Patents by Inventor Paul Merrill Greco

Paul Merrill Greco has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7934247
    Abstract: Provided are techniques for determining whether to encrypt data. It is determined whether an element is to be encrypted based on an encryption policy, wherein the element comprises one of metadata and a data set. In response to determining that the element is to be encrypted, the element is encrypted and written to a data storage medium. In response to determining that the element is not to be encrypted, the element is written in the effective clear to the data storage medium.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: April 26, 2011
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Glen Alan Jaquette, Wayne Erwin Rhoten
  • Patent number: 7921294
    Abstract: Provided are a method, system, and article of manufacture in which a non-reversible signature of a symmetric cryptographic key is computed, wherein the symmetric cryptographic key is used to symmetrically encrypt data at rest in a storage device. The non-reversible signature is stored in association with the symmetrically encrypted data at rest in the storage device. The non-reversible signature is used to determine validity of a cryptographic key provided by a host for accessing the symmetrically encrypted data at rest in the storage device.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: April 5, 2011
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Shai Halevi, Glen Alan Jaquette
  • Patent number: 7903812
    Abstract: Provided are a method, system, and article of manufacture that maintains, at a decryption unit, an expected key identifier and an expected initialization vector. A key identifier and an initialization vector are received at the decryption unit, wherein a plurality of encrypted data records are preceded by the key identifier and the initialization vector in a data stream, and wherein the plurality of encrypted data records have been encrypted with a cryptographic key that is recoverable by the decryption unit from the key identifier. An initiation is made of the reading of the plurality of encrypted data records of the data stream, in response to determining at the decryption unit that the received key identifier matches the expected key identifier. Certain embodiments are implemented in a storage library, comprising at least one storage drive, and at least one decryption unit included in the at least one storage drive, wherein in certain embodiments the storage library is a tape library.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: March 8, 2011
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Melanie Jean Sandberg, Scott Jeffrey Schaffer
  • Patent number: 7877603
    Abstract: Provided are a method, system, and article of manufacture for configuring a storage drive to communicate with encryption and key managers. A storage drive receives a request to access a coupled removable storage media for drive operations. The storage drive obtains encryption status for the coupled removable storage media from an encryption manager. The storage drive determines from the obtained encryption status whether to encrypt the coupled removable storage media to access. The storage drive obtains at least one key from a key manager in response to determining to encrypt with respect to the coupled removable storage media. The storage drive performs data operations using the at least one key to encrypt data.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: January 25, 2011
    Assignee: International Business Machines Corporation
    Inventors: Brian Gerard Goodman, Paul Merrill Greco, Glen Alan Jaquette, Leonard George Jesionowski
  • Patent number: 7817799
    Abstract: Provided are a method, system, and article of manufacture, wherein a first write only register is maintained in an encryption engine of a cryptographic unit. A second write only register is maintained in a decryption engine of the cryptographic unit. A cryptographic key is written in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: October 19, 2010
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Melanie Jean Sandberg, Scott Jeffrey Schaffer
  • Patent number: 7783882
    Abstract: Provided are a method, system, and article of manufacture for recovering remnant encrypted data on a removable storage media. An end of data (EOD) marker is detected on a removable storage media, wherein a first encryption key is associated with data preceding the EOD marker. Following the EOD marker, an identifier of a second encryption key associated with data following the EOD marker is read in response to detecting the EOD marker. The identifier is used to access the second encryption key and the second encryption key is used to decrypt the data following the EOD marker.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: August 24, 2010
    Assignee: International Business Machines Corporation
    Inventors: Erika Marianna Dawson, Paul Merrill Greco, Glen Alan Jaquette, James Mitchell Karp
  • Patent number: 7757099
    Abstract: Provided are a method, system, removable storage cartridge, and article of manufacture for validating an encryption key file on a removable storage media. Copies of an encryption key file are written to multiple locations on a removable storage media, wherein data is encrypted and decrypted using an encryption key included in the encryption key file. A validation operation is performed on the copy of the encryption key file at one of the key locations, wherein the key locations comprise the locations on the removable storage media to which the encryption key files were written. In response to the copy of the encryption key file not validating, a command is sent to cause the data and valid copies of the encryption key file to be rewritten to a new storage media.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: July 13, 2010
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Hiroshi Itagaki, James Mitchell Karp, Hirokazu Nakayama, Toshiyuki Shiratori
