About writing an encrypted tape
BPTM receives a request to write to a tape and to use a tape from a volume pool with the ENCR_ name prefix. The ENCR_ prefix is a signal to BPTM that the information to be written to tape is to be encrypted.
BPTM contacts KMS and requests an encryption key from the key group with a name that matches the name of the volume pool.
KMS hands back to BPTM an encryption key and a key identifier (known as the encryption key tag).
BPTM places the drive in encryption mode and registers the key and its identifier tag with the drive. This is all done with the SCSI SECURITY PROTOCOL IN and SECURITY PROTOCOL OUT commands, which have been added to the SCSI specification.
The backup then proceeds as normal.
When the backup is complete, BPTM unregisters the key and tag with the drive and sets the drive back into regular mode.
BPTM then records the tag in the NetBackup image record catalog.
Figure: Process flow for writing an encrypted tape shows how the process flows.
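The steps above imply three invariants that can be checked after the fact: every ENCR_ volume pool has a key group of the same name, every image written to an ENCR_ pool has a key tag in its image record, and that tag belongs to the matching key group. The following audit is an added example, not NetBackup code; the record layouts, names and tags are constructed for illustration, and treating a violation as a finding is an assumption drawn from the flow described here.

```python
# Added illustration: the record layouts below are constructed for this
# example and are not NetBackup's catalog or KMS export formats.
ENCR_PREFIX = "ENCR_"


def audit(pools, key_groups, images):
    """Return sorted (subject, finding) tuples for broken invariants.

    pools      -- iterable of volume pool names
    key_groups -- dict: key group name -> set of key tags held by KMS
    images     -- list of dicts with 'id', 'pool' and 'key_tag' (or None)
    """
    findings = set()
    # BPTM asks KMS for a key from the group named like the pool, so an
    # ENCR_ pool without a same-named key group has nothing to draw from.
    for pool in pools:
        if pool.startswith(ENCR_PREFIX) and pool not in key_groups:
            findings.add((pool, "no key group with this name"))
    for img in images:
        pool, tag = img["pool"], img.get("key_tag")
        if not pool.startswith(ENCR_PREFIX):
            continue  # the flow above applies only to ENCR_ pools
        if not tag:
            # The last step records the tag in the image record; without
            # it the catalog does not identify which key was used.
            findings.add((img["id"], "ENCR_ pool image without key tag"))
        elif tag not in key_groups.get(pool, set()):
            findings.add((img["id"], "key tag not found in matching key group"))
    return sorted(findings)


# Constructed sample data (hypothetical pool names, tags and image ids).
POOLS = ["ENCR_finance", "ENCR_hr", "NetBackup"]
KEY_GROUPS = {"ENCR_finance": {"tag-a1", "tag-a2"}}
IMAGES = [
    {"id": "img-001", "pool": "ENCR_finance", "key_tag": "tag-a1"},
    {"id": "img-002", "pool": "ENCR_finance", "key_tag": None},
    {"id": "img-003", "pool": "ENCR_finance", "key_tag": "tag-zz"},
    {"id": "img-004", "pool": "NetBackup", "key_tag": None},
    {"id": "img-005", "pool": "ENCR_hr", "key_tag": "tag-b1"},
]

if __name__ == "__main__":
    for subject, finding in audit(POOLS, KEY_GROUPS, IMAGES):
        print(f"{subject}: {finding}")
```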