If you are writting your own software that sends SCSI commands then you are looking for the SECURITY PROTOCOL IN and SECURITY PROTOCOL OUT commands. Reviewing those in your SCSI command reference should help you understand how encryption is managed from an application.
Either the software application or a tape library needs to provide the encryption parameters to the tape drive so that the encryption key is stored external to the tape drive and can be used for further reading/writing in other tape drives.
For HPE LTO-7 drives the encryption LED indicates that the data on the tape, with the possible exception of a small tape label at the start, is encrypted. If a tape is loaded and anything other than a small region at the start of the tape is unencrypted the LED is off.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
I saw the posting about needing more than the SCSI SECURITY PROTOCOL IN/OUT commands and the pointer to TCG.
That is frequently good advise when using those commands but in this case TCG doesn't define how those commands are used. Those commands can be used to tunnel TCG but for they are general pupose security tunneling commands and for tape encryption all of the command and model details are in the SCSI specifications.
If you have a tape drive vendor SCSI specification then it should have what you need in one place.
If you are using the specifications at t10.org then the trail is a little bit tricky but still not too hard.
- The SECURITY PROTOCOL IN/OUT commands are defined in the SPC specification. Go there for the basic SCSI CDB.
- In the CDB you need to set the protocol to 20h, Tape Data Encryption at that point SPC sends you to SSC-4 (the tape drive command set) for details on tape data encryption
- You can use SSC-4 or SSC-5 for the tape data encryption specifics, no changes in this area in SSC-5 yet
- Review the SSC model clause on "Logical block encryption" which is 4.2.29 in SSC5r02b
- The specific pages that you can request or send are defined in sub-clause 8.7, Security protocol parameters
- Encryption parameters are provided using the Set Data Encryption Page
- Information about current settings is in the Data Encryption Status page
- Several other interesting information pages are available - go take a look and see what you need
One tip for anybody using tape data encryption - review the material on logical block encryption key protection carefully. To help protect against possible probing for encryption parameters there are some conditions where the drive will remove and overwrite all key material. Software should considering using the lock functionality, should watch for unit attentions and confirm/reconfigure encryption parameters after things like resets, and should confirm correct parameters at key points during operation.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]