Tape Libraries and Drives
cancel
Showing results for 
Search instead for 
Did you mean: 

Enabling Hardware Encryption on HPE LTO Ultrium 15000

matthewgettemy
Occasional Visitor

Enabling Hardware Encryption on HPE LTO Ultrium 15000

Hi,

I am writing software that archives data to LTO-7 tapes via an HPE LTO Ultirum 15000 tape drive. I can see on the front pannel of this drive there is an LED light with the word Encryption next to it. I have not been able to, through HPE software, figure out how to enable this hardware based encryption. An HPE employee told me that in order to enable the encryption I had to purchase other software that would push an encrpytion key to the drive.

I know that this other software must use some interface to push the key to the drive. I would like to do this myself without purchasing external software. If anyone could provide any helpful information or documentation on this interface it would be greatly appreciated.

Thanks!

Matthew

3 REPLIES
Curtis_Ballard
Valued Contributor

Re: Enabling Hardware Encryption on HPE LTO Ultrium 15000

If you are writting your own software that sends SCSI commands then you are looking for the SECURITY PROTOCOL IN and SECURITY PROTOCOL OUT commands.  Reviewing those in your SCSI command reference should help you understand how encryption is managed from an application.

Either the software application or a tape library needs to provide the encryption parameters to the tape drive so that the encryption key is stored external to the tape drive and can be used for further reading/writing in other tape drives.

For HPE LTO-7 drives the encryption LED indicates that the data on the tape, with the possible exception of a small tape label at the start, is encrypted.  If a tape is loaded and anything other than a small region at the start of the tape is unencrypted the LED is off.

Dennis Handly
Acclaimed Contributor

Re: Enabling Hardware Encryption on HPE LTO Ultrium 15000

>SECURITY PROTOCOL IN and SECURITY PROTOCOL OUT commands.  Reviewing those in your SCSI command reference

 

You're going to need more than that.  Perhaps some examples from TCG:

http://www.trustedcomputinggroup.org/

Curtis_Ballard
Valued Contributor

Re: Enabling Hardware Encryption on HPE LTO Ultrium 15000

I saw the posting about needing more than the SCSI SECURITY PROTOCOL IN/OUT commands and the pointer to TCG.

That is frequently good advise when using those commands but in this case TCG doesn't define how those commands are used.  Those commands can be used to tunnel TCG but for they are general pupose security tunneling commands and for tape encryption all of the command and model details are in the SCSI specifications.

If you have a tape drive vendor SCSI specification then it should have what you need in one place.

If you are using the specifications at t10.org then the trail is a little bit tricky but still not too hard.

  • The SECURITY PROTOCOL IN/OUT commands are defined in the SPC specification.  Go there for the basic SCSI CDB.
  • In the CDB you need to set the protocol to 20h, Tape Data Encryption at that point SPC sends you to SSC-4 (the tape drive command set) for details on tape data encryption
  • You can use SSC-4 or SSC-5 for the tape data encryption specifics, no changes in this area in SSC-5 yet
  • Review the SSC model clause on "Logical block encryption" which is 4.2.29 in SSC5r02b
  • The specific pages that you can request or send are defined in sub-clause 8.7, Security protocol parameters
  • Encryption parameters are provided using the Set Data Encryption Page
  • Information about current settings is in the Data Encryption Status page
  • Several other interesting information pages are available - go take a look and see what you need

One tip for anybody using tape data encryption - review the material on logical block encryption key protection carefully. To help protect against possible probing for encryption parameters there are some conditions where the drive will remove and overwrite all key material. Software should considering using the lock functionality, should watch for unit attentions and confirm/reconfigure encryption parameters after things like resets, and should confirm correct parameters at key points during operation.