I received communication from an ISV today related to Encryption mode locking (4.2.21.11). They were unable to determine if the locking applied when the data encryption parameters were set such that encryption/decryption is turned off. In a close reading this clause refers to "...locked to that set of data encryption parameters and key instance counter value until a hard reset condition occurs or another [SPOUT command is received]".

In 4.2.21.6 Managing keys within the physical device, where it describes when to release a set of data encryption parameters, there is no mention of turning off encryption. Therefore, the locking does apply to the saved set of encryption parameters even when encryption is turned off. This is indeed the desired behavior. However, it is not clear to the casual or novice standards reader that this is the case.
Proposed Solution (Editorial):

In 4.2.21.11, p2, add a new sentence after s1:
The LOCK bit in the Set Data Encryption page is set to one to lock the I_T nexus that issued the SECURITY PROTOCOL OUT command to the set of data encryption parameters established at the completion of the processing of the command. A set of data encryption parameters is established and locked even if the ENCRYPTION MODE is set to DISABLE and the DECRYPTION MODE is set to DISABLE.
Thanks,
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/
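The locking rule the message clarifies, as an added Python model (not SSC-3 text, not IBM or T10 code): every SECURITY PROTOCOL OUT Set Data Encryption page establishes a set of data encryption parameters, the LOCK bit ties the issuing I_T nexus to that set, and the set and lock persist even when ENCRYPTION MODE and DECRYPTION MODE are both DISABLE, until a hard reset or another SPOUT command. The class and method names, the incrementing key instance counter, and the refusal of a page from a different I_T nexus while locked are modelling assumptions; the message says only that the issuing nexus is locked to the set, not how other nexuses' commands are answered. A second class shows the reading the ISV could not rule out, where a DISABLE/DISABLE page establishes nothing and therefore locks nothing.

```python
# Added example: model of SSC-3 style encryption mode locking. Not standard
# text or product code; names and counter behaviour are assumptions.
from dataclasses import dataclass
from typing import Optional

DISABLE = "DISABLE"
ENCRYPT = "ENCRYPT"
DECRYPT = "DECRYPT"


@dataclass(frozen=True)
class DataEncryptionParameters:
    """One saved set of data encryption parameters (assumed field subset)."""
    encryption_mode: str
    decryption_mode: str
    key_instance_counter: int


class TapeDevice:
    """Device server following the clarified reading: every Set Data
    Encryption page establishes a set, and LOCK applies to that set even
    when both modes are DISABLE."""

    def __init__(self) -> None:
        self.params: Optional[DataEncryptionParameters] = None
        self.locked_nexus: Optional[str] = None
        self._counter = 0  # assumed: incremented for each established set

    def set_data_encryption(self, nexus: str, encryption_mode: str,
                            decryption_mode: str,
                            lock: bool) -> Optional[DataEncryptionParameters]:
        """Process a SECURITY PROTOCOL OUT Set Data Encryption page from nexus."""
        # Assumed behaviour: a page from a different I_T nexus while locked is
        # refused. The message does not describe this response.
        if self.locked_nexus is not None and self.locked_nexus != nexus:
            raise PermissionError(f"parameters locked to {self.locked_nexus}")
        # Another SPOUT command replaces the saved set and its lock; the mode
        # values play no part in whether a set is established.
        self._counter += 1
        self.params = DataEncryptionParameters(
            encryption_mode, decryption_mode, self._counter)
        self.locked_nexus = nexus if lock else None
        return self.params

    def hard_reset(self) -> None:
        """A hard reset condition releases the saved set and the lock."""
        self.params = None
        self.locked_nexus = None

    def is_locked_to(self, nexus: str) -> bool:
        return self.locked_nexus == nexus


class NaiveTapeDevice(TapeDevice):
    """The reading the ISV could not rule out: ENCRYPTION MODE = DISABLE and
    DECRYPTION MODE = DISABLE means nothing is established, so nothing locks."""

    def set_data_encryption(self, nexus, encryption_mode, decryption_mode,
                            lock):
        if encryption_mode == DISABLE and decryption_mode == DISABLE:
            self.params = None
            self.locked_nexus = None
            return None
        return super().set_data_encryption(
            nexus, encryption_mode, decryption_mode, lock)


def lock_survives_disable(device: TapeDevice) -> bool:
    """True if a locked DISABLE/DISABLE page leaves the device locked to
    the issuing nexus with a saved set of parameters."""
    device.set_data_encryption("nexus-A", DISABLE, DISABLE, lock=True)
    return device.is_locked_to("nexus-A") and device.params is not None


if __name__ == "__main__":
    print("clarified reading locks:", lock_survives_disable(TapeDevice()))
    print("naive reading locks:", lock_survives_disable(NaiveTapeDevice()))
```

Run stand-alone it prints True for the clarified reading and False for the naive one; the difference is exactly the ambiguity the proposed sentence removes.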