09-28-2016 06:33 AM
Enabling Hardware Encryption on HPE LTO Ultrium 15000
Hi,
I am writing software that archives data to LTO-7 tapes via an HPE LTO Ultrium 15000 tape drive. I can see on the front panel of this drive there is an LED light with the word Encryption next to it. I have not been able to, through HPE software, figure out how to enable this hardware-based encryption. An HPE employee told me that in order to enable the encryption I had to purchase other software that would push an encryption key to the drive.
I know that this other software must use some interface to push the key to the drive. I would like to do this myself without purchasing external software. If anyone could provide any helpful information or documentation on this interface it would be greatly appreciated.
Thanks!
Matthew
09-28-2016 07:44 AM
Re: Enabling Hardware Encryption on HPE LTO Ultrium 15000
If you are writing your own software that sends SCSI commands then you are looking for the SECURITY PROTOCOL IN and SECURITY PROTOCOL OUT commands. Reviewing those in your SCSI command reference should help you understand how encryption is managed from an application.
Either the software application or a tape library needs to provide the encryption parameters to the tape drive so that the encryption key is stored external to the tape drive and can be used for further reading/writing in other tape drives.
For HPE LTO-7 drives the encryption LED indicates that the data on the tape, with the possible exception of a small tape label at the start, is encrypted. If a tape is loaded and anything other than a small region at the start of the tape is unencrypted the LED is off.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

10-01-2016 02:34 PM
Re: Enabling Hardware Encryption on HPE LTO Ultrium 15000
>SECURITY PROTOCOL IN and SECURITY PROTOCOL OUT commands. Reviewing those in your SCSI command reference
You're going to need more than that. Perhaps some examples from TCG:
10-03-2016 07:51 AM - edited 10-03-2016 07:56 AM
Re: Enabling Hardware Encryption on HPE LTO Ultrium 15000
I saw the posting about needing more than the SCSI SECURITY PROTOCOL IN/OUT commands and the pointer to TCG.
That is frequently good advice when using those commands, but in this case TCG doesn't define how those commands are used. Those commands can be used to tunnel TCG, but they are general-purpose security tunneling commands, and for tape encryption all of the command and model details are in the SCSI specifications.
If you have a tape drive vendor SCSI specification then it should have what you need in one place.
If you are using the specifications at t10.org then the trail is a little bit tricky but still not too hard.
- The SECURITY PROTOCOL IN/OUT commands are defined in the SPC specification. Go there for the basic SCSI CDB.
- In the CDB you need to set the protocol to 20h, Tape Data Encryption. At that point SPC sends you to SSC-4 (the tape drive command set) for details on tape data encryption
- You can use SSC-4 or SSC-5 for the tape data encryption specifics, no changes in this area in SSC-5 yet
- Review the SSC model clause on "Logical block encryption" which is 4.2.29 in SSC5r02b
- The specific pages that you can request or send are defined in sub-clause 8.7, Security protocol parameters
- Encryption parameters are provided using the Set Data Encryption Page
- Information about current settings is in the Data Encryption Status page
- Several other interesting information pages are available - go take a look and see what you need
One tip for anybody using tape data encryption - review the material on logical block encryption key protection carefully. To help protect against possible probing for encryption parameters there are some conditions where the drive will remove and overwrite all key material. Software should consider using the lock functionality, should watch for unit attentions and confirm/reconfigure encryption parameters after things like resets, and should confirm correct parameters at key points during operation.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
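The trail described in the post above, as an added example that is not part of the original thread or HPE code: it builds the SECURITY PROTOCOL OUT CDB for protocol 20h with a Set Data Encryption page, and parses a Data Encryption Status page to re-check parameters after a reset. Opcodes, page codes and field offsets follow SPC/SSC; the function names, the demo key, the status bytes and `algorithm_index=1` are assumptions made for illustration, and sending the buffers through a SCSI pass-through interface is left out.

```python
import struct

SECURITY_PROTOCOL_IN, SECURITY_PROTOCOL_OUT = 0xA2, 0xB5   # SPC opcodes
TAPE_DATA_ENCRYPTION = 0x20            # security protocol value from the post
PAGE_SET_DATA_ENCRYPTION = 0x0010      # SSC page sent with SECURITY PROTOCOL OUT
PAGE_DATA_ENCRYPTION_STATUS = 0x0020   # SSC page read with SECURITY PROTOCOL IN
MODE_ENCRYPT = MODE_DECRYPT = 2        # SSC encryption / decryption mode values

def security_protocol_cdb(opcode, page_code, length):
    """12-byte CDB: opcode, protocol, page code, INC_512=0, reserved,
    transfer/allocation length, reserved, control."""
    return struct.pack(">BBHBBIBB", opcode, TAPE_DATA_ENCRYPTION,
                       page_code, 0, 0, length, 0, 0)

def set_data_encryption_page(key, lock=True, algorithm_index=1):
    """Parameter data: encrypt writes, decrypt reads, plain-text key, no KAD.
    algorithm_index=1 is an assumption; read the real value from the drive."""
    scope_lock = (2 << 5) | int(lock)  # SCOPE=2 (all I_T nexus), LOCK in bit 0
    body = struct.pack(">BBBBBB8xH", scope_lock, 0, MODE_ENCRYPT, MODE_DECRYPT,
                       algorithm_index, 0, len(key)) + key
    return struct.pack(">HH", PAGE_SET_DATA_ENCRYPTION, len(body)) + body

def parse_status_page(buf):
    """Pull the fields worth re-checking out of a Data Encryption Status page."""
    if len(buf) < 12 or struct.unpack_from(">H", buf)[0] != PAGE_DATA_ENCRYPTION_STATUS:
        raise ValueError("not a Data Encryption Status page")
    enc, dec, alg, key_instance = struct.unpack_from(">BBBI", buf, 5)
    return {"encryption_mode": enc, "decryption_mode": dec,
            "algorithm_index": alg, "key_instance": key_instance}

def encryption_still_configured(status, algorithm_index=1):
    """True only if the drive still reports the parameters we sent."""
    return (status["encryption_mode"] == MODE_ENCRYPT
            and status["decryption_mode"] == MODE_DECRYPT
            and status["algorithm_index"] == algorithm_index)

# Constructed inputs, not captured from a drive.
DEMO_KEY = bytes(range(32))            # placeholder 256-bit key, never use for data
STATUS_OK = bytes.fromhex("00200014" "40" "020201" "00000003") + bytes(12)
STATUS_CLEARED = bytes.fromhex("00200014" "00" "000000" "00000003") + bytes(12)

if __name__ == "__main__":
    page = set_data_encryption_page(DEMO_KEY)
    cdb = security_protocol_cdb(SECURITY_PROTOCOL_OUT, PAGE_SET_DATA_ENCRYPTION, len(page))
    print(cdb.hex(), page[:20].hex())
    for name, raw in (("ok", STATUS_OK), ("cleared", STATUS_CLEARED)):
        print(name, encryption_still_configured(parse_status_page(raw)))
```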