  • Patent number: 7751559
    Abstract: Provided are a method, system and article of manufacture, wherein a cryptographic key generator generates a cryptographic key. The cryptographic key generator encrypts the cryptographic key with a session key that is available to both the cryptographic key generator and a cryptographic unit. The encrypted cryptographic key is transmitted across a link from the cryptographic key generator to the cryptographic unit.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: July 6, 2010
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Melanie Jean Sandberg, Scott Jeffrey Schaffer
  • Patent number: 7660943
    Abstract: A method, system, and a device have a data storage drive for an automated data storage library in which a data storage drive may have, in one embodiment, both a host-drive interface port and a host-library interface port. In one aspect, drive commands from a host system are conducted primarily through the host-drive interface port and a host-drive interface path to a drive controller of the data storage drive. In addition, library commands from the host system to a library controller may be conducted primarily through the host-library interface port and a host-library interface path to a library communication port of the data storage drive. In one embodiment, the drive commands from a host system are conducted primarily through the host-drive interface port and the host-drive interface path to a drive controller of the data storage drive.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: February 9, 2010
    Assignee: International Business Machines Corporation
    Inventors: Brian Gerard Goodman, Paul Merrill Greco, Glen Alan Jaquette, James Mitchell Karp
  • Patent number: 7650461
    Abstract: A magnetic tape cartridge, a recording system, and a magnetic tape drive are configured to, for example, guard against tampering with a write once overwrite protection pointer which allows a rewritable magnetic tape to be treated as write once. In one embodiment, the magnetic tape cartridge comprises a magnetic tape and a cartridge memory. The magnetic tape is configured to provide at least one overwrite protection pointer, the overwrite protection pointer identifying data to be protected from being overwritten; and the cartridge memory is configured to provide the at least one overwrite protection pointer, the overwrite protection pointer identifying magnetic tape data to be protected from being overwritten.
    Type: Grant
    Filed: September 8, 2008
    Date of Patent: January 19, 2010
    Assignee: International Business Machines Corporation
    Inventors: Kirby Grant Dahman, Paul Merrill Greco, Glen Alan Jaquette, Steven Michael Wallace
  • Publication number: 20090327746
    Abstract: Provided is a data storage drive for encrypting data, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a session key, wherein a result is a data key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium. Also provided is a system, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a private key, wherein a result is a secret key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium.
    Type: Application
    Filed: April 10, 2007
    Publication date: December 31, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul Merrill Greco, Glen Alan Jaquette, Scott Jeffrey Schaffer
  • Publication number: 20090208017
    Abstract: A label corresponding to a cryptographic key is stored at a first computational device. A user provided label is received at a second computational device. The user provided label is sent from the second computational device to the first computational device. The user provided label is compared to the label stored at the first computational device. The cryptographic key is used to perform cryptographic operations on data, in response to determining that the user provided label matches the label stored at the first computational device.
    Type: Application
    Filed: February 20, 2008
    Publication date: August 20, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ahmed M. Almoustafa, Brian Gerard Goodman, Paul Merrill Greco, Glen Alan Jaquette, Leonard George Jesionowski, Aaron S. Palazzolo, Michael L. Taylor, An Thien Tran
  • Publication number: 20090175451
    Abstract: A method, system, and computer program product are provided for utilizing target of opportunity to perform at least one special operation while a key session is opened with a key manager for another purpose. The method of recognizing a target of opportunity includes receiving a command to be performed on a removable storage medium and determining if the command requires interaction with the encryption key manager. If it is determined that the command requires interaction with the key manager the command is held off. A request is sent to the encryption key manager. A target of opportunity is recognized by determining if at least one special operation may be performed. If it is determined that at least one special operation may be performed then the at least one special operation and the request are performed.
    Type: Application
    Filed: January 8, 2008
    Publication date: July 9, 2009
    Applicant: IBM CORPORATION
    Inventors: Paul Merrill Greco, Glen Alan Jaquette
  • Publication number: 20090174961
    Abstract: A method is provided for utilizing target of opportunity to perform at least one special operation while a removable storage medium is mounted within a data storage drive for another purpose. A target of opportunity is recognized by determining if at least one special operation may be performed by the data storage drive. If it is determined that at least one special operation may be performed then a first notification that the data storage drive is to remain in a not ready state is sent in response. At least one special operation is performed, and in response to the at least one special operation being performed, a second notification is sent that the removable storage medium is in a ready state or an error state.
