
Re: Encryption Key

 
IngramS
Occasional Contributor

Encryption Key

If there are multiple keys stored on a single encryption token, how do you choose which key is considered to be the "current" and active key?

thomasr
Respected Contributor

Re: Encryption Key

If you're talking about the MSL Encryption Kit, the library will automatically cycle through the keys until it finds the right one.   I know it sounds kludgey, but it works, and there's no appreciable delay.


The bigger challenge will be if, for instance, you generate a new key quite frequently so that you fill up your tokens and have a box of 'em to go through. Label your Key Server Tokens, and document which tokens were used in which time period on which library so that you won't have trial and error of the token itself. This won't even be an issue for most people though; if you change keys once a month, that's 8 years' worth of keys on one token. Even changing once a week is almost two years of keys on one token... but label them anyway, and make sure you're backing up your keys *every* time a new key is generated. Back up from one key to the other, and (my recommendation) also to an encrypted file on a flash memory stick or archival quality CD/DVD media.

--
Liberty breeds responsibility; Government breeds dependence
IngramS
Occasional Contributor

Re: Encryption Key

That's an excellent response, thank you. The reason for my question is that I have five separate MSL libraries, each with their own tokens and unique security keys. All of the tapes from the libraries are rotated through the same off-site storage location where I have another MSL library - the theory being that this will be my disaster recovery site. What I was hoping to do was store a single token at this site that could read and restore data from all of my tapes, no matter which library originally wrote the data. Will this work, or do I need to keep the original backup tokens from all five encryption kits at the disaster recovery site?

thomasr
Respected Contributor

Re: Encryption Key

This is an interesting problem in a mathematical sort of way.

 

1) Neither the key nor the token is tied to the library; if you have the correct key on any token, and the token is in the library, then you'll be able to decrypt tapes written with that key (assuming, of course, that you have both the token password and the library administrator password).

 

2) The question then becomes, "How do I get maximum use out of all my tokens?"   Each token can store up to 100 keys.  The keys are not deletable from the token.   So if you have five libraries at the data center each generating a new key each month, and one library at the disaster recovery center, you could conceivably store 20 keys from each of the five DC libraries on the DR site, and have the DR site token filled up.   That's good for a year and a half.   The challenge now is continuing -- if you kept using the five DC tokens, they'd get a 21st and 22nd key, but then you wouldn't be able to put the five sets of keys on the single token in the DR center.

 

So that's not optimal.

 

I've been trying to figure out a good way to do some sort of rotation of tokens, but I think it's going to be a challenge to do that well. I will recommend you study the user's guide at http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02074323/c02074323.pdf, particularly pages 12-18, to see how the tokens use the concept of "current key", and understand that the current key is the one used for all new tape writes (reads will use the appropriate stored key, and writes to tapes that used a previous key will continue to use the original key for future writes).

 

I'm not sure that this is what you wanted, but -- if the environment is such that the DR library is used truly for DR, that is, rarely, then it may well be enough to have a pair of empty key server tokens in the DR site, and every time a new key is generated in the DC, back up to that local library's backup token, AND send the encrypted key backup file to the DR site, where it will be kept safely against the possibility of a restore.


When you do actually have to recover files from an encrypted tape, you can restore the appropriate backup key file to one of the blank tokens in a minute or so, and be on your way.   This avoids having the keys stored on three tokens needlessly, and gets maximum use out of each of your tokens.   I suppose that for the 'worst case', that you have to restore data from all libraries in a short period of time, you need to make sure you have enough blank tokens at the DR site to hold the entire key store -- restoring a backed up key store will attempt to restore the whole thing to that token, there's not currently a "restore just keys 42 and 61, plus 77 - 84" option.

 

Alternately, and probably "best practice" -- you have five libraries in the data center; each of them has an Encryption Kit (a pair of keys so that you create a key and immediately back it up to the second token).  Each pair of tokens is labeled: Library 1, Library 2, etc.  Then DR Site has three Encryption Kits, six total tokens, with each of tokens 1-5 labeled for the set it "belongs" to -- "Library 1", etc.

 

Now, each month (week, whatever) you generate a new key, you back Library 1's token up to Library 1's backup token, and send the encrypted key backup file to the DR site.  There, you will restore Library 1's backed up keys to the matching Library 1 token, Library 2's to the matching Library 2 token, etc.


Now you have three copies of the keys, and each token can be used to hold the entire 100 keys with no wasted space.

--
Liberty breeds responsibility; Government breeds dependence