Abstract: Exemplary method, system, and computer program product embodiments for cryptographic erasure of selected encrypted data are provided. In one embodiment, by way of example only, data files are configured with a derived key. The derived keys adapted to be individually shredded in a subsequent erasure operation. The derived key allows for cryptographic erasure of the selected encrypted data in the data files without necessitating at least one of removal and rewrite of retained data. Additional system and computer program product embodiments are disclosed and provide related advantages.

Abstract: Provided are a computer program product, system and method for a redundant key server encryption environment. A key server receives from at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key, a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server, and at least one additional wrapped encryption key by encrypting the encryption key with the at least one public key provided by the at least one remote key server. The key server transmits the generated keys to the requesting device.

Abstract: An apparatus, system, and method are disclosed for read back verification of stored data. A file CRC module calculates a first file CRC for a data file. A segmentation module segments the data file into a plurality of data blocks that comprise a copy of the data file. A block CRC module calculates a data block CRC for each data block. An aggregated CRC module calculates a second file CRC from the data block CRCs. In addition, the aggregated CRC module verifies copy of the data file if the second file CRC is substantially equivalent to the first file CRC.

Abstract: A method for determining volume coherency is disclosed herein. Upon completing a first write job to a volume partition, the method makes a copy of a volume change reference (VCR) value associated with the volume. The VCR value is configured to change in a non-repeating manner each time content on the volume is modified. Prior to initiating a second write job to the volume partition, the method retrieves the copy and compares the copy to the VCR value. If the copy matches the VCR value, the method determines that a logical object on the partition was not modified between the first and second write jobs. If the copy does not match the VCR value, the method determines that the logical object on the partition was modified between the first and second write jobs. A corresponding system and computer program product are also disclosed herein.

Abstract: Provided are a computer program product, system and method for a redundant key server encryption environment. A key server transmits public keys associated with the key server and at least one device to at least one remote key server. The key server receives from the at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device comprising one of the at least one device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key associated with the requesting device. The key server generates a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server.

Abstract: Provided are a computer program product, system and method for a redundant key server encryption environment. A key server receives from at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key, a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server, and at least one additional wrapped encryption key by encrypting the encryption key with the at least one public key provided by the at least one remote key server. The key server transmits the generated keys to the requesting device.

Abstract: A label corresponding to a cryptographic key is stored at a first computational device. A user provided label is received at a second computational device. The user provided label is sent from the second computational device to the first computational device. The user provided label is compared to the label stored at the first computational device. The cryptographic key is used to perform cryptographic operations on data, in response to determining that the user provided label matches the label stored at the first computational device.

Abstract: Control of the encryption of data for storage with respect to removable data storage cartridges having a recording media and having cartridge memory with at least a portion lockable to read-only, employs the steps of inspecting the read-only portion of the cartridge memory of the removable data storage cartridge for an “Encrypt-Only” flag. If the “Encrypt-Only” flag is present, writes to the recording media of the removable data storage cartridge are limited to data in an encrypted format, if any; and, else, writes to the recording media of the removable data storage cartridge are allowed for data in any of encrypted and unencrypted formats.

Abstract: Provided are a method, system, and article of manufacture for managing metadata for data blocks used in a deduplication system. File metadata is maintained for files having data blocks in a computer readable device. Data block metadata is maintained for each data block in the computer readable device. The data block metadata for one data block includes a data block reference and content identifier identifying content of the data block. The file metadata for each file includes the data block reference to each data block in the file. A determination is made of an unreferenced data block in the computer readable device that has become unreferenced. Indication is made that the data block metadata for the determined unreferenced data block as unreferenced metadata. The data block reference of the unreferenced metadata is maintained in the computer readable device in response to determining that a includes the data block indicated in the unreferenced metadata.

Abstract: Provided are a method, system, and article of manufacture for rekeying encryption keys for removable storage media. A rekey request is received for a coupled removable storage media, wherein encryption on the coupled removable storage media uses a first key and wherein the rekey request indicates a second key. The first key and the second key are accessed in response to the rekey request. The first key is used to perform decryption for the coupled removable storage media and the second key is used to perform encryption for the coupled removable storage media.

