- Community Home
- >
- Storage
- >
- Data Protection and Retention
- >
- StoreEver Tape Storage
- >
- HPE Encryption Kit for HP MSL4048 Library - initia...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-11-2019 01:37 PM
03-11-2019 01:37 PM
HPE Encryption Kit for HP MSL4048 Library - initial Configuration.
Hi Folks
This is my first query on HPE community.
We just have installed HPE StoreEver MSL4048 tape library, done initial configuration and tape backups are working fine as expected.
Configuring tape encryption token kit first time so wan't to make sure if I havn't missed anything or not configured it wrongly as this very crucial and may be dangerous if not configured correctly.
So far I have perfromed :
1. Plugged Server token key (device) on library - Done
2. Configured PIN to login in security tab on RMI page - Done.
3. Created Token Name - Done
4. Backup token to file - Done
5. Enable encryption on library - Done.
I have saved a file generated with extension .tok and password, PIN as well.
I want to 2 question:
1. In which scenario, second USB key token will come in picture. In that case, what configuration I need to make on this second key which hasn't been inserted yet.
2. The first key token which I have inserted, do I need always keep this inserted ? Is the key restored on this device permanently ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-16-2019 08:00 AM - last edited on 03-18-2019 03:28 AM by Parvez_Admin
03-16-2019 08:00 AM - last edited on 03-18-2019 03:28 AM by Parvez_Admin
Re: HPE Encryption Kit for HP MSL4048 Library - initial Configuration.
Dear @vija_rana2001 ,
Answering your Questions:
Question 1: 2nd key is a backup of the first USB. incase the primary USB is lost, the second key can be used.
The 2nd USB should be configured with the backup of the primary, so that it can be used
Question 2:
Encryption will work only if the USB key is installed on that MSL. If the USB key is removed, the encrypted data in the tapes cannot be read
Also, USB kit can be used between multiple MSL libraries as long as the administrator knows USB password and encryption is enabled on library.
Also, remember that the USB password is critical
if you forget that password, then you wont be able to access the Encrypted data anymore
there is no workaround to reset/recover so if the USB pin is lost, entire data is unreadable
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-22-2019 09:00 AM
03-22-2019 09:00 AM
Re: HPE Encryption Kit for HP MSL4048 Library - initial Configuration.
Hello @vija_rana2001 , The Answer from @GaneshPrasad is correct, but I wanted to add a little clarification.
Question 1 - the second USB token is to be used as a backup. You can backup the existing token (as you've done), then restore it to the 2nd token. You can do this on a regular basis (only necessary if you are creating new keys on the token either automatically or manually), or you can just keep the backup in file format and restore it to the backup token only if needed. If you do restore each backup to the backup token, be sure to remove it, and re-insert the original token and unlock it using your token PIN in the RMI.
Question 2 - The encryption key is stored on the token permanently. The token can hold 100 keys. When you initialize a token, one key is created. That key will be used for all read and write operations (when encryption is enabled) until a new key is created (new keys can be automatically created on a schedule, or manual through the RMI). Once a new key is created, it becomes the "current key" and is used for all subsequent write operations. If you attempt to read a tape that was written with the older previous key, the library will locate that key on the token, and be able to decrypt the data. If the token is removed - or the PIN has not been entered to "unlock" the token after it's re-inserted, the library will be unable to access the keys on the token, and will not read or write, but instead return an error retrieving the key.
I hope these two answers fully answer your questions, and as @GaneshPrasad wrote, DO NOT lose the token PIN, as without that, your data is not recoverable. There is no way to recover the encrypted data without the key, and no way to access the key on the token without the PIN.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]