Chapter 2. Planning Your Encryption Key ManagerEnvironmentThis section is intended to provide information to allow you to determine the bestEncryption Key Manager configuration for your needs. Many factors must beconsidered when you are planning how to set up your encryption strategy.Encryption Setup Tasks at a GlanceBefore you can use the encryption capability of the tape drive, certain software andhardware requirements must be met. The following checklists are intended to helpyou meet these requirements.Encryption Key Manager Setup TasksBefore you can encrypt tapes, the Encryption Key Manager must first beconfigured and running so that it can communicate with the encrypting tapedrives. The Encryption Key Manager need not be running while tape drives arebeing installed, but it must be running in order to perform encryption.v Decide what system platform(s) to use as Encryption Key Manager server(s).v Upgrade server operating system if necessary. (See “Hardware and SoftwareRequirements” on page 2-2.)v Install Java Unrestricted Policy Files. (See “Hardware and SoftwareRequirements” on page 2-2.)v Upgrade the Encryption Key Manager JAR. (See “Downloading the LatestVersion Key Manager ISO Image” on page 3-1.)v Create keys, certificates, and key groups.“Using the GUI to Create a Configuration File, Keystore, and Certificates” onpage 3-5“Creating and Managing Key Groups” on page 3-14v These steps are not required if you follow the procedure in “Using the GUI toCreate a Configuration File, Keystore, and Certificates” on page 3-5, unless youwish to take advantage of additional configuration options:– If necessary, import keys and certificates. (See “Importing Data Keys UsingKeytool -importseckey ” on page 3-12.)– Define the configuration properties file. (See Chapter 4, “Configuring theEncryption Key Manager,” on page 4-1.)– Define tape drives to the Encryption Key Manager or setdrive.acceptUnknownDrives configuration property value on. (See“adddrive” on page 5-8 to define drives explicitly, or see “AutomaticallyUpdate Tape Drive Table” on page 4-1.)– Start the Encryption Key Manager server. (See “Starting, Refreshing, andStopping the Key Manager Server” on page 5-1.)– Start the command line interface client. (See “The Command Line InterfaceClient” on page 5-5.)Planning for Library-Managed Tape EncryptionIn order to perform encryption, you require:v Encryption-capable LTO 4 and LTO 5 Tape Drive(s)2-1||