Abstract: Provided are a method, system, and article of manufacture for rekeying encryption keys for removable storage media. A rekey request is received for a coupled removable storage media, wherein encryption on the coupled removable storage media uses a first key and wherein the rekey request indicates a second key. The first key and the second key are accessed in response to the rekey request. The first key is used to perform decryption for the coupled removable storage media and the second key is used to perform encryption for the coupled removable storage media.

Abstract: A non-volatile redundant verifiable indication of data storage status is provided with respect to data storage operations conducted with respect to removable data storage media, and store the indication with an auxiliary non-volatile memory of the data storage media, such that the indication stays with the media. At least one state value indicating the status of the data storage operation is written to one page of the auxiliary non-volatile memory, and a redundancy check is provided with respect to at least the written state value of the one page of the auxiliary non-volatile memory; and the same state value is written to a second page of the auxiliary non-volatile memory, and a redundancy check is provided with respect to at least the written state value of the second page of the auxiliary non-volatile memory. The redundancy checks indicate the validity of the state values.

Abstract: A method is provided for utilizing target of opportunity to perform at least one special operation while a removable storage medium is mounted within a data storage drive for another purpose. A target of opportunity is recognized by determining if at least one special operation may be performed by the data storage drive. If it is determined that at least one special operation may be performed then a first notification that the data storage drive is to remain in a not ready state is sent in response. At least one special operation is performed, and in response to the at least one special operation being performed, a second notification is sent that the removable storage medium is in a ready state or an error state.

Abstract: Provided are a computer program product, system and method for a redundant key server encryption environment. A key server transmits public keys associated with the key server and at least one device to at least one remote key server. The key server receives from the at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device comprising one of the at least one device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key associated with the requesting device. The key server generates a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server.

Abstract: A method, system and program are disclosed for efficiently processing host data which comprises encrypted and non-encrypted data and is to be written to a storage medium. The encrypted data is written to the storage medium in encrypted form. The non-encrypted data is encrypted by a storage device using a well known encryption key and written to the storage medium. In this way, the data that is processed by the storage device to and from the storage medium can always be processed through a single encryption engine.

Abstract: Provided are techniques for key generation and retrieval. Unique identifiers of two or more key servers are stored, wherein each key server is capable of generating keys for encryption of data and of returning keys for decryption of data. A key request is received. A technique for selecting one of the key servers to which the key request is to be forwarded is identified. One of the key servers is selected using the identified technique. The key request is sent to the identified key server.

Abstract: Provided are techniques for determining whether to encrypt data. It is determined whether an element is to be encrypted based on an encryption policy, wherein the element comprises one of metadata and a data set. In response to determining that the element is to be encrypted, the element is encrypted and written to a data storage medium. In response to determining that the element is not to be encrypted, the element is written in the effective clear to the data storage medium.

Abstract: Provided are a method, system, and article of manufacture in which a non-reversible signature of a symmetric cryptographic key is computed, wherein the symmetric cryptographic key is used to symmetrically encrypt data at rest in a storage device. The non-reversible signature is stored in association with the symmetrically encrypted data at rest in the storage device. The non-reversible signature is used to determine validity of a cryptographic key provided by a host for accessing the symmetrically encrypted data at rest in the storage device.

Abstract: Provided is a method, system, and program for enabling access to data in a storage medium within one of a plurality of storage cartridges capable of being mounted into a interface device. An association is provided of at least one coding key to a plurality of storage cartridges. A determination is made of one coding key associated with one target storage cartridge, wherein the coding key is capable of being used to access data in the storage medium within the target storage cartridge. The determined coding key is encrypted. The coding key is subsequently decrypted to use to decode and code data stored in the storage medium.

Abstract: A computer program product for operating an automated data storage library with storage shelves, data storage drive(s), a bus bar; and a robot accessor with a drive system for moving the robot accessor, an accessor communication interface, a bus bar relay configured to engage and disengage the bus bar; and a robot control configured to operate the drive system to move the robot accessor, to operate a picker, and to operate the bus bar relay to engage the bus bar when the robot accessor is stationary, to provide communication capability with a library communication interface via the bus bar relay and the bus bar when the bus bar relay engages the bus bar. Additionally, a second communication system may be provided between the robot accessor and the automated data storage library, which is operable at least when the robot accessor is moving.