    Type: Application
    Filed: January 8, 2008
    Publication date: July 9, 2009
    Applicant: IBM CORPORATION
    Inventors: Paul Merrill Greco, Glen Alan Jaquette
  • Publication number: 20090177314
    Abstract: A system and computer program product are provided for utilizing target of opportunity to perform at least one special operation while a removable storage medium is mounted within a data storage drive for another purpose. The system comprises a tape library and a tape drive coupled to the tape library. The tape library receives a command to mount a tape cartridge in the tape drive. If it is determined by the tape library that at least one special operation may be performed, then the tape library has recognized that a target of opportunity exists. In response to determining that at least one special operation may be performed, the tape library sends a first notification that the tape drive is to remain in a not ready state. The tape library mounts the tape cartridge in the tape drive after determining that at least one special operation may be performed.
    Type: Application
    Filed: January 8, 2008
    Publication date: July 9, 2009
    Inventors: Paul Merrill Greco, Glen Alan Jaquette
  • Publication number: 20090174965
    Abstract: A system and computer program product are provided for utilizing target of opportunity to perform at least one special operation while a removable storage medium is mounted within a data storage drive for another purpose. The system for recognizing a target of opportunity comprises a tape drive. The tape drive receives a command to mount a tape cartridge in the tape drive, and in response the tape drive mounts the tape cartridge in the tape drive. The tape drive determines if at least one special operation may be performed. If it is determined that at least one special operation may be performed, the tape drive recognizes that a target of opportunity exists. In response to determining that at least one special operation may be performed, the tape drive sends a first notification that the tape drive is to remain in a not ready state.
    Type: Application
    Filed: January 8, 2008
    Publication date: July 9, 2009
    Applicant: IBM CORPORATION
    Inventors: Paul Merrill Greco, Glen Alan Jaquette
  • Patent number: 7511915
    Abstract: Provided are a method, system, and article of manufacture for writing data in a tape medium having wraps. A layout of the tape is provided including at least one segment within a full length of first set of wraps for writing user data and at least one segment within a full length of a second set of wraps for writing a work copy of the user data. User data is received to write to the tape medium. Detection is made of whether data writing is occurring in a specified write mode. A work copy is written to available segments in the second set of wraps not having user data in response to the data writing occurring in the specified write mode.
    Type: Grant
    Filed: April 11, 2007
    Date of Patent: March 31, 2009
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Glen Alan Jaquette, James Mitchell Karp, Hirokazu Nakayama
  • Publication number: 20090052664
    Abstract: Disclosed is a method for eliminating access to data on removable storage media of a removable storage media cartridge. A key is stored on the removable storage media cartridge, such that data on the removable storage media is accessible with the key. Upon receiving a command to eliminate access to data on the removable storage media the key is shredded such that access to data on the removable storage media is eliminated.
    Type: Application
    Filed: August 20, 2007
    Publication date: February 26, 2009
    Inventors: Brian Gerard Goodman, Paul Merrill Greco, Glen Alan Jaquette
  • Publication number: 20090052665
    Abstract: A system and a computer program product are disclosed for eliminating access to data on removable storage media of a removable storage media cartridge. The system comprises a data storage drive that stores a key on the removable storage media cartridge, such that data on the removable storage media is accessible with the key. Upon receiving a command to eliminate access to data on the removable storage media the data storage drive shreds the key such that access to data on the removable storage media is eliminated.
    Type: Application
    Filed: August 20, 2007
    Publication date: February 26, 2009
    Inventors: Brian Gerard Goodman, Paul Merrill Greco, Glen Alan Jaquette
  • Patent number: 7483231
    Abstract: An apparatus, system, and method are disclosed for redundant identification of a storage medium format. The apparatus for redundant identification of a storage medium format is provided with a plurality of modules configured to functionally execute the necessary steps of writing a Format Identification Data Set (“FID”) to a plurality of predetermined locations on the storage medium, determining a format of the storage medium based on information in the FID, and setting a starting position on the storage medium for a subsequent operation, wherein the starting position is associated with the format of the storage medium. These modules in the described embodiments include a write module, a determination module, and a position module. In a further embodiment, the storage medium may include a data storage tape housed within a tape cartridge, wherein the tape cartridge further comprises a cartridge memory (“CM”) for storing a CM FID.
    Type: Grant
    Filed: October 26, 2006
    Date of Patent: January 27, 2009
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Hiroshi Itagaki, Takashi Katagiri, Hirokazu Nakayama