Silver Bulletin

Who holds the keys?

Posted by: Dave White

Encryption or redemption?

Silverstring’s CTO, Steve Miller, highlighted in a previous blog how GDPR has emphasised the importance of encrypting personal data, both in primary and in secondary storage environments. Failing to take this into consideration places your data at risk and leaves your organisation open to fines and reputational damage. It’s now a cost of doing business in the digital age.

Encryption can be performed by applications for data on disk and in transit over IP networks. Encrypted data is legible only to the parties, applications and devices holding the encryption key, and meaningless to those that do not. The concept of a key is, well, key to the process of encryption. If you hold the key to the encrypted data, you can access it; if you don’t, you can’t.

Hardware devices such as disk arrays and tape drives are capable of encrypting data. Encryption of tape is a must for any organisation that routinely stores and transports tapes outside its own premises via a third party.

If you’ve encrypted your tapes as they were written, so that nobody but you, holding the encryption key, can read them, all is well. But you must ensure that the keys used to encrypt are always available, giving you access to read your data, yet secure from unwanted snoopers.

What is a Key Lifecycle Manager?

This is where encryption key management comes in. IBM Security Key Lifecycle Manager (ISKLM), previously Tivoli Key Lifecycle Manager (TKLM), is IBM’s solution for managing hardware encryption keys.

ISKLM is an essential component of a hardware encryption solution and serves keys for writing new media as well as previously encrypted media.

It can be configured to be highly available and redundant (pairs or clusters of key managers), and further protects encryption keys in encrypted key stores, allowing access only to authorised devices. Custom installations can be made to comply with various standards defined by US government agencies, such as FIPS 140-2, NSA Suite B and NIST SP 800-131.

The product has evolved to be more secure and resilient, with support for more operating systems and devices being added continually. For an additional layer of security, since v2.7 ISKLM’s own master key, which encrypts the data keys and certificates, can be stored in a tamper-proof HSM (Hardware Security Module).

Version 2.5 and earlier are no longer supported as of 30th September 2018. The current version is, so users on an earlier version should consider upgrading.


Silverstring has experience of successfully implementing and upgrading ISKLM-based hardware encryption solutions and is IBM’s first-choice partner for ISKLM services. Silverstring’s three core capabilities are Data Security, Data Availability and Data Preservation. If your organisation is not encrypting offsite tapes, or if your ISKLM/TKLM key managers are out of support, please contact us for more information.

Posted by: Dave White on November 20, 2018
