
III. RESULTS

3.5. Practical contribution

3.5.1. Identification of threats

Tivoli Key Lifecycle Manager fetches an existing AES key from a keystore and wraps it for secure transfer to the tape drive where it is unwrapped upon arrival and used to encrypt the data being written to tape.

When an encrypted tape is read by an LTO Ultrium 4 Tape Drive, Tivoli Key Lifecycle Manager fetches the required key from the keystore, based on the information in the Key ID on the tape, and serves it, wrapped for secure transfer, to the tape drive.

3.2 IBM Encryption Key Manager

In your enterprise, a large number of symmetric keys, asymmetric keys, and certificates can exist, especially for tapes, where each tape can require its own key. All these keys and certificates must be managed. Key management can be handled either internally by an application, such as Tivoli Storage Manager, or externally by an Encryption Key Manager (EKM). In this section, we describe EKM.

Chapter 3. IBM storage encryption methods

LTO4, like the encryption-capable 3592 drives TS1120 and TS1130, provides three methods of encryption management from which to choose. These methods differ in where you choose to locate your EKM application. Your operating environment determines which is the best method for you, with the result that key management and the encryption policy engine might be located in any one of the following three environmental layers, as shown in Figure 3-2.

Figure 3-2 EKM architecture

The IBM Encryption Key Manager component for the Java platform is a Java software program that assists IBM encryption-enabled TS1120 tape drives and Linear Tape-Open (LTO) Ultrium 4 tape drives by providing, protecting, storing, and maintaining encryption keys that are used to encrypt information being written to, and to decrypt information being read from, tape media. EKM operates on a variety of operating systems. Currently, EKM operates on the following supported operating systems:

• z/OS
• i5/OS
• AIX
• Linux
• Hewlett-Packard UNIX (HP-UX)
• Sun Solaris
• Windows

EKM is designed to be a shared resource deployed in several locations within an enterprise. It is capable of serving numerous IBM encrypting tape drives, regardless of where those drives reside (for example, in tape library subsystems, connected to mainframe systems through various types of channel connections, or installed in other computing systems).

Important: Tivoli Key Lifecycle Manager is the follow-on product to EKM. EKM supports the management of keys for IBM tape drives only, not disk drives. However, many clients still use EKM to manage the keys for their encrypting tape drives.

IBM supplies EKM at no charge on IBM operating systems. On platforms that are not IBM platforms, you must purchase IBM Tivoli Storage Productivity Center Basic Edition to gain access to EKM. For IBM operating systems, download the current version of the IBM Encryption Key Manager for the Java platform, the IBM System Storage Tape Enterprise Key Manager, Introduction Planning and User Guide, GA76-0418, and a sample configuration file for EKM. To download, go to this website:

http://www.ibm.com/support/search.wss?rs=1139&tc=STCXRGL&dc=D400&dtm

3.2.1 Encryption Key Manager components and resources

The sole task of the Encryption Key Manager is to handle serving keys to the encrypting tape drives. EKM does not perform any cryptographic operations, such as generating encryption keys, and it does not provide storage for keys and certificates. To perform these tasks, EKM relies on external components. In the following sections, we describe the components of EKM and the resources that are used by EKM.

Figure 3-3 shows the EKM components and external resources.

Figure 3-3 EKM components and resources

Tape drive table

The tape drive table is used by EKM to track the tape devices that it supports. The tape drive table contains the list of the drives that can communicate with EKM. You can populate this list with additional drives by using the EKM adddrive command, or you can set a variable in the configuration file so that EKM adds unknown drives to the list automatically.

The tape drive table also stores the default key labels for TS1100 drives and the active key set list for LTO drives.

Crypto services: In Figure 3-3, crypto services can refer to either Java security providers (software) or to cryptographic hardware that is installed on the system.

[Figure 3-3 diagram labels: Encryption Key Manager (EKM), Config File, Drive Table, Keystore, Crypto Services]

The tape drive table is a non-editable, binary file whose location is specified in the configuration file. A number of EKM commands are available to add, delete, modify, and view keys and certificates. You can change the location of the tape drive table to meet your requirements.

Configuration file

The configuration file is an editable file, which tells your EKM how to operate. You specify the keystore location and the drive table location in this file.

We describe the configuration file extensively in Chapter 14, “Planning for Encryption Key Manager and its keystores” on page 393 and, later, in Part 3, “Implementing tape data encryption” on page 189, where we describe the full set of configuration options.

Java security keystore

The keystore is defined as part of the Java Cryptography Extension (JCE) and an element of the Java Security components, which are, in turn, part of the Java Runtime Environment. A keystore holds the certificates and keys (or pointers to the certificates and keys) used by EKM to perform cryptographic operations. A keystore can be either hardware based or software based.

EKM supports several types of Java keystores, offering a variety of operational characteristics to meet your requirements:

• JCEKS: Clear symmetric keys or clear asymmetric keys
• JCE4758KS/JCECCAKS: Clear symmetric keys, clear asymmetric keys, secure symmetric keys, or secure asymmetric keys
• JCE4758RACFKS/JCECCARACFKS: Secure asymmetric keys
• JCERACFKS: Clear asymmetric keys
• PKCS11IMPLKS: The types of keys that are supported depend on the Public Key Cryptographic Standards 11 (PKCS#11) implementation
• IBMi5OSKeyStore: Clear asymmetric keys

We describe the characteristics of these keystores in 14.3, “EKM and keystore considerations” on page 400.

Cryptographic services

EKM uses the IBM Java Security components for its cryptographic capabilities. EKM does not provide cryptographic capabilities and therefore does not require, nor is allowed to obtain, FIPS 140-2 certification. However, EKM takes advantage of the cryptographic capabilities of the IBM Java Virtual Machine in the IBM Java Cryptographic Extension component and allows the selection and use of the IBMJCEFIPS cryptographic provider, which has a FIPS 140-2 Level 1 certification. In the configuration properties file, setting the FIPS configuration parameter to ON causes EKM to use the IBMJCEFIPS provider for all cryptographic functions.

Tip: The option to automatically accept unknown tape drives can facilitate the task of populating the tape drive table with your drives. For security reasons, you might want to turn off this option as soon as all your tape drives have been added to the table. In a business continuity and recovery site, however, such as SunGard or IBM Business Continuity and Resiliency Services, it is required to accept unknown tape drives.

IBM LTO Ultrium 4 drives: Encryption on IBM LTO Ultrium 4 drives requires a keystore that supports symmetric keys.

You can obtain more information about the IBMJCEFIPS provider, its selection, and its use at this website:

http://www.ibm.com/developerworks/java/jdk/security/50/FIPShowto.html

3.3 TS1120, TS1130, and LTO4 tape drive encryption

An encryption key is typically a random string of bits generated specifically to scramble and unscramble data. Encryption keys are created using algorithms designed to ensure that each key is unique and unpredictable. The longer a key constructed this way is, the harder it is to break the encryption code. Both the IBM and T10 methods of encryption use 256-bit Advanced Encryption Standard (AES) algorithm keys to encrypt data. The 256-bit AES is the encryption standard currently recognized and recommended by the U.S. Government, and AES allows three key lengths. The 256-bit keys are the longest keys allowed by AES.

The two types of encryption algorithms that can be used by EKM and Tivoli Key Lifecycle Manager are symmetric and asymmetric. Symmetric, or secret key encryption, uses a single key for both encryption and decryption. Symmetric key encryption is generally used for encrypting large amounts of data in an efficient manner. The 256-bit AES keys are symmetric keys. TS1120, TS1130, and LTO4 all use 256-bit AES symmetric keys to encrypt user data.

Asymmetric, or public-private encryption, uses a pair of keys. Data that is encrypted using one key can only be decrypted using the other key in the public-private key pair. When an asymmetric key pair is generated, the public key is typically used to encrypt, and the private key is typically used to decrypt.

The public-private encryption algorithm is also referred to as the RSA algorithm for public key cryptography, which is named after the inventors, Ron Rivest, Adi Shamir, and Leonard Adleman (Rivest-Shamir-Adleman or RSA algorithm).

EKM and Tivoli Key Lifecycle Manager use both symmetric and asymmetric keys. They use symmetric encryption for high-speed encryption of user or host data, and asymmetric encryption (which is necessarily slower) for protecting the symmetric key.
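The split described above (a symmetric data key held in a keystore, protected by an asymmetric key while it is handed over) can be shown with the standard Java security APIs. This is an added example, not code from EKM or Tivoli Key Lifecycle Manager, and it does not reproduce their protocol with the tape drive. The key label, the password, the in-memory JCEKS keystore, RSA-OAEP for wrapping and AES-GCM for the bulk data are all assumptions chosen for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class KeyWrapDemo {
    static final String LABEL = "demo-data-key-01"; // hypothetical key label
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-demo-password".toCharArray(); // constructed value

        // Keystore side: JCEKS can hold clear symmetric keys. The key is generated
        // here only to populate the in-memory store for the demonstration.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pw);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ks.setEntry(LABEL, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(pw));

        // Receiving side's key pair (stand-in for the key that protects the transfer).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair receiver = kpg.generateKeyPair();

        // Key manager: fetch the data key by label and wrap it with the public key.
        SecretKey dataKey = (SecretKey) ks.getKey(LABEL, pw);
        Cipher wrap = Cipher.getInstance(RSA_OAEP);
        wrap.init(Cipher.WRAP_MODE, receiver.getPublic());
        byte[] wrapped = wrap.wrap(dataKey);

        // Receiver: unwrap with the private key, then use AES-256 for the bulk data.
        Cipher unwrap = Cipher.getInstance(RSA_OAEP);
        unwrap.init(Cipher.UNWRAP_MODE, receiver.getPrivate());
        SecretKey received = (SecretKey) unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, received, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal("constructed sample record".getBytes(StandardCharsets.UTF_8));

        // Reading back: the key fetched from the keystore decrypts the same data.
        aes.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(128, iv));
        String pt = new String(aes.doFinal(ct), StandardCharsets.UTF_8);
        System.out.println("wrapped key bytes: " + wrapped.length + ", decrypted: " + pt);
    }
}
```

Only the wrapped key crosses between the two sides; the slower RSA operation touches 32 bytes of key material, while AES handles the data itself.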

The responsibility for generating AES keys and the manner in which they are transferred to the tape drive depends on the tape drive type and the method of encryption management.

When implementing encryption using either LME or SME, EKM and Tivoli Key Lifecycle Manager, and all their supported tape drives (TS1120, TS1130, and LTO4), use symmetric, 256-bit AES keys to encrypt user data. The keys that are used to encrypt client data are referred to as data keys. Important differences exist between the TS1120 and TS1130 tape drives and the LTO Ultrium 4 tape drives in handling these data keys.