CA Tape Encryption and Tape Management Systems
The following points outline some of the considerations relating to the requirements for retiring keys with CA Tape Encryption and your tape management system:
- CA Tape Encryption works with your tape management system to automatically remove from the key repository any keys that are no longer needed to decrypt data.
- The tape management system provides the status of encrypted tape files to CA Tape Encryption.
- The tape management system informs CA Tape Encryption when it no longer needs a specific key instance because all tape files encrypted with that key have been scratched and overwritten (reused) or the tape volumes have been removed from the tape management system's database.
- By default, the key removal logic is not performed automatically.
- If you activate key removal in your configuration, CA Tape Encryption does not immediately delete a key that the tape system has identified as no longer being in use.
- A grace period of 90 days occurs before a key that is identified as no longer in use is finally removed from the key repository.
- If a key is identified as no longer in use and is later found to be in use, the key is automatically taken off the queue of keys to delete.
- If you have CA Tape Encryption Option for CA Vtape or CA Tape Encryption Option for CA Disk, the keys must be tracked by your tape management system. If you have CA 1 or CA TLMS as your tape management system, your keys will be managed without your having to purchase any additional CA Tape Encryption options.
- For sites that do not have CA Tape Encryption Option for CA Vtape or CA Tape Encryption Option for CA Disk, if you want to take advantage of the ability of CA Tape Encryption to deactivate old keys, you must be running a tape management system that supports CA Tape Encryption. These include the following:
  - CA 1
  - CA TLMS
  - Any third-party tape management system that provides a PTF with BES Key Index tracking support for CA Tape Encryption.
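The retirement rules listed above (removal off by default, a 90-day grace period, and removal from the delete queue when a key is found in use again) can be modeled as a small state machine. This is an added illustration, not CA Tape Encryption code: the class and method names are hypothetical. It assumes that a repeated "unused" report does not restart the clock and that a key becomes removable once a full 90 days have elapsed.

```python
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=90)  # grace period stated on this page


class KeyRetirementQueue:
    """Hypothetical model of the pending-deletion queue described above."""

    def __init__(self, removal_enabled=False):
        # Per the page, key removal is not performed unless it is activated.
        self.removal_enabled = removal_enabled
        self.repository = set()   # key instances still held
        self.pending = {}         # key id -> date it was reported unused

    def add_key(self, key_id):
        self.repository.add(key_id)

    def report_unused(self, key_id, on):
        """Tape management system reports that no tape file needs this key."""
        if self.removal_enabled and key_id in self.repository:
            # Assumption: a repeated report keeps the original queue date.
            self.pending.setdefault(key_id, on)

    def report_in_use(self, key_id):
        """Key found in use again: take it off the queue of keys to delete."""
        self.pending.pop(key_id, None)

    def purge(self, today):
        """Remove keys whose grace period has elapsed; return their ids."""
        due = sorted(k for k, since in self.pending.items()
                     if today - since >= GRACE_PERIOD)
        for key_id in due:
            del self.pending[key_id]
            self.repository.discard(key_id)
        return due


if __name__ == "__main__":
    start = date(2024, 1, 1)                  # constructed sample timeline
    q = KeyRetirementQueue(removal_enabled=True)
    for key_id in ("KEY-A", "KEY-B"):         # constructed key ids
        q.add_key(key_id)
        q.report_unused(key_id, start)
    q.report_in_use("KEY-B")                  # a tape still needs KEY-B
    print(q.purge(start + timedelta(days=89)))   # still inside grace period
    print(q.purge(start + timedelta(days=90)))   # KEY-A is removed
    print(sorted(q.repository))                  # KEY-B is retained
```
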