Encryption is based on the science of cryptography, which is one of the most effective ways to achieve data security today. To read an encrypted file, you must have access to the key that will enable you to decipher the file.
This chapter introduces you to Oracle's Key Manager (OKM) and the components for encryption.
Are your customer accounts concerned with:
Data security?
Data protection and sensitive information?
Government regulations and retention?
Data security is a major concern for IT professionals today—what happens if and when data falls into the wrong hands?
Access to sensitive data can happen when it is:
Sent over networks
Written on disk or tape
Stored in archives
Your customers may also be required to take measures to protect their data because of government regulations or contractual obligations with business partners. A number of regulations require organizations to encrypt their data.
Encryption can occur at three points in the life of the data. When data is:
Created (host-based)
Transported (appliance-based)
Stored (device-based)
Oracle offers device-based implementations, for a "data-at-rest" encryption solution. This offering provides an excellent solution for mixed environments with a variety of operating system types—both enterprise and open systems platforms.
Choosing device-based encryption is the least disruptive to an existing system infrastructure because the encryption functionality is built directly in to the tape drive, so there is no need to maintain special software specifically for encrypted data.
Oracle's encryption solutions are based on the most current advanced industry standards and functionality, including:
Federal Information Processing Standards
FIPS PUB 140-2, Security Requirements for Cryptographic Modules
FIPS PUB 46-3, Data Encryption Standard
FIPS PUB 171, Key Management
FIPS are standards and guidelines adopted and declared under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996. FIPS defines four levels of security.
Level 1 – The basic level with production-grade requirements.
Level 2 – Adds requirements for physical tamper evidence and role-based authentication. Built on a validated operating platform.
Level 3 – Adds requirements for physical tamper resistance and identity-based authentication. Requires additional physical or logical separations.
Level 4 – Makes the physical security requirements more stringent and requires robustness against environmental attacks.
National Institute of Standards and Technology (NIST) AES-standard defining a cryptographic cipher using the Rijndael symmetric block cipher algorithm.
NIST 800-57 Part 1, Recommendations for Key Management
Institute of Electrical and Electronics Engineers IEEE 1619, working groups:
1619.1 Standard for Tape Encryption—complete
1619.2 Standard for Disk Encryption—in process
1619.3 Standard for Key Management—in process
Common Criteria (CC), an International Consortium sponsored by the National Security Agency (NSA) that sets requirements for IT security.
International Standard Organization ISO/IEC 1779 Security Techniques
CCM–AES-256 encryption
CCM = "Counter with CBC-MAC," a mode of encryption that provides both a strong form of privacy (security) and efficient authentication. CBC-MAC = "Cipher Block Chaining–Message Authentication Code," a message integrity method in which each block of plain text is encrypted with a cipher. AES = "Advanced Encryption Standard," a block cipher encryption algorithm, used here with both cryptographic techniques, Counter mode and CBC-MAC (CCM).
Symmetric encryption uses one key to both encrypt and decrypt data.
Nonce, a non-repeating number that is incorporated into the mode of operation to ensure that repetitive plaintext does not result in repetitive ciphertext.
Cipher-suite
TLS 1.0 = Transport layer security
RSA = A 2048-bit key encryption algorithm
SHA1 = A widely used and secure hash algorithm
HMAC = Hash message authentication code (Hash-MAC)
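An added illustration of the CCM–AES-256 and nonce entries above (not code from Oracle or from OKM): it uses the built-in Node.js crypto module to show that a fresh nonce keeps repetitive plaintext from producing repetitive ciphertext, and that the CBC-MAC tag rejects altered data. The nonce layout (4-byte device id plus 8-byte counter), the sample associated data, and all function names are assumptions made for this example.

```javascript
// Added example: AES-256 in CCM mode via Node.js's built-in crypto module.
const nodeCrypto = require('node:crypto');

const TAG_LEN = 16;   // length of the CBC-MAC authentication tag, in bytes
const NONCE_LEN = 12; // CCM accepts nonces of 7 to 13 bytes

// Assumed nonce layout for this example: 4-byte device id + 8-byte counter.
// A counter guarantees the nonce never repeats under one key.
class NonceSequence {
  constructor(deviceId) {
    this.deviceId = deviceId >>> 0;
    this.counter = 0n;
  }
  next() {
    const nonce = Buffer.alloc(NONCE_LEN);
    nonce.writeUInt32BE(this.deviceId, 0);
    nonce.writeBigUInt64BE(this.counter, 4);
    this.counter += 1n;
    return nonce;
  }
}

// Encrypt one record. `aad` is authenticated but not encrypted.
function sealRecord(key, nonce, plaintext, aad) {
  const cipher = nodeCrypto.createCipheriv('aes-256-ccm', key, nonce, {
    authTagLength: TAG_LEN,
  });
  cipher.setAAD(aad, { plaintextLength: plaintext.length });
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt one record; returns null when the tag does not verify.
function openRecord(key, record, aad) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-ccm', key, record.nonce, {
    authTagLength: TAG_LEN,
  });
  decipher.setAuthTag(record.tag);
  decipher.setAAD(aad, { plaintextLength: record.ciphertext.length });
  try {
    const plaintext = decipher.update(record.ciphertext);
    decipher.final(); // throws when the tag does not match
    return plaintext;
  } catch (err) {
    return null;
  }
}

function demo() {
  const key = nodeCrypto.randomBytes(32);            // one symmetric 256-bit key
  const nonces = new NonceSequence(0x0000a001);      // constructed device id
  const aad = Buffer.from('volume=CONSTRUCTED01');   // constructed sample label
  const block = Buffer.from('AAAAAAAAAAAAAAAA'.repeat(4)); // repetitive plaintext

  const first = sealRecord(key, nonces.next(), block, aad);
  const second = sealRecord(key, nonces.next(), block, aad);
  // Deliberate misuse for comparison: the same nonce under the same key.
  const reused = sealRecord(key, first.nonce, block, aad);

  // Flip one bit of a copy of the ciphertext.
  const tampered = { ...first, ciphertext: Buffer.from(first.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;

  const opened = openRecord(key, first, aad);
  return {
    roundTrip: opened !== null && opened.equals(block),
    // Identical 16-byte plaintext blocks inside one record encrypt differently.
    blocksDifferWithinRecord:
      !first.ciphertext.subarray(0, 16).equals(first.ciphertext.subarray(16, 32)),
    // The same plaintext under a fresh nonce yields different ciphertext.
    freshNonceHidesRepeat: !first.ciphertext.equals(second.ciphertext),
    // A repeated nonce yields identical ciphertext, revealing the repetition.
    reusedNonceLeaksRepeat: first.ciphertext.equals(reused.ciphertext),
    tamperRejected: openRecord(key, tampered, aad) === null,
    wrongAadRejected: openRecord(key, first, Buffer.from('volume=OTHER')) === null,
  };
}

console.log(demo());
```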
The Oracle Key Manager is a device-based encryption solution that uses:
An appliance (server) called the Key Management Appliance or KMA.
Network connectivity* (a clean gigabit Ethernet connection).
StorageTek automated libraries or Oracle databases.
StorageTek tape drives (T-Series and LTO) as the agents for encryption.
Components for the OKM Version 2.3 and above encryption solution consist of:
Important: Key management appliances should be installed in pairs as shown in the configuration drawings Figure 1-1 through Figure 1-4. Some key points include:
Multiple KMAs are clustered on a dedicated, private, local, or wide area network.
The servers in an OKM cluster provide data replication so there is redundancy. This allows each key management appliance to serve as a backup to the others.
Tape drives and Oracle databases, called Agents, must remain connected to the network in the event an encryption key is needed.
Any KMA in the cluster can service any tape drive on the network provided there is an Ethernet connection between the two.
KMAs and agents can be logically "grouped" to create a site, where agents prefer KMAs within the site to which they are assigned.
By default, Agents are serviced by the local KMAs if available.
Any KMA can be used for administration functions.
All changes to any KMA are replicated to all other KMAs in the cluster:
New keys generated at any site are replicated to all other KMAs in the cluster.
All administrative changes are propagated to all other KMAs in the cluster.
Encryption hardware kits come complete with Ethernet switches, cables, power distribution units, and mounting hardware for connection of the drive-types in either a library, standalone rack, or Oracle database configuration.
The type of configuration determines how the drives are installed; each configuration has its own kit. See Chapter 4, "Components" for more information.
Refer to the Oracle Key Manager Installation and Service Manual and the individual product installation manuals for specific installation instructions.
Multiple KMAs (two or more) must be installed together to create a cluster. Clusters of KMAs are able to fully replicate their data to each other KMA.
Note: Cluster size should be strongly considered when designing the system for maximum availability.
The following figures show examples of Version 2.x configurations for the key management appliance:
Figure 1-1 Single site – local area network
Figure 1-2 Multiple sites – wide area network
Figure 1-3 Multiple sites with disaster recovery – wide area network
Figure 1-4 Disaster Recovery Configuration
Figure 1-5 Database and Automated Library configuration
This example uses a single site with a local area network for the management link. The service network for the tape drives shows all of the supported tape drives (Agents). Agents include T-Series (T10000 A, B, C, D, and T9840D) and LTO (generations 4, 5, and 6) tape drives.
In this example, the KMAs are managed over a wide area network. All four KMAs belong in the same OKM cluster.
Note: LTO encryption-capable tape drives are not supported in L-Series libraries.
This example uses two remote sites and a local (main) site within one OKM cluster. The main site contains a partitioned SL8500 library with specific key groups that provides backup facilities for all the KMAs (1–6) and media within the entire OKM cluster.
In this example, there are two wide area networks; one for management and one for service.
The OKM communicates with all four KMAs in the cluster.
The service network consists of two interface ports, LAN 2 and LAN 3.
The KMA aggregates LAN 2 with LAN 3 into an aggregated service port.
The service wide area network allows any KMA at either site to communicate with the agents.
In this example, four KMAs in a cluster are supporting both Automated Tape Libraries and an Oracle database with Advanced Security Transparent Data Encryption (TDE) solution.
Oracle Key Manager is now certified with Oracle Advanced Security Transparent Data Encryption. This means that the same encryption technology used in Oracle StorageTek tape drives is now available for managing encryption keys for Oracle 11g databases.
See Appendix B, "Encryption for Oracle Databases" for more information.
These are the types of servers for the Key Management Appliance (KMA):
Netra SPARC T4-1 (OKM 3.0)
Sun Fire X2100 M2 (OKM 2.x)
Sun Fire X2200 M2 (OKM 2.x)
Sun Fire X4170 M2 (OKM 2.x)
Notes:
Subsequent releases of the OKM appliance may use different server hardware but are guaranteed to be interoperable with other deployed KMAs.
An OKM cluster may consist of a mix of Netra SPARC T4-1 systems and Sun Fire X2100, X2200, and X4170 systems, as systems are added to the cluster or replace failed units.
Existing Sun Fire KMAs cannot be upgraded to OKM 3.0. However, they can communicate with OKM 3.0 KMAs in the same cluster. OKM 3.0 KMAs can join an existing OKM 2.x cluster using a KMA running KMS 2.2 or later.
Figure 1-6 shows a rear view of the server.
Power supplies (PS1 - PS0 top to bottom) (AC supplies shown)
Power supply status LEDs:
OK (output): (green)
Service Action Required: (amber)
AC or DC (input power): (green).
Alarm port
Expansion slot 0 (PCIe 2.0 x8 or XAUI)
Expansion slot 3 (PCIe 2.0 x8)
Expansion slot 1 (PCIe 2.0 x8 or XAUI)
Expansion slot 4 (PCIe 2.0 x8)
Expansion slot 2 (PCIe 2.0 x8)
Service LEDs:
Locator LED/Locator button (white)
Service Action Required LED (amber)
Main Power/OK LED (green).
SER MGT RJ-45 serial port
NET MGT RJ-45 network port
Network 10/100/1000 ports (NET0 to NET3) for host
Physical Presence button access hole
USB 2.0 ports (USB 0, USB 1)
Video connector (HD-15)
Grounding studs
Figure 1-7 shows a front view of the server.
Locator LED/Locator button: white
Service Action Required LED: amber
Main Power/OK LED: green
Power button
Alarm LEDs: Critical (red), Major (red), Minor (amber), and User (amber)
Fan Fault (FM 0 to FM4) LEDs: green (normal), amber (fault)
USB 2.0 port (USB 3, USB 4)
USB 2.0 port (USB 3, USB 4)
DVD drive
Radio Frequency Identification (RFID) tag
Fan modules (FM0 - FM4)
Hard drives (HDD0- HDD3)
Hard drive fan module (FM 5) (internal - not shown)
Table 1-1 shows the configuration for OKM 3.0 KMAs.
Table 1-1 Netra SPARC T4-1 Specifications
Specification | |
---|---|
CPU | One 4-core 64 thread 2.85 GHz SPARC T4 processor |
Memory | Four 8 GB DDR3L DIMMs |
Removable mass storage | One 600 GB SAS drive; one slim line SATA DVD+/-RW drive (disabled) |
Service Processor | ASPEED AST2300 BMC running Oracle ILOM 3.0.x |
TPM support | TCG TPM v1.2 functionality support with an Infineon SLB 9635 |
Expansion slots | PCI-Express Generation 2: |
Front I/O ports | Two USB 2.0 ports (Type A) |
Rear I/O ports | From the motherboard: From the PCI mezzanine board: |
Front panel indicators and switches | Provision for the following indicators and switches: |
Networking | 4 Gbit Ethernet ports |
Dimensions: | |
Height | 87.1 mm (3.43 in.) |
Width | 445 mm (17.52 in.) including bezel |
Depth | 526 mm (20.71 in.) max to PSU handles; 501 mm (19.72 in.) max to rear I/O |
Weight | 18.6 kg (41 lb.) fully configured without PCI cards |
Environmental: | |
Ambient temperature (Footnote 1) | Maximum: 5°C to 45°C (41°F to 113°F) up to 1829 meters (6000 feet) (Footnote 2); Optimal: 21°C to 23°C (69.8°F to 73.4°F); Short term maximum: -5°C to 55°C (23°F to 131°F) |
Non-operating temperature | –40°C to 70°C (–40°F to 158°F) |
Operating humidity | 5% - 85% RH, non condensing, but not to exceed 0.024 kg water/kg dry air (0.053 lb. water/2.205 lbs. dry air). Short term: 5% - 90% RH, non condensing, not to exceed 0.024 kg water/kg dry air (0.053 lb. water/2.205 lbs. dry air). |
Non-operating humidity | 93%, non condensing, 40°C (104°F) |
Altitude – company requirement (operating) | Maximum 3000 meters (9840 feet) at 40°C (104°F) |
Altitude – company requirement (non-operating) | Maximum 12,000 meters (39,370 feet) |
Altitude – NEBS requirement (operating) | -60 meters to 1800 meters (-200 feet to 5905 feet) at 40°C (104°F); 1800 meters to 4000 meters (5905 feet to 13,123 feet) at 30°C (86°F) |
Altitude – NEBS requirement (non-operating) | Up to 12,000 meters (39,370 feet) |
Footnote 1 Does not apply to removable media devices.
Footnote 2 Maximum ambient operating temperature is derated by 1°C per 500m elevation.
Figure 1-8 shows a rear view of the Sun Fire X4170 M2 server.
Figure 1-9 shows a front view of the Sun Fire X4170 M2 server.
Table 1-2 lists the specifications for the Sun Fire X4170 M2 server.
AC Power connectors
Serial Management (SER MGT) RJ-45 serial port
Service Processor (NET MGT) port
Ethernet ports (0, 1, 2, 3); from left to right these ports are labeled "Net0" through "Net3".
USB ports (0, 1)
Video connector (VGA)
Power/OK LED
Power button
Table 1-2 lists the specifications for the Sun Fire X4170 M2 server.
Table 1-2 Sun Fire X4170 M2 Specifications
Specification | |
---|---|
Processor | One quad-core (2.4-GHz) |
Memory | 1x4GB DDR3 DIMMs |
Management Software | Service processor standard Integrated Lights Out Manager (ILOM) |
Mass storage | One SATA disk drive |
PCI Slots | Two PCI-Express slots (PCIe); PCIe-0 contains the Sun Crypto Accelerator (SCA6000) if installed |
Networking | Four USB 2.0 connectors on the rear panel; two USB 2.0 connectors on the front panel; VGA with DB-15 connectors; four 10/100/1000 Base-T Ethernet ports |
Dimensions: | |
Height | 4.34 cm (1.71 in.) |
Width | 42.5 cm (16.75 in.) |
Depth | 68.58 cm (27.0 in.) |
Weight | 16.36 kg (36 lb) |
Environmental: | |
Operating temperature | 5°C to 35°C (41°F to 95°F) |
Non-operating temperature | -40°C to 70°C (-40°F to 158°F) |
Operating humidity | 10% to 90% relative humidity, non-condensing |
Non-operating humidity | Up to 93% relative humidity, non-condensing |
Altitude (operating) | Up to 3000 m, maximum ambient temperature is degraded by 1 degree C per 300 m above 900 m |
Altitude (non-operating) | Up to 12,000 m |
Figure 1-10 shows a front view of the Sun Fire X2100/X2200 M2 server.
Figure 1-11 shows a rear view of the Sun Fire X2100/X2200 M2 server.
Table 1-3 lists the specifications for the Sun Fire X2100 M2 server.
Table 1-4 lists the specifications for the Sun Fire X2200 M2 server.
System identification button/LED
Fault LED
Power/OK LED
Power button
Optional hard disk drive bay (0)
USB 2.0 connectors (2)
CD/DVD drive (not populated)
Optional hard disk drive bay (1)
Power connector
Ethernet connectors (2) Top = KMA Management Network (LAN 0) Bottom = Embedded Lights Out Manager (ELOM)
System Identification LED
Fault LED
Power LED
Ethernet Service Network connections (2) Left = Service network (LAN 2) Right = Aggregated service network (LAN 3)
Serial port (DB9, RS232)
PCIe slots (2) Top = SCA6000 card (not shown) Bottom = Blank (empty)
VGA connector (if using a monitor/keyboard for the initial configuration)
USB 2.0 ports (4)
Table 1-3 lists the specifications for the Sun Fire X2100 M2 server.
Table 1-3 Sun Fire X2100 Specifications
Specification | |
---|---|
Processor | |
Memory | |
IPMI 2.0 | |
Mass storage | One SATA disk drive |
PCI Slots | Two PCI-Express slots (PCIe); PCIe-0 contains the Sun Crypto Accelerator 6000 (SCA6000) |
Networking | |
Height | 43 mm (1.7 in.) |
Width | 425.5 mm (16.8 in.) |
Depth | 550 mm (21.68 in.) |
Weight (maximum) | 10.7 kg (23.45 lb) |
Mounting options | 19-inch rackmount kit; Compact 1 rack-unit (1.75 in.) |
Temperature | 5°C to 35°C (41°F to 95°F) |
Relative humidity | 27°C (80°F) max wet bulb |
Altitude | Up to 3,000 m (9,000 ft) |
Power supply | 90 – 2640 VAC, 47 – 63 Hz; one 6.5 Amp non-redundant power supply at 345 Watts; heat output is about 850 BTU/hour |
Regulations meets or exceeds the following requirements: | |
Acoustic Noise Emissions declared in accordance with ISO 9296 | |
Safety IEC 60950, UL/CSA60950, EN60950, CB scheme | |
RFI/EMI FCC Class A, Part 15 47 CFR, EN55022, CISPR 22, EN300-386:v1.31, ICES-003 | |
Immunity: EN55024, EN300-386:v1.3.2 | |
Certifications: Safety CE Mark, GOST, GS Mark, cULus Mark, CB scheme, CCC, S Mark | |
EMC CE Mark, Emissions and Immunity Class A Emissions Levels: FCC, C-Tick, MIC, CCC, GOST, BSMI, ESTI, DOC, S Mark | |
Table 1-4 lists the specifications for the Sun Fire X2200 M2 server.
Table 1-4 SunFire X2200 Specifications
Specification | |
---|---|
Processor | |
Memory | |
IPMI 2.0 | |
Mass storage | One SATA disk drive, 250 GB capacity |
PCI Slots | Two PCI-Express slots (PCIe); PCIe-0 contains the Sun Crypto Accelerator 6000 (SCA6000) |
Networking | |
Height | 43 mm (1.69 in.) |
Width | 425.5 mm (16.75 in.) |
Depth | 633.7 mm (25 in.) |
Weight | 1.6 kg (24.64 lb.) |
Mounting options | 19-inch rackmount kit; Compact 1 rack-unit (1.75 in.) |
Temperature | 5°C to 35°C (41°F to 95°F) |
Relative humidity | 27°C (80°F) max wet bulb |
Altitude | Up to 3,000 m (9,000 ft) |
Power supply | 100 – 240 VAC, 47 – 63 Hz; one 8 Amps non-redundant power supply at 500 Watts; heat output is about 850 BTU/hour |
Regulations meets or exceeds the following requirements: | |
Safety: CE, CB Scheme, UL, CSA, CCC, BSMI, AR-S, GOST-R | |
EMC: CE, FCC, VCCI, ICES, BSMI, CCC, MIC, C-Tick, AR-S, GOST-R | |
Other: RoHS-compliant labeled, per WEEE (Waste Electrical and Electronics Equipment) Directive (2002/95/EC) | |
Oracle recommends that customers supply a managed switch for connecting KMAs to the tape drives on private service networks. Managed switches then would supply connectivity to the supplied unmanaged tape drive switches as well as any connectivity to customer supplied routers for wide area service network.
The following managed switches have been tested and are recommended by engineering:
3COM Switch 4500G 24-Port (3CR17761-91)
Extreme Networks Summit X150-24t Switch
Brocade ICX 6430 Switch.
Other managed switches can be used; however, there is only configuration guidance on the above listed switches.
Managed switches are recommended for the following reasons:
Improved serviceability through better switch diagnostics and service network troubleshooting.
Potential for minimizing single points of failure on the service network through use of redundant connections and spanning tree protocol.
Support for aggregation of the KMA service network interfaces to minimize single points of failure on the KMA's service interface.
Figure 1-12 provides an example of a managed switch configuration. In this example, if either KMA or either managed switch should fail, the drives still have a path from which they can communicate with the other KMA.
The OKM network should use a clean gigabit Ethernet connection for optimal replication and performance.
The Service Processor Network (ELOM or ILOM) should have spanning tree turned off or disabled.
Beginning with OKM 2.1 it is possible to aggregate physical Ethernet interfaces (LAN 2 and LAN 3) into a single virtual interface. Additional availability is achieved by aggregating these ports; if a failure occurs with either port, the other port maintains connectivity.
Make sure the Ethernet switch ports have the correct configuration. For example, switch ports should be:
Set to auto negotiate settings for duplex (should be full duplex).
Set to auto negotiate speed settings, the KMA ports are capable of gigabit speeds.
Using identical speeds, such as: both set to 100 Mbps (auto speed negotiating may work fine).
In this example the service network consists of two customer-provided managed switches that are cabled to three unmanaged switches, which contains redundant paths that require a spanning tree configuration. This example may be easily scaled for larger SL8500 drive configurations by adding additional KMAs, switch hardware, and tape drives.
Managed switches must be enabled for Spanning Tree whenever the cabling includes redundancy.
Unmanaged switches have two paths to the managed switches for redundancy.
Unmanaged switches are then cabled for connectivity to the tape drives (agents)
Each unmanaged switch connects 16 drives, cabled in groups of four: ports 1–4, 6–9, 11–14, and 16–19.
"Service Delivery Platform" (SDP) connects to each Managed Switch at Port 1.
Each key management appliance has four network connections. These include:
Management network for the X4170 M2 appliance
Service Processor (either ELOM or ILOM) network
Service network
Aggregated service network
The network ports are labeled differently between the X4170 M2 and X2100/X2100 M2 servers.
Table 1-5 KMA Network Connections - Sun Fire X2100 M2 and X2200 M2 Servers
Port | Description |
---|---|
LAN 0 | This is a required connection. This network is called the "Management Network" and connects the Oracle Key Manager (OKM) graphical user interface (GUI) to the KMAs in the cluster. This network can be local, remote, or a combination of both. Customers are expected to provide the management network. |
LAN 1* | This is the network connection for the Service Processor, the ILOM for an X4170 M2 server or the ELOM for an X2100 M2 or X2200 M2 server. |
LAN 2 | This is normally a required connection for the tape drives. This network is called the "Service Network" and connects to the tape drives, either directly or through Ethernet switches to create the network. |
LAN 3 | This is an optional connection with the Oracle Key Manager. This is the "Aggregated Network" connection with NET 2 or LAN 2. Aggregation, or IEEE 802.1AX-2008, is a networking term that describes the use of multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability. |

* Note – The ELOM IP address is most easily configured using a serial connection. Connect a DB9-to-DB9 serial null modem cable from a laptop PC serial port to the serial port on the server. This is a one time connection for the initial configuration.
Table 1-6 KMA Network Connections - Netra SPARC T4-1 and X4170 M2 Servers
Port | Description |
---|---|
SER MGT | The SER MGT RJ-45 port provides a serial connection to the ILOM. The ILOM IP address is most easily configured using this serial connection. |
NET MGT | The NET MGT RJ-45 port provides an optional Ethernet connection to the ILOM. This port is not available until you configure the ILOM IP address. |
NET 0 | The NET 0 RJ-45 port is a required connection to the Management Network. This network connects the server to the Oracle Key Manager GUI as well as to other KMAs in the cluster. The Management Network can be local, remote, or a combination of both. Customers are expected to provide the management network. |
NET 2 | The NET 2 RJ-45 port is a required connection to the Service Network. This network connects the server to the tape drives, either directly or through Ethernet switches, to create the network. |
NET 3 | The NET 3 RJ-45 port is an optional connection to the Aggregated Network and provides aggregation with NET 2. Aggregation, or IEEE 802.1AX-2008, is a networking term that describes using multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability. |
The initial setup of a KMA requires a terminal emulator on a laptop or monitor/keyboard assembly to access the Service Processor. The Service Processor is a remote console function that requires a network connection and IP address to use these functions.
All physical connections are from the rear of the KMA. See Figure 1-13 for Netra SPARC T4-1, Figure 1-14 for X2100 M2 and X2200 M2, and Figure 1-15 for X4170 M2.
Table 1-5 details the relationship between these connections on X2100/X2200 M2 servers and Table 1-6 shows the Netra SPARC T4-1 and X4170 M2 server connection descriptions.
Note: Each Ethernet connection (blue line) requires an IP address.
Enhancements made to OKM 2.1 included support for the newest implementation of the Internet Protocol Suite, or IP.
The current version, IPv4, uses a 32-bit number written as four groups of up to three digits separated by periods. Each group can be from 0 to 255, for example, 129.80.180.234.
Within these four groups are two identifiers, the network address and the host address. The first two groups (129.80) identify the network address, the second two groups (180.234) identify the host.
The new generation, IPv6, uses a 128-bit value written as eight groups of four hexadecimal characters separated by colons, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334 or, with the run of zero groups compressed, 2001:0db8:85a3::8a2e:0370:7334 (means the same as above).
IPv6 addresses are typically composed of two logical parts: a 64-bit network prefix, and a 64-bit host address, which is either automatically generated or assigned.
Important:
The Key Manager supports a "dual stack" implementation where both protocols are used within the system. However, not all applications use IPv6, for example, Domain Name System (DNS); therefore, IPv4 is still necessary.
Because every customer has different needs and requirements, Oracle's StorageTek automated tape library line provides a variety of libraries to meet these customers' demands.
Table 1-7 Tape Libraries
Tape Libraries | L700 | L1400 | 9310 | SL24 | SL48 | SL500 | SL3000 | SL8500 | SL150 |
---|---|---|---|---|---|---|---|---|---|
Minimum slots | 216 | 200 | 2,000 | 1 | 1 | 30 or 50 | 200 | 1,448 | 30 |
Maximum slots | 1,344 | 1,344 | 6,000 | 24 | 48 | 440 to 575 | 5,925 | 10,000 | 300 |
Complex/ACS | No | No | 144,000 | No | No | No | No | 100,000 | No |
Mixed-media | Yes | Yes | Yes | No | No | Yes | Yes | Yes | Yes |
Pass-thru ports | Yes (1) | Yes (1) | Yes | No | No | No | No | Yes | No |
Maximum drives | 24, 40 | 24, 40 | 80, 960 | 1 | 2 | 2, 18 | 56 | 64, 640 | 20 |
CAP size | 20–80 | 20–80 | 21 or 80 | Mailslots | Mailslots | 5–45 | 26 | 39 | Mailslot |
Number of CAPs | 1–4 | 1–4 | 4x20 | 0–1 | 1–3 | 1–5 | 101 | 2 | 1 |
Interface type | SCSI, FC | SCSI, FC | TCP/IP | SCSI, FC, SAS | SCSI, FC, SAS | SCSI, FC | SCSI, FC | TCP/IP | SCSI, FC |
Tape Technology (Encryption-capable Tape Drives Only) | | | | | | | | | |
T9840D (StorageTek) | Yes | Yes | Yes | No | No | No | Yes | Yes | No |
T10000A (StorageTek) | Yes | Yes | Yes | No | No | No | Yes | Yes | No |
T10000B (StorageTek) | Yes | Yes | Yes | No | No | No | Yes | Yes | No |
T10000C (StorageTek) | No | No | No | No | No | No | Yes | Yes | No |
T10000D (StorageTek) | No | No | No | No | No | No | Yes | Yes | No |
LTO4 (HP and/or IBM) | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
LTO5 (HP and/or IBM) | No | No | No | Yes for HP, no for IBM | Yes for HP, no for IBM | Yes | Yes | Yes | Yes for HP, no for IBM |
LTO6 (HP and/or IBM) | No | No | No | No | No | Yes for HP, no for IBM | Yes | Yes | Yes for HP, no for IBM |
StorageTek provides storage solutions for:
Small to large businesses and organizations
Enterprise and client-server platforms
Stand-alone and automated tape environments.
You can choose from the following tape drive models:
StorageTek T10000A
StorageTek T10000B
StorageTek T10000C
StorageTek T10000D
StorageTek T9840 Model D only
Hewlett Packard (HP) Linear Tape-Open (LTO) Generations 4, 5, and 6
International Business Machines (IBM) Linear Tape-Open (LTO) Generations 4, 5, and 6
Beginning with Version 2.1 and the latest tape drive firmware, the following drives are FIPS compliant.
Table 1-8 FIPS 140-2 Compliant Tape Drives
Tape Drive | FIPS 140-2 Level |
---|---|
T10000A | 1 |
T10000B | 2 |
T10000C | 1 |
T10000D | 1 |
T9840D | 1 |
LTO4 (HP and IBM) | No plans for FIPS* |
LTO5 (HP and IBM) | No plans for FIPS* |
LTO6 (HP) | No plans for FIPS* |

* LTO drives may be FIPS validated in their basic form but not necessarily in specific encryption applications.
FIPS 140-2 levels of security for the above tape drives include Levels 1 and 2.
Level 1 – The basic level with production-grade requirements.
Level 2 – Adds requirements for physical tamper evidence and role-based authentication. Built on a validated operating platform.
This selection provides a higher level of security for the KMAs and tape drives.
The T10000 tape drives are modular, high-performance tape drives designed for high-capacity storage.
These models of the T10000 support encryption:
T10000A
T10000B
T10000C
T10000D
Dimensions: The tape drive is:
8.89 cm (3.5 in.) high
14.6 cm (5.75 in.) wide
42.5 cm (16.75 in.) deep.
Capacity:
T10000B = 1 terabyte (TB) of uncompressed data
T10000C = 5 terabytes (TB) of uncompressed data
T10000D = 8 terabytes (TB) of uncompressed data
The T9840D tape drive is a small, high-performance, access-centric tape drive that has an average access time of just 8 seconds.
This drive obtains its high-performance by using a unique dual-hub cartridge design with midpoint load technology. This enables fast access and reduces latency by positioning the read/write head in the middle of the tape.
There are four models of the T9840; however, only the T9840D supports encryption.
Dimensions: The tape drive is:
8.25 cm (3.25 in.) high
14.6 cm (5.75 in.) wide
38.1 cm (15 in.) deep
Capacity: T9840D = 75 gigabytes (GB) of uncompressed data
For a variety of operating system platforms:
Enterprise mainframes (z/OS and OS/390)
Open system platforms (Windows, UNIX, and Linux)
Table 1-9 Tape Drive Comparison
Specification | T10K-A | T10K-B | T10K-C | T10K-D | T9840D | HP LTO4 | HP LTO5 | HP LTO6 | IBM LTO4 | IBM LTO5 | IBM LTO6 |
---|---|---|---|---|---|---|---|---|---|---|---|
Capacity (native) | 500 GB | 1 TB | 5 TB | 8 TB | 75 GB | 800 GB | 1.5 TB | 2.5 TB | 800 GB | 1.5 TB | 2.5 TB |
Transfer rates (native) | 120 MB/s | 120 MB/s | 240 MB/s | 254 MB/s | 30 MB/s | 120 MB/s | 140 MB/s | 160 MB/s | 120 MB/s | 140 MB/s | 160 MB/s |
Buffer size | 256 MB | 256 MB | 2 GB | 2 GB | 64 MB | 256 MB | 256 MB | 512 MB | 256 MB | 256 MB | 1 GB |
Load Time (seconds) | 16 | 16 | 13.1 | 13.0 | 8.5 | 19 | 12 | 22 | 15 | 12 | 12 |
Access (seconds) | 46 | 46 | 73.5 | 62.5 | 8 | 72 | 60 | 50 | 46 | 60 | 96 |
Tape speed (m/s) | 2–4.95 | 2–3.74 | 5.62 | 4.75 | 3.4 | 7.0 | — | 7.12 | 7.0 | — | 6.8 |
Rewind time (seconds) | 90 | 90 | 10-13 | 10-13 | 16/8 | 106/54 | 96/78 | 98/51 | 106/54 | 96/78 | 42 |
Unload Time (seconds) | 23 | 23 | 23 | 23 | 12 | 22 | 17 | 19 | 22 | 17 | 17 |
Interfaces | | | | | | | | | | | |
Fibre Channel | 2 & 4 Gb/s | 4 Gb/s | 4 Gb/s | 16 Gb/s | 4 Gb/s | 4 Gb/s | 8 Gb/s | 8 Gb/s | 4 Gb/s | 8 Gb/s | 8 Gb/s |
SCSI / SAS | n/a | n/a | n/a | n/a | n/a | Ultra-320 | n/a | 6 Gb SAS | Ultra-320 | n/a | 6 Gb SAS |
FICON / FCoE | 2 Gb/s / n/a | 2 Gb/s / n/a | 4 Gb/s / n/a | 8 Gb/s / 10 Gb/s | 2 Gb/s / n/a | | | | | | |
ESCON | n/a | n/a | n/a | n/a | 2 Gb/s | | | | | | |
Compatibility | | | | | | | | | | | |
Tracks | 768 | 1152 | 3,584 | 4608 | 576 | 896 | 1280 | 2176 | 896 | 1280 | 2176 |
Length–usable | 855 m (2805 ft) | 855 m (2805 ft) | 1,107 m (3,632 ft) | 1,107 m (3,632 ft) | 251 m (889 ft) | 820 m (2690 ft) | 850 m (2789 ft) | 846 m (2776 ft) | 820 m (2690 ft) | 850 m (2789 ft) | 846 m (2776 ft) |
VolSafe—WORM | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
For your information, the following tables provide tape drive and media comparisons.
Table 1-10 shows the media compatibilities for the T-Series (T10000 and T9840) drives:
Encryption-capable T-Series tape drives
Non-encryption T-Series tape drives
Table 1-10 T-Series Tape Drive Media Compatibilities
Task | Enrolled for Encryption | Not Enrolled for Encryption |
---|---|---|
Write new data encrypted | Yes | No |
Write new data not encrypted | No | Yes |
Read encrypted data with key available | Yes | No |
Read non-encrypted data | Yes | Yes |
Append non-encrypted data to encrypted tape | No | No |
Table 1-11 shows a comparison between:
Encryption-enabled and non-encrypted tape drives
Encrypted and non-encrypted media
Table 1-11 T-Series Tape Drive and Media Support
Tape Drive Types | Media Types: Non-encrypted Tapes | Media Types: Encrypted Tapes |
---|---|---|
Standard drive (non-encrypted) | | |
Encryption-capable drive | | |

Note: Both HP and IBM LTO tape drives are:
Future compatibility:
In the future, LTO drives will be capable of:
Reading and writing tapes from the current generation
Reading and writing tapes from one earlier generation
Reading tapes from two earlier generations
Note: Encryption is only supported with LTO4 and LTO5 Data Cartridges on LTO4 and LTO5 tape drives. To avoid problems, these drives will not write in normal or native modes once the drive is enabled for encryption.
When LTO encryption is controlled by the Oracle Key Manager, the LTO drives can behave differently from StorageTek T-Series drives. There can also be slight differences between the HP and IBM drives. These differences arise from specific aspects of the IBM and HP drive architecture.
Table 1-12, Table 1-13, and Table 1-14 list LTO4, LTO5, and LTO6 HP and IBM drive behavior.
Table 1-12 LTO4 Encryption Behavior
LTO4 Drive Performance | HP Implementation | IBM Implementation |
---|---|---|
Not Enrolled for Encryption | | |
Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO4 encrypted data | Error | Error |
Write LTO4 from BOT | OK non-encrypted | OK non-encrypted |
Read LTO3 tape | OK non-encrypted | OK non-encrypted |
LTO4 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO4 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
LTO4 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO4 append write to encrypted data (Read to EOD and write) | Error | Error |
Enrolled for Encryption | | |
Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO4 encrypted data | OK* encrypted | OK* encrypted |
Write LTO4 from BOT | OK* encrypted | OK* encrypted |
LTO4 append write to encrypted data | OK* encrypted | OK* encrypted |
Write LTO3 tape | OK non-encrypted (Note 4) | Error (Note 5) |
Read LTO3 tape | OK non-encrypted | OK non-encrypted |
LTO4 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO4 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO4 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
LTO4 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |
* If the correct key is available.
Note 1
IBM LTO drives do not allow the mixing of encrypted and non-encrypted data on a single tape.
Note 2
While this scenario allows appending encrypted data behind non-encrypted data, this has an operational benefit since it allows tapes pre-labeled with non-encrypted data to be used in HP LTO drives in the encrypting environment without having to re-label them.
Note 3
In this scenario, IBM drives will write encrypted data but will use the same key as they used to read the prior encrypted data on tape. The drive will not request a new key from the OKM when the write command is issued and this will ignore the Key Expiration Policy set by the OKM.
Note 4
HP drives will write tapes in non-encrypted mode. The LTO3 format does not support encryption, and this could be considered a security violation since HP LTO4/LTO5 drives can be made to write non-encrypted data simply by inserting an LTO3 cartridge.
Note 5
IBM drives will report an error if an attempt is made to write LTO3 tapes.
Table 1-13 LTO5 Encryption Behavior
LTO5 Drive Performance | HP Implementation | IBM Implementation |
---|---|---|
Not Enrolled for Encryption | | |
Read LTO5 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO5 encrypted data | Error | Error |
Write LTO5 from BOT | OK non-encrypted | OK non-encrypted |
Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO4 encrypted data | Error | Error |
Write LTO4 from BOT | OK non-encrypted | OK non-encrypted |
Read LTO3 | OK non-encrypted | OK non-encrypted |
LTO5 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO5 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
LTO5 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO5 append write to encrypted data (Read to EOD and write) | Error | Error |
LTO4 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO4 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
LTO4 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO4 append write to encrypted data (Read to EOD and write) | Error | Error |
Enrolled for Encryption | | |
Read LTO5 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO5 encrypted data | OK* encrypted | OK* encrypted |
Write LTO5 from BOT | OK* encrypted | OK* encrypted |
LTO5 append write to encrypted data | OK* encrypted | OK* encrypted |
Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO4 encrypted data | OK* encrypted | OK* encrypted |
Write LTO4 from BOT | OK* encrypted | OK* encrypted |
LTO4 append write to encrypted data | OK* encrypted | OK* encrypted |
LTO5 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO5 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO5 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
LTO5 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |
LTO4 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO4 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO4 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
LTO4 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |
Read LTO3 non-encrypted data | OK non-encrypted | OK non-encrypted |
* If the correct key is available.
Note 1
IBM LTO drives do not allow the mixing of encrypted and non-encrypted data on a single tape.
Note 2
While this scenario allows appending encrypted data behind non-encrypted data, this has an operational benefit since it allows tapes pre-labeled with non-encrypted data to be used in HP LTO drives in the encrypting environment without having to re-label them.
Note 3
In this scenario, IBM drives will write encrypted data but will use the same key as they used to read the prior encrypted data on tape. The drive will not request a new key from the OKM when the write command is issued and this will ignore the Key Expiration Policy set by the OKM.
Table 1-14 LTO6 Encryption Behavior
LTO6 Drive Performance | HP Implementation | IBM Implementation |
---|---|---|
Not Enrolled for Encryption | | |
Read LTO6 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO6 encrypted data | Error | Error |
Write LTO6 from BOT | OK non-encrypted | OK non-encrypted |
Read LTO5 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO5 encrypted data | Error | Error |
Write LTO5 from BOT | OK non-encrypted | OK non-encrypted |
Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
LTO6 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO6 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
LTO6 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO6 append write to encrypted data (Read to EOD and write) | Error | Error |
LTO5 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO5 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
LTO5 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
LTO5 append write to encrypted data (Read to EOD and write) | Error | Error |
Enrolled for Encryption | | |
Read LTO6 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO6 encrypted data | OK* encrypted | OK* encrypted |
Write LTO6 from BOT | OK* encrypted | OK* encrypted |
LTO6 append write to encrypted data | OK* encrypted | OK* encrypted |
Read LTO5 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO5 encrypted data | OK* encrypted | OK* encrypted |
Write LTO5 from BOT | OK* encrypted | OK* encrypted |
LTO5 append write to encrypted data | OK* encrypted | OK* encrypted |
Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
Read LTO4 encrypted data | OK* encrypted | OK* encrypted |
LTO6 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO6 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO6 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
LTO6 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |
LTO5 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO5 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
LTO5 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
LTO5 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |
* If the correct key is available.
Note 1
IBM LTO drives do not allow the mixing of encrypted and non-encrypted data on a single tape.
Note 2
While this scenario allows appending encrypted data behind non-encrypted data, this has an operational benefit since it allows tapes pre-labeled with non-encrypted data to be used in HP LTO drives in the encrypting environment without having to re-label them.
Note 3
In this scenario, IBM drives will write encrypted data but will use the same key as they used to read the prior encrypted data on tape. The drive will not request a new key from the OKM when the write command is issued and this will ignore the Key Expiration Policy set by the OKM.
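As an added example (not part of the Oracle documentation), the following Python sketch encodes the write rows of Tables 1-12 to 1-14 and Notes 1 to 5 as an audit over tape jobs, reporting the jobs that leave cleartext on tape or bypass key expiration. The `TapeJob` fields and job labels are hypothetical, the job records are constructed, drive generation is not modelled, and "OK encrypted" assumes the correct key is available.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TapeJob:                 # hypothetical record describing one write job
    vendor: str                # "HP" or "IBM" LTO drive
    enrolled: bool             # drive enrolled for encryption with OKM
    cartridge: str             # "LTO3" ... "LTO6"
    prior: str = "none"        # data already on tape: "none", "clear", "encrypted"
    to_eod: str = "space"      # append positioning: "space" or "read" to EOD

def assess(job):
    """Return (result, finding) for a write; finding is None when nothing is notable."""
    if not job.enrolled:
        if job.prior == "encrypted" and job.to_eod == "read":
            return "Error", None          # drive cannot read the encrypted data
        if job.prior == "encrypted":
            return "OK non-encrypted", "cleartext appended behind encrypted data"
        return "OK non-encrypted", None
    if job.cartridge == "LTO3":           # LTO3 format does not support encryption
        if job.vendor == "HP":
            return "OK non-encrypted", "Note 4: cleartext write on enrolled drive"
        return "Error", None              # Note 5: IBM reports an error
    if job.prior == "clear":
        if job.vendor == "HP":
            return "OK encrypted", "Note 2: clear and encrypted data mixed on tape"
        return "Error", None              # Note 1: IBM does not allow mixing
    if job.prior == "encrypted" and job.to_eod == "read" and job.vendor == "IBM":
        return "OK encrypted", "Note 3: prior read key reused, expiration policy ignored"
    return "OK encrypted", None

def audit(jobs):
    """Keep only the jobs that carry a finding, as (label, result, finding)."""
    out = []
    for label, job in jobs:
        result, finding = assess(job)
        if finding:
            out.append((label, result, finding))
    return out

# Constructed job records for illustration (not real logs).
JOBS = [
    ("job-1", TapeJob("HP", True, "LTO5")),
    ("job-2", TapeJob("HP", True, "LTO3")),
    ("job-3", TapeJob("IBM", True, "LTO3")),
    ("job-4", TapeJob("IBM", True, "LTO5", prior="encrypted", to_eod="read")),
    ("job-5", TapeJob("HP", True, "LTO4", prior="clear")),
    ("job-6", TapeJob("IBM", False, "LTO4", prior="encrypted")),
]

if __name__ == "__main__":
    for row in audit(JOBS):
        print(*row, sep=" | ")
```

Jobs that end in "Error" are not reported because the drive refused the write; the findings are the cases where a write succeeds in a way the encryption policy did not intend.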
Footnote Legend
Footnote 1: Multiple KMAs: Exceptions to this standard configuration must be made with the approval of Encryption Engineering, Professional Services, and Support Services.