Tape Libraries and Drives

Encryption Kits and Automatic key generation policy

SOLVED
Keynes Lee
Regular Advisor

Encryption Kits and Automatic key generation policy

As the user guide mentions, deleting keys in the token is NOT allowed.
And the token can contain only 100 keys.

I just wonder, why was the function "Automatic key generation policy" created?

What threats is the function intended to prevent?

Can anybody please give me an example?


3 REPLIES
Marino Meloni_1
Honored Contributor
Solution

Re: Encryption Kits and Automatic key generation policy

Well, let's say you are the security officer, and your policy is to change the key every first day of the month.
What happens if you are on holidays?

I think the intention is to allow policies to be followed even if you are not available on site at the specific moment.
Keynes Lee
Regular Advisor

Re: Encryption Kits and Automatic key generation policy

Thanks a lot for the reply!

And would you please also let me know
why we should change the key periodically?

That's AES 256-bit encryption, and the token is protected by being locked in the rack, and also controlled by a PIN. An encrypted tape seems almost impossible to crack outside this environment.

Marino Meloni_1
Honored Contributor

Re: Encryption Kits and Automatic key generation policy

There could be various reasons why you want to have different keys:
Some tapes could be restored outside your environment, and then you should send the key with the tape in order to restore it; having it expire with the month, you can be sure nobody who retains the previous key may access new tapes.
You may lose one key and never be able to access those tapes; then, having a key per month, you only lose one month of data.
You may want to show that the security officer is doing a good job, so you have multiple keys for different tapes, which allows the officer to keep track of which key is paired with a specific tape.

These are only some evident reasons, but you know, security is not always linear...