Abstract: A magnetic tape cartridge, a recording system, and a magnetic tape drive are configured to, for example, guard against tampering with a write once overwrite protection pointer which allows a rewritable magnetic tape to be treated as write once. In one embodiment, the magnetic tape cartridge comprises a magnetic tape and a cartridge memory. The magnetic tape is configured to provide at least one overwrite protection pointer, the overwrite protection pointer identifying data to be protected from being overwritten; and the cartridge memory is configured to provide the at least one overwrite protection pointer, the overwrite protection pointer identifying magnetic tape data to be protected from being overwritten.

Abstract: A magnetic tape cartridge, a recording system, and a magnetic tape drive are configured to, for example, guard against tampering with a write once overwrite protection pointer which allows a rewritable magnetic tape to be treated as write once. In one embodiment, the magnetic tape cartridge comprises a magnetic tape and a cartridge memory. The magnetic tape is configured to provide at least one overwrite protection pointer, the overwrite protection pointer identifying data to be protected from being overwritten; and the cartridge memory is configured to provide the at least one overwrite protection pointer, the overwrite protection pointer identifying magnetic tape data to be protected from being overwritten.

Abstract: A method, system and program are disclosed for efficiently processing host data which comprises encrypted and non-encrypted data and is to be written to a storage medium. The encrypted data is written to the storage medium in encrypted form. The non-encrypted data is encrypted by a storage device using a well known encryption key and written to the storage medium. In this way, the data that is processed by the storage device to and from the storage medium can always be processed through a single encryption engine.

Abstract: An apparatus, system, and method are disclosed for redundant identification of a storage medium format. The apparatus for redundant identification of a storage medium format is provided with a plurality of modules configured to functionally execute the necessary steps of writing a Format Identification Data Set (“FID”) to a plurality of predetermined locations on the storage medium, determining a format of the storage medium based on information in the FID, and setting a starting position on the storage medium for a subsequent operation, wherein the starting position is associated with the format of the storage medium. These modules in the described embodiments include a write module, a determination module, and a position module. In a further embodiment, the storage medium may include a data storage tape housed within a tape cartridge, wherein the tape cartridge further comprises a cartridge memory (“CM”) for storing a CM FID.

Abstract: Provided are a method, system, and article of manufacture in which a non-reversible signature of a symmetric cryptographic key is computed, wherein the symmetric cryptographic key is used to symmetrically encrypt data at rest in a storage device. The non-reversible signature is stored in association with the symmetrically encrypted data at rest in the storage device. The non-reversible signature is used to determine validity of a cryptographic key provided by a host for accessing the symmetrically encrypted data at rest in the storage device.

Abstract: Provided are a method, system and article of manufacture, wherein a cryptographic key generator generates a cryptographic key. The cryptographic key generator encrypts the cryptographic key with a session key that is available to both the cryptographic key generator and a cryptographic unit. The encrypted cryptographic key is transmitted across a link from the cryptographic key generator to the cryptographic unit.

Abstract: Provided are a method, system, and article of manufacture for configuring a storage drive to communicate with encryption and key managers. A storage drive receives a request to access a coupled removable storage media for drive operations. The storage drive obtains encryption status for the coupled removable storage media from an encryption manager. The storage drive determines from the obtained encryption status whether to encrypt the coupled removable storage media to access. The storage drive obtains at least one key from a key manager in response to determining to encrypt with respect to the coupled removable storage media. The storage drive performs data operations using the at least one key to encrypt data.

Abstract: Provided are techniques for copying data. Encrypted data from a first data storage medium is identified. A raw read of encrypted data from the first data storage medium is performed without decrypting the encrypted data. A raw write of the encrypted data to a second data storage medium is performed without again encrypting the encrypted data.

Abstract: Provided are techniques for determining whether to encrypt data. It is determined whether an element is to be encrypted based on an encryption policy, wherein the element comprises one of metadata and a data set. In response to determining that the element is to be encrypted, the element is encrypted and written to a data storage medium. In response to determining that the element is not to be encrypted, the element is written in the effective clear to the data storage medium.

Abstract: Provided are a method, system, and article of manufacture that maintains, at a decryption unit, and expected key identifier and an expected initialization vector. A key identifier and an initialization vector are received at the decryption unit, wherein a plurality of encrypted data records are preceded by the key identifier and the initialization vector in a data stream, and wherein the plurality of encrypted data records have been encrypted with a cryptographic key that is recoverable by the decryption unit from the key identifier. An initiation is made of the reading of the plurality of encrypted data records of the data stream, in response to determining at the decryption unit that the received key identifier matches the expected key identifier. Certain embodiments are implemented in a storage library, comprising at least one storage drive, and at least one decryption unit included in the at least one storage drive, wherein in certain embodiments the storage library is a tape library.

