
TKLM v2 – to Encrypt or not to Encrypt…

Encryption…that is the question.  However, the first question is: what is TKLM?  Well, it is Tivoli Key Lifecycle Manager, IBM software for securely managing the keys used to encrypt hardware devices such as tape and disk.

In my experience encrypting data is not something that you do for fun; it is a painful process that you put yourself through because you are forced to by some regulation or other.  As a result the encryption baton gets passed about until the music stops and the person holding it has to do something about it.  It seems that even within IBM that is the case: is TKLM a storage product or a security product?

Danger, Danger!

With any process that takes a bit of clear text and scrambles it there is an added danger that you will never be able to get your data back.  This message came over loud and clear when I sat in an IBM TKLM v2 training session.  The processes and procedures that need to be wrapped around TKLM need to be bulletproof, otherwise all manner of job losses are going to occur.

Tape Encryption.

I am mainly “interested” in tape based encryption.  I intend to write another blog post about the intricacies of symmetric and asymmetric keys, but for today a brief comparison between them will suffice:

Symmetric:

  • Keys taken from a pre-generated list
  • Rekeying means the entire cartridge needs to be rewritten
  • This is the standard for LTO4 and 5

Asymmetric:

  • New key generated for each volume on the fly from a certificate
  • Public, Private Keypair
  • Rekeying takes about 2 minutes per volume
  • This is used by TS1120 and TS1130 drives

As shown above, asymmetric encryption as implemented within the enterprise drives is the better, more secure option; however, it comes at a price.  Most people will use the LTO symmetric method, which is still FIPS 140-2 (http://en.wikipedia.org/wiki/FIPS_140-2) certified.


TKLM v2

For those of you that are interested in TKLM and the new version (v2), here is a summary of the information I picked up on my training session.  IBM’s “Vision” for encryption in the data centre using TKLM is that it will manage keys for any device on the data path.  So, for instance, from the filesystem, through the SAN, to the disk or tape system, all keys will be served by TKLM.  Data in flight from the host over the LAN or SAN will use temporary short term keys, and data at rest (disk and tape) will use long term key rotation.

It is all very well having a vision, but how have they moved closer towards it?  Well, TKLM v2 now uses the KMIP v1 standard (Key Management Interoperability Protocol).  This is an open standard that lets multiple vendors use the same development tools to implement encryption within their devices.  Currently Emulex HBAs and Brocade switches use this standard, and others are working on it (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip).

Other improvements in TKLM v2 are:

Role Based Access Control

  • Can define multiple administrators with different permissions
  • Can define different administrators for different groups of devices
  • Can restrict what devices can get which keys

New ease of use features

  • Pending auto – new option to capture device registration request and hold for administrative action
    • Works for devices and certificates
  • Improved silent install

New options for Disaster Recovery

  • Flag to not serve a key until it has been backed up
  • New scripts for automating keystore backup/restore
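To show why the “do not serve until backed up” flag matters, here is an added simulation (my own constructed example, not code from IBM or TKLM) of a key server that either does or does not refuse a drive’s key request before the keystore has been backed up, followed by a keystore crash and restore.  The key id, volume serial and in-memory backup image are made up for the example.

```python
import json
import os

class KeyServer:
    """Toy model of a tape key server with the v2 'do not serve until backed up' flag."""

    def __init__(self, require_backup_before_serve):
        self.require_backup = require_backup_before_serve
        self.keys = {}            # key id -> {"key": hex string, "backed_up": bool}
        self.backup_image = None  # last keystore backup (a file on real systems)

    def create_key(self, key_id):
        # A fresh symmetric data key; until backup() runs it exists only in this server.
        self.keys[key_id] = {"key": os.urandom(32).hex(), "backed_up": False}

    def backup(self):
        for entry in self.keys.values():
            entry["backed_up"] = True
        self.backup_image = json.dumps(self.keys)

    def serve_key(self, key_id):
        entry = self.keys[key_id]
        if self.require_backup and not entry["backed_up"]:
            raise PermissionError(f"{key_id} has not been backed up; refusing to serve it")
        return entry["key"]

    def crash_and_restore(self):
        # Keystore lost; the only thing that survives is the last backup image.
        self.keys = json.loads(self.backup_image) if self.backup_image else {}

def write_tape(server, key_id, volser, library):
    """Drive requests the key for a cartridge; returns True if the volume was written."""
    try:
        key = server.serve_key(key_id)
    except PermissionError:
        return False
    library[volser] = {"key_id": key_id, "key": key}  # what the cartridge was encrypted under
    return True

def scenario(require_backup, backup_before_write):
    """Returns (volume_written, data_lost) after a keystore crash and restore."""
    server, library = KeyServer(require_backup), {}
    server.create_key("KEY-0001")
    if backup_before_write:
        server.backup()
    written = write_tape(server, "KEY-0001", "VOL001", library)
    server.crash_and_restore()
    restored = server.keys.get("KEY-0001", {}).get("key")
    data_lost = written and restored != library["VOL001"]["key"]
    return written, data_lost
```

With the flag off and no backup, the cartridge is written but its key dies with the server; with the flag on, the write is refused until the backup has run, so nothing unrecoverable is ever put on tape.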

So, to encrypt or not to encrypt, that is the question…  It really comes down to whether you are being beaten up by the auditors.  Just remember, if you do, ensure you take great care over your procedures for managing keys.