LTO Ultrium Tape and Data Encryption

LTO Ultrium tape technology enables backup and archive data to be encrypted without having to invest in software or separate devices. The data is scrambled so that it is unreadable unless it is unlocked by the intended recipient. Encryption is an optional feature on all LTO vendors’ drives, but any standard LTO Ultrium cartridge can be used to write encrypted data.

What is data encryption?

Secret keys, known only to the sender and receiver, are used to encrypt and decrypt data. As well as protecting data confidentiality on its journey, encryption also provides a reliable way to confirm a person’s authority to see the information.

This is a far more robust way of protecting data in transit than simply encoding it with a scheme such as base64, where anyone who knows the algorithm can decode the data: encoding provides no secrecy at all.

How does data encryption work?

Data is encrypted (scrambled) using algorithms. An algorithm is simply a defined sequence of steps or rules for carrying out a process. An encryption algorithm is a sequence of instructions that makes information unreadable unless it is unlocked with a secret key.

Algorithms are used across the IT spectrum to automate and speed up a whole range of processes. Wherever security really matters, encryption algorithms are essential to protect data from loss and corruption, rapidly transforming information into unreadable code as it moves from A to B.

How is data encrypted?

One of two principal methods of data encryption, symmetric or asymmetric, is applied for data protection, depending on how the data is intended to be accessed and by whom.

  • Symmetric encryption uses a single, secret key for both encryption and decryption. Both the sender and receiver need to know this key. It is a faster method than asymmetric encryption and best used within closed systems: ideal for encrypting data stored off-site in LTO Ultrium tape archives. The most commonly used type of symmetric encryption is AES256-GCM.
  • Asymmetric or public-key encryption uses a pair of mathematically linked public and private keys that can only be used together. Either key can be used to encrypt data, but the paired key is required to decrypt it. This method is ideal for secure data sharing in open networks, like the internet, because you can make one of the keys well known (public) while keeping the other one secret (private). The most commonly used types of asymmetric encryption are ElGamal, RSA, DSA, and PKCS.

How is data encryption deployed on LTO tape?

LTO Ultrium tape uses a symmetric encryption system. A single secret key, known only to the sender and receiver, is sent to the tape drive at the start of the backup operation. This key is used to encrypt (and subsequently decrypt) the data as it is written to tape. The encryption key itself is never written to the cartridge, nor is it permanently retained in the drive, so neither the cartridge nor the drive yields the key should it become a target for theft.

[Figure: encryption and decryption process]

Backup and archive data is encrypted by the drive’s hardware, so there’s no need to invest in extra software or separate devices to get the strongest protection for data.

LTO drives use the 256-bit Advanced Encryption Standard with Galois/Counter Mode of Operation (AES256-GCM for short). It is authenticated encryption that achieves very high speeds in hardware with low cost and low latency.

Strong, hardware-based AES256-GCM provides both data confidentiality and data integrity in a single, easy-to-use solution, giving an extra layer of assurance that, in the event of deliberate or accidental damage, any altered data is detected and you can always get your data back.
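To make the confidentiality-plus-integrity point concrete, here is an added Go model (not LTO drive firmware or any vendor's code) of a drive that receives a 32-byte session key at the start of a job, writes records as AES-256-GCM nonce plus ciphertext and tag with no key on the "cartridge", and refuses to return data when the key is wrong or a byte has been altered. The per-job random nonce prefix, the counter layout and the `block-0001` header are assumptions of this model, not the LTO format's actual nonce scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
)

// Record is what lands on the simulated cartridge: nonce plus ciphertext||tag, never the key.
type Record struct {
	Nonce, Ciphertext []byte
}

// Drive models the encrypting tape drive for one backup job; the key lives only here, in memory.
type Drive struct {
	aead   cipher.AEAD
	prefix [4]byte // random per job (assumed scheme), so a reused key still gets fresh nonces
	count  uint64  // record counter within the job
}

// NewDrive loads the session key delivered at the start of the backup.
func NewDrive(key []byte) (*Drive, error) {
	block, err := aes.NewCipher(key) // rejects any length but 16/24/32 bytes; 32 selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block; 12-byte nonce, 16-byte tag
	d := &Drive{aead: aead}
	_, err = rand.Read(d.prefix[:])
	return d, err
}

// WriteRecord encrypts one block; the header (e.g. a block number) is authenticated but stays in clear.
func (d *Drive) WriteRecord(plaintext, header []byte) Record {
	nonce := make([]byte, d.aead.NonceSize())
	copy(nonce, d.prefix[:])
	binary.BigEndian.PutUint64(nonce[4:], d.count)
	d.count++
	return Record{Nonce: nonce, Ciphertext: d.aead.Seal(nil, nonce, plaintext, header)}
}

// ReadRecord decrypts and checks the tag: a wrong key, a flipped bit or an altered header yields an error.
func (d *Drive) ReadRecord(r Record, header []byte) ([]byte, error) {
	return d.aead.Open(nil, r.Nonce, r.Ciphertext, header)
}
```

A restore with the right key returns the original block; any other outcome is an explicit error rather than silently corrupt data, which is what "authenticated" buys over plain AES.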

How are encryption keys managed?

While key management is not part of the LTO Ultrium drive specification, the format is compatible with third-party key management software available from LTO licensees, tape automation providers, and independent software vendors.

Licences are provided to implement an encryption and key management solution that works across the whole organization, using the OASIS Key Management Interoperability Protocol (KMIP). KMIP defines how keys are exchanged between key management servers and clients, including those from different vendors.

KMIP licences offer automated encryption for sophisticated tape customers with multiple libraries and sites. One KMIP licence is installed for each tape library or autoloader, which is then enrolled in the KMIP key manager.

Encryption keys are managed by a cluster of KMIP servers. At least two KMIP servers in the cluster are required for redundancy and key safety. Each KMIP server replicates keys across the cluster over the network, so each server holds a local copy of all keys. Tape libraries and autoloaders use the KMIP cluster to create and acquire encryption keys for writing and reading.

For small sites and organizations, LTO Ultrium vendors may offer kits to deliver simple, low-cost encryption without the need to invest in a separate key management server.

The benefits of using LTO encryption to protect your data

    • Insurance against data loss

Data encryption helps protect information and avoid expensive recovery processes following data loss or damage. It mitigates the risk of data theft when shipping tapes on- and off-site.

    • Double the assurance your data is safe

Saving data on air-gapped LTO Ultrium tape is a critical step to safeguard data from ransomware attack. Saving encrypted backups of the key token to a safe location mitigates the risk that ransomware may also lock primary access to key tokens.

    • No need to buy special cartridges

Encryption can be implemented on any vendor’s drive or cartridge from LTO-5 onwards. The cartridges are the same, whether or not you want to use encryption.

    • High performance and low network overhead

Native hardware encryption typically reduces tape drive performance by less than 1%. This preserves tape capacity and data transfer speed and puts less of a drain on host resources. LTO-encrypting tape drives use GCM for combined encryption and authentication, which ensures high performance, unlike network appliance and software encryption, which introduce latency that can slow backup performance and require additional device management.