 TroubleshootingInstallation problemsThe library does not have a USB portSome MSL2024 and MSL4048 Tape Libraries have silver tape covering the USB po

Troubleshooting tableYou can access encryption kit features from the RMI. Accessing the RMI encryption kit screenrequires a password.Table 5 RMI encry

Table 6 Troubleshooting table (continued)SolutionCauseProblemwriting new or formatted tapes with thewrong write key.Find the correct PIN and enter it.

Table 6 Troubleshooting table (continued)SolutionCauseProblemTry entering just the first 15 or first 16characters of the PIN or backup filepassword.So

Table 8 Informational events (continued)MessageEvent codeMSL Encryption Kit restore has been done.9023An invalid MSL Encryption Token was inserted.903

Table 10 Warning events and messages (continued)SolutionCauseMessageCodeencryption until tape drive hasfirmware that supports theLTO-4 tape drive whil

6 Support and other resourcesContacting HPBefore you contact HPBe sure to have the following information available before you contact HP:• Product mod

1 Features and overviewIMPORTANT: The encryption kit provides secure encryption of your data using key server tokensand passwords. A thorough understa

• http://www.hp.com/support/downloads• http://www.hp.com/support/mslg3stree — Troubleshooting tree• http://www.hp.com/go/tapetools — HP Library and Ta

IndexAautomatic key generation, 14Bbacking up the token data, 34backup processtoken data, 14Cconventionsdocument, 50text symbols, 50current key, 9cust

To read encrypted data, you must have a key server token with the key for the tape and thepassword for the key server token. The association between t

Autoloader or library firmware requirementsMSL6480All versions of MSL6480 library firmware support the encryption kit.Autoloader and other librariesTo

The LTO-4 tape drive must have the following or later versions of tape drive firmware:Fibre ChannelSASParallel SCSINot ApplicableU26WW22WUltrium 1760H

Figure 4 Key server token LEDTable 2 Token statusToken statusLED behaviorThe token is ready to be used by the autoloader or library.OnThe token is not