1. Field of the Invention
The invention relates in general to tape storage systems and more particularly to the use of a device driver to function as a proxy between an encryption capable tape drive and a key manager.
2. Description of the Related Art
It is known to use high density, removable media storage libraries within a data storage system to provide large quantities of storage in networked computer systems. Typically, such data storage systems are employed for backup or other secondary storage purposes, but the data storage system may also be used as primary storage in circumstances that are conducive to sequential data access and the like. Often the data is stored on media cartridges, such as magnetic tapes or optical disks. Known media cartridges are capable of storing large quantities of data. A storage system may include a plurality of legacy storage devices (i.e., devices which are not specifically designed to work with a more current data storage system).
It is known for encryption capable drives to obtain keys either in-band (e.g., via Fibre Channel) from an application or out-of-band (e.g., over an interface with a library, such as an RS-422 interface). These modes of obtaining keys allow application managed keys and library managed keys, respectively.
However, an issue with encryption capable tape drives arises when data from legacy applications (i.e., applications which have not been modified to serve keys) is provided to the encryption capable tape drive. An additional issue arises when the encryption capable tape drives are located within legacy automated tape libraries (i.e., tape libraries which have not been modified to obtain keys from the drive transparently to the application). In either or both of these situations, the encryption capable tape drive may not be able to obtain an encryption key. This issue may also be present in other environments, e.g., if the encryption capable tape drive is in a bridge box or is rack mounted (and thus is not in automation), or if the encryption capable tape drive is in a hostile environment (such as in a silo of a manufacturer other than the manufacturer of the tape drive). It is likely that the hostile environment would not be motivated to enable key passing to the encryption capable tape drive.
In each of these situations, it is desirable to be able to provide keys to the encryption capable tape drive so that encryption can be performed transparently to any application executing within the data storage system.