table of contents
| TAPE390_CRYPT(8) | System Manager's Manual | TAPE390_CRYPT(8) |
NAME¶
tape390_crypt - encryption support for zSeries tape devices.
SYNOPSIS¶
tape390_crypt [OPTION] [DEVICE]
DESCRIPTION¶
tape390_crypt exploits encryption features available in zSeries tape devices. It can be used to enable or disable tape encryption and to set KEK (Key Encrypting Key) labels.
OPTIONS¶
- -h or --help
- Print help information, then exit.
- -v or --version
- Print version information, then exit.
- -q or --query
- Print current encryption status of the specified tape device and of the loaded medium. If encryption is on and the medium is encrypted , additional information on the encryption keys is displayed.
- -e {on|off} or --encryption={on|off}
- sets tape encryption on or off.
- -k <value>[<char>label|<char>hash] or --key=<value>[<char>label|<char>hash]
- sets tape encryption keys.
<value> specifies the KEK (Key Encrypting Key), which can be maximal 64 characters long.
The store type (either label or hash) specifies how the KEK in <value> is to be stored on the tape medium. Since labels are human readable strings and hence more user friendly than hashes, the default store type is label.
The -k option can only be specified, if the tape medium is at load point.
While processing the -k option, the tape medium is initialized and all data eventually contained on the tape medium is lost. To avoid inadvertent data loss a prompt message is issued asking the user whether he or she really wants to proceed.
The -k option can be specified maximal twice, because on the tape medium maximal two EEDKs (External Encrypted Data Keys) can be stored. If specified once, two identical EEDKs are stored.
<char> is a character separating the KEK in <value> from the store type (either label or hash). This delimiter can be specified with the -d option as explained below. - -d <char> or --delimiter=<char>
- specifies the character which separates the KEK in <value> from the store type (either label or hash). The default delimiter is : (colon). The -d option can only be specified together with the -k option.
- -f or --force
- specifies that no prompt message is to be issued before writing the KEK information and initializing the tape medium. The -f option can only be specified together with the -k option.
- device
- specifies the device node of the tape device.
EXAMPLES¶
1. Scenario:
mount non-encrypted tape and write data with the default KEKs:
tape390_crypt -e on /dev/ntibm0
tar cfz /dev/ntibm0 /data
2. Scenario:
mount non-encrypted tape and write data with specific KEKs:
tape390_crypt -k my_first_key -k my_second_key:hash /dev/ntibm0
tar cfz /dev/ntibm0 /data
3. Scenario:
mount tape and display current encryption status:
tape390_crypt -q /dev/ntibm0
| Apr 2006 | s390-tools |