Preface
Fujitsu would like to thank you for purchasing our Key Management Function Option for the FUJITSU Storage ETERNUS LT140 tape library (hereinafter referred to as "LT140"). This manual describes the setup methods and the operation procedures that are required to use the Key Management Function Option as well as notes and other information.
This chapter provides notes on the Key Management Function Option. Additional information on "Appendix A Logs Related to the Key Management Function" is provided as an appendix. FUJITSU Storage ETERNUS LT140 Tape Library Key Management Function Option User’s Guide Copyright 2019 FUJITSU LIMITED P3AG-3762-02ENZ0...
This symbol indicates important points to note when using this product. This mark indicates additional information regarding things such as convenient functions and procedures while performing operations and settings with this product.
2.3.3 Setting Information of the Key Management Function for the Drive
2.3.4 Encryption Setting Information of the Data Cartridge
How to Download Logs Related to the Key Management Function
Checking the Contents of the Logs Related to the Key Management Function
The data cartridge generations that can be read and written vary depending on the generation of the LTO Ultrium tape drive that is being used. For details, refer to "A.1.2 Tape Drive Compatibility with Tape Cartridges" in "FUJITSU Storage ETERNUS LT140 Tape Library User's Guide -Installation & Operation-".
During a data backup from a backup server, the tape library automatically assigns an encryption key to the specified data cartridge, encrypts the data (plain text), and saves the data. The encryption process is performed transparently during this time.
(*2) • Setting the same master key as the common master key for the ETERNUS LT140, LT220, LT230, LT250, LT260, LT270, and LT270 S2 (*3) will facilitate the use of encrypted tape cartridge data among all these tape libraries.
"2.1.4 Setting the Master Key" (page 35). For information on exporting the master key, refer to "2.1.4.2 Exporting the Master Key" (page 37).
However, note that if the encryption key is lost, the data can no longer be restored. To share data among tape libraries, Fujitsu recommends operation with a common master key. •...
1.6 Operational Examples
1.6.4 Interoperation among LT-series Models
The ETERNUS LT140, LT220, LT230, LT250, LT260, LT270, and LT270 S2 tape libraries (LT-series) share compatible master keys and encryption keys, so keys and encrypted data cartridges can be shared among these LT-series models.
For information on the storage and contents of the security-related logs, refer to "Appendix A Logs Related to the Key Management Function" (page 76).
This chapter explains the settings that are related to the key management function. The setup and operations for each function are performed from the remote panel. For details about the setup and operations, refer to "FUJITSU Storage ETERNUS LT140 Tape Library User's Guide -Panel Operation-". CAUTION •...
Since the license sheet that has the license key may be required for maintenance work, be sure to keep it in a safe place.
Figure 2.2 Account setting screen
Procedure
Click "security" from the account list displayed on the lower part of the screen.
Select [Modify User Password] from [Actions].
For password settings, passwords must satisfy the requirements. If the password setting does not succeed, check the setting requirements from [Configuration > User Accounts > User Accounts Settings]. For details about the setting items, refer to "3.4.16 Configuring Password Setting Requirements" in "FUJITSU Storage ETERNUS LT140 Tape Library User's Guide -Panel Operation-".
"2.1.2.1 Changing the Initial Password of the Security Administrator Account" (page 23).
Figure 2.4 Logging in to the remote panel
End of procedure
When SSL is enabled, https must be used to connect to the remote panel. SSL is disabled by default.
Procedure
Move to the [Configuration > Web Management] screen.
Figure 2.5 Initial value of SSL (disabled)
After SSL is enabled, the method for connecting to the remote panel changes. For the connection method, refer to "2.1.2.4 Connecting to the Remote Panel after Enabling SSL" (page 29).
For [Password], enter the security administrator account password and click [Login].
Figure 2.9 Logging in to the security administrator account
End of procedure
To set the key management function, you must log in to the remote panel using the security administrator account. For details about how to log in, refer to "2.1.2 Logging In with the Security Administrator Account" (page 23).
Figure 2.12 Setting the key management function per partition
If the default settings are applied to all partitions in Step 3 without any changes, this step is not required.
Click [Submit].
When the Expert Partition Wizard is used to edit the partition, the setting for the key management function can be enabled or disabled. For details, refer to "3.4.13.2 Using the Expert Partition Wizard" in "FUJITSU Storage ETERNUS LT140 Tape Library User's Guide -Panel Operation-". •...
"2.1.3.1 Basic Setup of the Key Management Function" (page 31) perform basic setup.
• When the key management function is disabled, data encryption depends on the backup software setting.
End of procedure
Select the partition where the master key is to be set. If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the drop down list.
If a master key is not set and the imported master key does not exist, a master key is automatically created when the data is first written to the data cartridge in each partition.
The password is required to import the master key. Keep the password in a safe place.
Figure 2.16 Setting a password for the master key
Step 4 and onward. Partitions cannot be selected if the master key is not set.
Figure 2.17 Exporting the master key
Move to the [Configuration > Encryption > LT Encryption] screen.
