Safe and sound

27.03.2006

The hardware's encryption keys are managed within the library and can be exported via a Universal Serial Bus flash drive or via an encrypted e-mail. The keys can then be imported into another Spectra library or used within a software decryption utility, in case no library hardware is available.

Library-based security has two big benefits over software-based alternatives, according to Schreck. First, there are no performance penalties. By embedding encryption in the tape subsystem, vendors can use encryption coprocessors to process the data stream at wire speed. Second, security functions are completely transparent to the software. To outside applications and servers, they behave just like a regular tape library. No external software or operating system support is necessary.

But it also means that the tape vendor is completely responsible for managing security. So customers should look for products with strong key-management features, like quorum-based recovery, integration with backup and recovery tools, and automated replication of keys to an escrow service or tape library at a disaster recovery site.

Laptop and 'edge' encryption

While encryption efforts focus on back-end and off-site storage tapes, Preston says fewer companies are implementing edge-level encryption methods, such as encrypting data on laptops. What's more, basic laptop encryption offers little protection.