Encryption Key Manager
Quick Start Guide for LTO Ultrium 4 and LTO Ultrium 5
This guide gets you started with a basic configuration for encryption on LTO Gen 4 and LTO Gen 5 tape
drives. Visit http://support.dell.com to download the latest library and drive firmware prior to installing
and configuring the Dell PowerVault Encryption Key Manager to ensure that there are no issues.
The Dell PowerVault Encryption Key Manager (referred to as the Encryption Key Manager from this
point forward) is a Java
software program that assists encryption-enabled tape drives in generating,
protecting, storing, and maintaining encryption keys. These keys are used to encrypt information being
written to, and decrypt information being read from, LTO tape media. The Encryption Key Manager
operates on Linux
, and is designed to be a shared resource deployed in several locations
within an enterprise.
This document shows how quickly you can install and set up the Encryption Key Manager using the
graphical user interface (GUI) or using commands. This document shows how to use the JCEKS keystore
type because the JCEKS keystore type is the easiest and most transportable of the keystores supported. If
you want more information about a particular step or another supported keystore type, see the Dell
Encryption Key Manager User's Guide, which can be found at: http://support.dell.com or on the Dell
Encryption Key Manager media provided with your product.
Note: IMPORTANT Encryption Key Manager HOST SERVER CONFIGURATION INFORMATION: It is
recommended that machines hosting the Dell Encryption Key Manager program use ECC memory
in order to minimize the risk of data loss. The Encryption Key Manager performs the function of
requesting the generation of encryption keys and passing those keys to the LTO-4 and LTO-5 tape
drives. The key material, in wrapped (encrypted form) resides in system memory during
processing by the Encryption Key Manager. Note that the key material must be transferred without
error to the appropriate tape drive so that data written on a cartridge may be recovered
(decrypted). If for some reason key material is corrupted due to a bit error in system memory, and
that key material is used to write data to a cartridge, then the data written to that cartridge will
not be recoverable (i.e. decrypted at a later date). There are safeguards in place to make sure that
such data errors do not occur. However, if the machine hosting the Encryption Key Manager is not
using Error Correction Code (ECC) memory there remains a possibility that the key material may
become corrupted while in system memory and the corruption could then cause data loss. The
chance of this occurrence is small, but it is always recommended that machines hosting critical
applications (like the Encryption Key Manager) use ECC memory.
Do This First: Install Encryption Key Manager Software
1. Insert your Dell Encryption Key Manager CD. If installation does not start automatically in Windows,
navigate to the CD and double click on Install_Windows.bat.
For Linux, installation does not start automatically. Go to the CD root directory and enter
An end user license agreement is displayed. You must acknowledge this license agreement in order
for installation to continue.
The installation copies all contents (documentation, GUI files, and configuration property files)
appropriate to your operating system from the CD to your hard drive. During installation, your
system is checked for the correct IBM Java Runtime Environment. If not found, it is automatically
When installation is complete, the Graphical User Interface (GUI) is started.