1. Library Guide
  2. Drives
  3. Drive Encryption
  4. Library-Managed Encryption (LME)

Library-Managed Encryption (LME)

Library-Managed Encryption (LME) allows you to enroll the library as an agent with OKM instead of enrolling individual drives. The library then manages the keys for any encryption-enabled IBM LTO 6+ drives within the library.

Supported Drive Types

IBM LTO 6 and higher drives.

Currently, the library does not support library-managed encryption for IBM LTO 5, HP LTO, or T10000 drives. You should continue to use drive-enrolled encryption if you want to use encryption with these drive types. You cannot mix library-managed encryption with drive-enrolled encryption.

Benefits of LME

  • You only need to enroll the library as an agent with OKM, not individual drives.
  • The drives do to not require an encryption card (BEL or LKMD). Since the library handles the interface with OKM, the encryption card and permit is no longer needed to handle key requests.
  • The drives do not require encryption permits.

Configuration

LME requires minimum library firmware 1.1.0. Before enabling LME, all drives must be un-enrolled with OKM. Then, you must enable encryption on the library, enroll the SL4000 as an agent with OKM, and then enable encryption on specific drives within the library.

Can I use library-managed encryption and have drives individually enrolled with OKM?

No, you cannot have a mix of drives enrolled individually with OKM and drives enabled with library-managed encryption. You can only use either library-managed encryption or only drive-enrolled encryption, not both.

Before enabling library-managed encryption, you must un-enroll all drives with OKM. Likewise, before using drive-enrolled encryption, you must disable library-managed encryption. The library will automatically disable encryption on all drives when you disable encryption using the Configuration Wizard. However, you should verify that all drives have encryption disabled before enrolling individual drives with OKM.

To use encryption on a mixture of LTO and T10000 drives, you should continue to only use drive-enrolled encryption. You cannot use library-managed encryption at this time for IBM LTO 5, HP LTO, or T10000 drives.

Related Topics