You are currently on IBM Systems Media’s archival website. Click here to view our new website.

MAINFRAME > Storage > Tape

Encrypting Tape Storage

Taking the next step in mainframe-encryption capability.

Imagine this scenario: A delivery van picks up a package of data tapes from a company and heads to its remote archival site. The tapes contain sensitive personal information for thousands of customers. When the van reaches the destination, it's discovered the data tapes are missing. Whether the box of tapes is absent due to an accident or a theft, the outcome remains the same - sensitive data is missing. In the hands of sophisticated data thieves, the tapes can be read and the data compromised, leaving the customers subject to identity theft. Because of data loss, the company is vulnerable to the scrutiny of the press and possible litigation from their clients. The company's share price drops as a result. The IT department is harangued for its archival-tape procedures. The help desk is overwhelmed with calls, and recent regulations may dictate that each customer with data on the tape be contacted and advised of the situation. A simple tape delivery has grown into a crisis of major proportions.

Is this scenario far-fetched? Not at all. Just look at recent news stories for real-world examples of the mayhem caused by lost data tapes.

But what would happen if the tapes had been encrypted? Yes, the box of tapes would still be missing. But it would be almost impossible for a determined thief to timely decrypt the tape using even the best computer technology currently available. Instead of being criticized by the press, the company would be lauded for its advanced security policy, forethought and skill. The IT department would be celebrated. It would be a success story for the company and its IT procedures. Does that sound like a scenario invented in Hollywood? Nope. It's just encryption technology from IBM* to help make tapes as secure as possible.

Encryption and Secure Key Management

IBM has had key generation and encryption to support security for mainframe servers with the z/OS* operating system for more than 15 years. Similar facilities are widely used to help secure Internet transactions. In October 2005, this capability was extended with the introduction of Encryption Facility for z/OS - a software product that's designed to leverage the mainframe encryption accelerators to encrypt data that's then written to tape drives.

In the second half of 2006, IBM plans to further extend the options for customers by offering encryption in the IBM* System Storage* TS1120 tape drives - offloading the encryption activity from the mainframe. This option is designed to allow customers to encrypt the large files intended for remote recovery sites or for data archiving at tape hardware speeds.

With the tape subsystem-level encryption, you can use z/OS centralized key management to provide a store for the tape-encryption keys - designed to offer high security and vailability, long-term key management, a single point of control and excellent disaster-recovery (D/R) capabilities. Customers can opt to store their keys for all servers in the z/OS system; the interaction between the sites would be connected by TCP/IP for the transfer of key information.

IBM has had secure key generation and encryption for mainframe servers with the z/OS* operating system for more than 15 years.

Shirley S. Savage is a Maine-based freelance writer. Shirley can be reached at



2019 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.


8 Emerging Storage Trends of 2018

Available, Integrated, Deliverable

Data Facility Storage Management Subsystem 1.10 enhancements promise to simplify data management

Encrypting Tape Storage

Taking the next step in mainframe-encryption capability.

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
Mainframe News Sign Up Today! Past News Letters