
HPE Encryption Kit for HP MSL4048 Library - initial Configuration.

 
vija_rana2001
New Member


Hi Folks 

This is my first query on HPE community. 

We have just installed an HPE StoreEver MSL4048 tape library and done the initial configuration, and tape backups are working fine as expected.

I am configuring the tape encryption token kit for the first time, so I want to make sure I haven't missed anything or configured it wrongly, as this is very crucial and may be dangerous if not configured correctly.

So far I have performed:

1. Plugged Server token key (device) on library - Done

2. Configured PIN to login in security tab on RMI page - Done.

3. Created Token Name - Done

4. Backup token to file - Done

5. Enable encryption on library - Done. 

I have saved the generated file with the .tok extension, as well as the password and PIN.

I want to ask 2 questions:

1. In which scenario will the second USB key token come into the picture? In that case, what configuration do I need to make on this second key, which hasn't been inserted yet?

2. The first key token which I have inserted, do I need to always keep it inserted? Is the key stored on this device permanently?

 

GaneshPrasad
HPE Pro

Re: HPE Encryption Kit for HP MSL4048 Library - initial Configuration.

Dear @vija_rana2001 ,

 

Answering your Questions:

Question 1: The 2nd key is a backup of the first USB. In case the primary USB is lost, the second key can be used.

The 2nd USB should be configured with the backup of the primary, so that it can be used.

 

Question 2: 

Encryption will work only if the USB key is installed on that MSL. If the USB key is removed, the encrypted data on the tapes cannot be read.

Also, the USB kit can be used between multiple MSL libraries as long as the administrator knows the USB password and encryption is enabled on the library.

Also, remember that the USB password is critical.

If you forget that password, then you won't be able to access the encrypted data anymore.

There is no workaround to reset/recover, so if the USB PIN is lost, the entire data is unreadable.


I am an HPE Employee


Barry_Reider
HPE Pro

Re: HPE Encryption Kit for HP MSL4048 Library - initial Configuration.

Hello @vija_rana2001 , The Answer from @GaneshPrasad is correct, but I wanted to add a little clarification.

 

Question 1 - The second USB token is to be used as a backup. You can back up the existing token (as you've done), then restore it to the 2nd token. You can do this on a regular basis (only necessary if you are creating new keys on the token either automatically or manually), or you can just keep the backup in file format and restore it to the backup token only if needed. If you do restore each backup to the backup token, be sure to remove it, and re-insert the original token and unlock it using your token PIN in the RMI.

Question 2 - The encryption key is stored on the token permanently. The token can hold 100 keys. When you initialize a token, one key is created. That key will be used for all read and write operations (when encryption is enabled) until a new key is created (new keys can be created automatically on a schedule, or manually through the RMI). Once a new key is created, it becomes the "current key" and is used for all subsequent write operations. If you attempt to read a tape that was written with the older, previous key, the library will locate that key on the token and be able to decrypt the data. If the token is removed, or the PIN has not been entered to "unlock" the token after it's re-inserted, the library will be unable to access the keys on the token, and will not read or write, but instead return an error retrieving the key.

 

I hope these two answers fully answer your questions, and as @GaneshPrasad wrote, DO NOT lose the token PIN, as without that, your data is not recoverable. There is no way to recover the encrypted data without the key, and no way to access the key on the token without the PIN.

I work for HPE.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
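
The key behaviour described in the replies above, as an added example that is not part of the original thread and is not HPE code: a simplified Python model of a token and a library, showing why a backup taken before a new key is created cannot read tapes written afterwards. The class names, the PIN and the dictionary standing in for the .tok file are assumptions made for illustration.

```python
import secrets

class Token:
    def __init__(self, pin, keys=None):
        self._pin, self.unlocked = pin, False  # PIN needed after every insert
        self.keys = dict(keys or {})           # key id -> key material
        if not self.keys:
            self.new_key()                     # initializing creates one key
        self.current = max(self.keys)

    def new_key(self):                         # newest key is the "current key"
        self.current = len(self.keys) + 1
        self.keys[self.current] = secrets.token_bytes(32)

    def unlock(self, pin):
        self.unlocked = pin == self._pin

    def backup(self):                          # stands in for the .tok file
        return dict(self.keys)

class Library:
    token = None                               # no token inserted yet
    def _key(self, key_id):
        # Token absent, still locked, or missing that key: retrieval fails.
        if (t := self.token) is None or not t.unlocked or key_id not in t.keys:
            raise LookupError(f"error retrieving key {key_id}")
        return t.keys[key_id]

    def write_tape(self):
        self._key(self.token.current)
        return {"key_id": self.token.current}  # tape records which key wrote it

    def can_read(self, tape):
        try:
            return bool(self._key(tape["key_id"]))
        except LookupError:
            return False

def stale_backup_demo(pin="1234"):             # constructed PIN
    lib = Library()
    lib.token = primary = Token(pin)
    locked = lib.can_read({"key_id": 1})       # inserted, PIN not entered yet
    primary.unlock(pin)
    old_tape = lib.write_tape()                # written with key 1
    tok_file = primary.backup()                # backup taken before rotation
    primary.new_key()
    new_tape = lib.write_tape()                # written with key 2
    both = lib.can_read(old_tape) and lib.can_read(new_tape)
    lib.token = Token(pin, tok_file)           # stale backup on the 2nd token
    lib.token.unlock(pin)
    return locked, both, lib.can_read(old_tape), lib.can_read(new_tape)
```

`stale_backup_demo()` returns, in order: whether a tape is readable before the PIN is entered, whether the primary token reads both tapes after rotation, and whether the token restored from the older backup reads the old and the new tape.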