Select [Master Keys] > [Import Key] on the center pane.
Select the master key file to be imported.
Enter the password that was set when the master key was exported. For details, refer to "2.1.4.2 Exporting the Master Key" (page 37).
Click [Submit].
Figure 2.19 Importing the master key
If the "Master key was successfully imported" message disappears, the master key has been imported.
Figure 2.21 Status of importing the master key
End of procedure
Only a single master key can be deleted at a time. When deleting the master keys of multiple partitions, repeat the procedure from Step 3 and onward.
Figure 2.22 Deleting the master key
Deleted master keys cannot be restored even by a maintenance engineer or the manufacturing plant. Carefully consider whether to delete the master key.
Figure 2.23 Confirmation screen for deleting the master key
End of procedure
The password is required to import the encryption key. Keep the password in a safe place.
Figure 2.24 Encryption key password settings
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the drop down list.
Figure 2.25 Selecting the partition to export the target data cartridges
Multiple data cartridges can be moved at the same time.
Figure 2.26 Selecting the data cartridges that are to be exported
To remove the data cartridges from the export target field, select the relevant data cartridge. The color of the selected data cartridge changes. Click [] to remove the selected data cartridge.
Figure 2.27 Removing the export target data cartridges
The default file name for the exported encryption key is determined by the "ID_x_EncryptionKey_yyyymmdd_xxxxxxxxxx.key" format. The file size is 128 bytes.
Figure 2.29 Saving the encryption key to export
End of procedure
Enter the password that was set when the encryption key was exported. For details about the password, refer to "2.1.5.1 Exporting the Encryption Key" (page 45).
Click [Submit].
Figure 2.30 Importing the encryption key
If the "Encryption key/s were successfully imported" message disappears, the encryption key has been imported.
Figure 2.32 Progress status screen for importing the encryption key
End of procedure
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the drop down list.
Figure 2.33 Selecting the partition where the deletion target encryption key exists
In this screen, only the data cartridges with an imported encryption key are displayed.
Figure 2.34 Selecting data cartridges with deletion target encryption keys
Information of the data cartridge disappears. The deletion of the imported encryption keys is complete.
Figure 2.38 Deletion confirmation of the imported encryption key
End of procedure
For the procedure to back up the setting information, refer to "Saving the library configuration to a file" of "3.4.2 Saving, Restoring and Resetting the Library Configuration" in "FUJITSU Storage ETERNUS LT140 Tape Library User's Guide -Panel Operation-".
In [Security Encryption Status], if "Enabled" is displayed for [LT Encryption], the key management function is enabled.
Figure 2.40 [Status > Security > Security Encryption Status] screen
End of procedure
An imported encryption key is used.
An encryption key is not assigned.
Figure 2.44 [Status > Cartridge Inventory > List View (detailed)] screen
LT Encryption Key
Auto: An automatically generated encryption key is used.
Import: An imported encryption key is used.
An encryption key is not assigned.
Figure 2.45 [Status > Cartridge Inventory > Graphical View] screen
For Ultrium3 or earlier data cartridges, all the items above are displayed as "N/A".
End of procedure
For information on how to set the master key, refer to "2.1.4 Setting the Master Key" (page 35).
[Figure labels: Management console; Tape library 01; Tape library 02; Tape library 03]
Export the set master key to the management console. For information on how to export the master key, refer to "2.1.4.2 Exporting the Master Key" (page 37).
However, if the encryption key is deleted or lost by mistake, the data can no longer be read. Therefore, Fujitsu recommends that the same master key be set for the tape libraries sharing data. For information on the encryption key export or import function, refer to "2.1.5...
For information on how to eject a data cartridge, refer to "3.5 Loading and Ejecting Cartridges" in "FUJITSU Storage ETERNUS LT140 Tape Library User’s Guide -Installation & Operation-".
[Figure labels: Primary-site; Master key A]
For information on how to import an encryption key, refer to "2.1.5.2 Importing the Encryption Key" (page 52). For information on how to insert a data cartridge, refer to "3.5 Loading and Ejecting Cartridges" in "FUJITSU Storage ETERNUS LT140 Tape Library User’s Guide -Installation & Operation-".
[Figure labels: Primary-site; Secondary-site...]
A drive, tape library, or media may be faulty.
Reuse of Data Cartridges
To reuse an encrypted data cartridge, use backup software to erase the data.
4.4 Connectivity with Backup Software
On a system using the key management function, Fujitsu recommends using verified backup software. If unverified backup software is used, encryption may not work normally. For more information, contact your sales representative.
For information on how to download logs, refer to "3.5.6 Downloading Log and Trace Files" in "FUJITSU Storage ETERNUS LT140 Tape Library User’s Guide -Panel Operation-".
LT Encryption encryption keys deleted: The encryption keys were deleted.
9059 LT encryption Key retrieved by tape drive: The tape drive received the encryption key.
However, Fujitsu shall assume no responsibility for any operational problems as the result of errors, omissions, or the use of information in this manual. • Fujitsu assumes no liability for damages to third party copyrights or other rights arising from the use of any information in this manual.