Abstract: Provided are a method, system, and article of manufacture recovering remnant encrypted data on a removable storage media. An end of data (EOD) marker is detected on a removable storage media, wherein a first encryption key is associated with data preceding the EOD marker. Following the EOD marker, an identifier of a second encryption key associated with data following the EOD marker is read in response to detecting the EOD marker. The identifier is used to access the second encryption key and the second encryption key is used to decrypt the data following the EOD marker.

Abstract: Provided are a method, system, and article of manufacture, wherein a first write only register is maintained in an encryption engine of a cryptographic unit. A second write only register is maintained in a decryption engine of the cryptographic unit. A cryptographic key is written in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit.

Abstract: Provided are a method, system, removable storage cartridge, and article of manufacture for validating an encryption key file on a removable storage media. Copies of an encryption key file are written to multiple locations on a removable storage media, wherein data is encrypted and decrypted using an encryption key included in the encryption key file. A validation operation is performed on the copy of the encryption key file at one of the key locations, wherein the key locations comprise the locations on the removable storage media to which the encryption key files were written. In response to the copy of the encryption key file not validating, a command is sent to cause the data and valid copies of the encryption key file to be rewritten to a new storage media.

Abstract: Provided are techniques for key generation and retrieval. Unique identifiers of two or more key servers are stored, wherein each key server is capable of generating keys for encryption of data and of returning keys for decryption of data. A key request is received. A technique for selecting one of the key servers to which the key request is to be forwarded is identified. One of the key servers is selected using the identified technique. The key request is sent to the identified key server.

Abstract: Provided are a method, system, and program for writing data in a tape medium having wraps. A layout of the tape is provided including at least one segment within a full available length of a first set of wraps for writing user data and at least one segment within a full length of a second set of wraps for writing a work copy of the user data. User data is received to write to the tape medium and detecting is performed as to whether the data being written is occurring in a specified write mode. If the data writing is not occurring in the specified write mode, then writing the received user data to one segment in the first set of wraps. If the data writing is occurring in the specified write mode, then writing a work copy to available full length wraps not having user data.

Abstract: Synchronized data is written to magnetic tape while reducing the number of backhitches. A controller detects a pattern of synchronizing events for received data records to be written to tape; writes each transaction of data records to the magnetic; tape; accumulates the synchronized transactions in a buffer; and subsequently recursively writes the accumulated transactions of data records from the buffer to the magnetic tape in a sequence. A single backhitch may be employed to place the recursively written accumulated data records following the preceding data, maximizing performance and capacity.

Abstract: Provided are a method, system and article of manufacture for writing on a storage media. Data is received from a host. A determination is made whether the received data can potentially form a trailer record on the storage media. If the received data does not potentially form the trailer record, then the received data is written to the storage media.

Abstract: Provided are a method, system, and program for encoding data onto a storage medium. Host data is received and a plurality of device blocks are generated to include the host data. A directory is generated including entries for physical locations on the storage medium, wherein each entry identifies one device block at the physical location corresponding to the entry, and wherein the directory is used to access data on the storage medium. The directory entries are encoded in the device blocks written to the storage medium.

Abstract: A sequential buffer for a magnetic tape data storage system comprises a plurality of segments. A buffer management system buffers data in the sequential buffer, conducting a data transfer process. Subsequently, some of the buffered data is maintained in some, but less than all, the segments of the buffer. Additionally, the maintained buffered data is indicated as VALID data. Thus, a subsequent process may be conducted directly using the data maintained in the buffer, and avoids moving the tape to reread the data.

Abstract: Backspacing over data to overwrite the data as recorded on magnetic tape is provided logically, rather than by causing a magnetic tape to drive to backhitch. The data is written to the magnetic tape as it was before it was logically changed in order to insure that the data is preserved on tape. Recovery of the data is from a succeeding data set which logically invalidates the original data by a superseding identifier. Control logic arranges data transactions for writing to magnetic tape as data sets; and, in response to backspace and overwrite commands, or when transactions are accumulated into a succeeding data set, rewrites the original transaction adjusted in accordance with the commands as a superseding data set downstream from the original transaction, logically invalidating the original transaction by setting a superseding identifier in the superseding data set(s).