3. If no alias is specified in the request and no alias is specified in the drive table, Encryption Key Manager selects an alias from the set of aliases or the key group in the keyAliasList.
4. Encryption Key Manager fetches a corresponding DK from the keystore.
5. Encryption Key Manager converts the alias to a DKi and wraps the DK with a key the drive can decrypt.
6. Encryption Key Manager sends the DK and DKi to the tape drive.
7. Tape drive unwraps the DK and writes encrypted data and DKi to tape.

Figure 2-2 shows how keys are processed for an encrypted read operation.

1. Tape drive receives read request and sends DKi to Encryption Key Manager.
2. Encryption Key Manager verifies tape device in Drive Table.
3. Encryption Key Manager translates DKi to alias and fetches corresponding DK from keystore.
4. Encryption Key Manager wraps the DK with a key the drive can decrypt.
5. Encryption Key Manager sends the wrapped DK to tape drive.
6. Tape drive unwraps the DK and uses it to decrypt the data.

[Diagram labels: Config File, Keystore, Drive Table, Key Manager, DKi, Alias, DK]
Figure 2-2. LTO 4 or LTO 5 Tape Drive Request for Encryption Read Operation

Backing up Keystore Data

Note: Due to the critical nature of the keys in your keystore, it is vital that you back up this data on a non-encrypted device so that you can recover it as needed and be able to read the tapes that were encrypted using those certificates associated with that tape drive or library. Failure to back up your keystore properly will result in irrevocably losing all access to your encrypted data.

There are many ways to back up this keystore information. Each keystore type has its own unique characteristics. These general guidelines apply to all:

- Keep a copy of all certificates loaded into the keystore (usually a PKCS12 format file).
- Use system backup capabilities (such as RACF) to create a backup copy of the keystore information (be careful not to encrypt this copy using the encrypting tape drives, as it would be impossible to decrypt it for recovery).

Chapter 2. Planning Your Encryption Key Manager Environment
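The read flow of Figure 2-2 and the reason the keystore backup matters, modeled in Python as an added example (not code from Encryption Key Manager or from this guide). The alias `key00`, the drive serial `DRIVE0001`, the hex encoding used for the DKi, and the hash-based `wrap`/`unwrap` pair are assumptions standing in for the product's real identifiers and key wrap.

```python
import hashlib, hmac, os

def _keys(kek, nonce):  # separate pad and MAC keys from the key shared with the drive
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return pad, hmac.new(kek, b"mac", hashlib.sha256).digest()

def wrap(kek, dk):
    """Stand-in key wrap for a 32-byte DK; illustrative, not a deployable construction."""
    nonce = os.urandom(16)
    pad, mac_key = _keys(kek, nonce)
    body = bytes(a ^ b for a, b in zip(dk, pad))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, body, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _keys(kek, nonce)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(body, pad))

class KeyManager:
    def __init__(self, keystore, drive_table):
        # keystore: alias -> DK; drive_table: drive serial -> key that drive can unwrap with
        self.keystore, self.drive_table = keystore, drive_table
    @staticmethod
    def alias_to_dki(alias):
        return alias.encode().hex()     # assumption: DKi is a reversible encoding of the alias
    def handle_read(self, serial, dki):
        if serial not in self.drive_table:           # step 2: verify drive in drive table
            raise PermissionError("drive not in drive table")
        alias = bytes.fromhex(dki).decode()          # step 3: DKi -> alias
        if alias not in self.keystore:               # no DK: the tape cannot be decrypted
            raise KeyError(alias)
        return wrap(self.drive_table[serial], self.keystore[alias])  # steps 4-5

def demo():
    drive_key, dk = os.urandom(32), os.urandom(32)   # constructed sample keys
    backup = {"key00": dk}                           # keystore copy kept off the encrypted tapes
    ekm = KeyManager(dict(backup), {"DRIVE0001": drive_key})
    dki = ekm.alias_to_dki("key00")                  # identifier written to tape with the data
    read_ok = unwrap(drive_key, ekm.handle_read("DRIVE0001", dki)) == dk  # step 6
    ekm.keystore.clear()                             # keystore lost
    try:
        ekm.handle_read("DRIVE0001", dki)
        lost = False
    except KeyError:
        lost = True
    ekm.keystore.update(backup)                      # restore from the backup copy
    restored = unwrap(drive_key, ekm.handle_read("DRIVE0001", dki)) == dk
    return read_ok, lost, restored
```

The tape carries only the DKi, so once the keystore entry behind it is gone the read request fails at step 3 until the backup copy is restored.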