Hardware encryption support is finally making its way into tape drives and tape libraries, but vendors are taking different approaches to encryption key management.
Spectra Logic announced last May that its Spectra T120 and T950 libraries would ship with hardware-based encryption. In September, IBM and Sun Microsystems rolled out their respective System Storage TS1120 and StorageTek T10000 encrypted tape drives. And the LTO Consortium announced earlier this year its plans to add encryption to the LTO-4 tape drive specification, although details won't be released until early next year, according to IBM, a key member of the consortium.
IBM's TS1120 drive uses RSA-2048 public key encryption to protect the data encryption keys, not the data itself. The data is encrypted with an AES-256 data encryption key; that key is in turn encrypted (wrapped) with the company's RSA public key and, optionally, with a third party's public key as well, and each wrapped copy is written to four different locations on the tape. When the encrypted tape is read, the matching private key unwraps the AES-256 data encryption key, which then decrypts the data. "By using public key cryptography and storing the encrypted key on the tape itself, tapes can be securely shared between different parties without the need to exchange keys," says Cindy Grossman, IBM's VP of tape storage systems.
By contrast, Sun and Spectra Logic both use AES-256 symmetric encryption, rather than public-key wrapping, to protect data encryption keys, and neither writes the key itself to the tape. Sun stores all encryption keys within the tape library's Token module, which holds as many as 32 keys for each tape drive and also provides the network connection to Sun's StorageTek Crypto Key Management Station. To identify the correct key, the StorageTek T10000 tape drive writes an encryption key ID with every data block it puts on tape. When data is read back, the T10000 retrieves the matching key from the Token and caches it in volatile memory inside the drive, so subsequent reads of the same tape do not repeat the lookup.
"Sun offers a single key management approach across both mainframes and open systems, so customers won't have to change applications or operating environments," says Sandy Stewart, engineering manager at Sun Storage.
Unlike IBM and Sun, Spectra Logic performs data encryption outside the tape drive, in the Quad Interface Processor (QIP), a standard module of its T950 library. The QIP handles both encryption and key management. Because encryption and key management happen in the library rather than in the drive, Spectra Logic can support any tape format, says Molly Rector, Spectra Logic's VP of marketing. Like Sun, Spectra Logic writes only a reference to the encryption key, a user-assigned nickname, onto the tape; the nickname is used during read operations to retrieve the correct key.
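The two key-management models described above, side by side, as an added example written for this article; it is not code from IBM, Sun or Spectra Logic. It assumes AES-256-GCM for the data path and RSA-OAEP for key wrapping (the article names AES-256 and RSA-2048 but neither the mode nor the padding), stands in for the Token, QIP and Key Management Station with an in-memory map, and the record, key ID and key values it works on are constructed. Model 1 wraps a fresh data key for each recipient and carries the wrapped copies with the data; model 2 carries only a key ID and fetches the key from the key manager, caching it in the drive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// gcmFor builds AES-256-GCM over dek. The article names AES-256 but no mode;
// GCM is this example's assumption.
func gcmFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one data block, prepending the random nonce to the output.
func seal(dek, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(dek, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("record too short")
}

// newKeyPair generates a 2048-bit RSA pair, the size the article gives for the TS1120.
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Model 1 (IBM-style): a fresh AES-256 DEK is RSA-wrapped under each recipient's
// public key (OAEP here, an assumption) and the wrapped copies travel on the tape.
type WrappedTape struct {
	WrappedDEKs [][]byte // one copy per recipient
	Data        []byte
}

func WriteWrapped(plaintext []byte, recipients ...*rsa.PublicKey) (*WrappedTape, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	var wrapped [][]byte
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
		if err != nil {
			return nil, err
		}
		wrapped = append(wrapped, w)
	}
	data, err := seal(dek, plaintext)
	return &WrappedTape{WrappedDEKs: wrapped, Data: data}, err
}

// ReadWrapped tries each copy; a private key that wrapped none of them gets nothing.
func ReadWrapped(t *WrappedTape, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range t.WrappedDEKs {
		if dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil); err == nil {
			return open(dek, t.Data)
		}
	}
	return nil, errors.New("no wrapped DEK matches this private key")
}

// Model 2 (Sun/Spectra-style): a block is written as seal(KeyManager[keyID], block)
// with only keyID recorded beside it; the key stays in an external key manager
// (an in-memory map stands in for the Token/QIP) and the drive caches it in RAM.
type Drive struct {
	KeyManager map[string][]byte // key ID -> AES-256 key, held outside the drive
	cache      map[string][]byte // volatile: lost on power-off
}

func (d *Drive) Read(keyID string, data []byte) ([]byte, error) {
	if d.cache == nil {
		d.cache = map[string][]byte{}
	}
	dek, ok := d.cache[keyID]
	if !ok {
		if dek, ok = d.KeyManager[keyID]; !ok {
			return nil, errors.New("key ID unknown to key manager: " + keyID)
		}
		d.cache[keyID] = dek
	}
	return open(dek, data)
}
```

The operational difference is in where a tape can be read. A WrappedTape is readable anywhere the matching private key exists, because the wrapped data key rides with the data; a key-ID tape is readable only where the key manager can be reached, so the key store's availability and backups become part of the tape's recoverability. The drive-side cache also means a key deleted from the store can still be served by a powered-on drive that fetched it earlier, which is worth accounting for in any key-destruction procedure.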
Some analysts think encrypted tape will eventually gain traction with users. "Tape encryption is in its infancy," says Jon Oltsik, senior analyst at Enterprise Strategy Group, Milford, MA. "But as tape drive specifications incorporate encryption, it will very fast become mainstream."