Results 1 to 5 of 5
  1. #1
    Member
    Join Date
    May 2006
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default DRM Tape Encryption Keys

    We do our Disaster Recovery at a remote site and we restore a mix of about 30 servers, Win 2003, HP-UX, AIX, Linux. These servers are not identical to the original servers so the restores use the -virtualnodename parameter to identify the original server. I have a set of scripts that run the restore jobs within their collocation groups using a tape library with six drives. This avoids having to manually start and monitor every restore. All this has been tested many times and works well.

    Now, I am required to encrypt the DRM tapes. All my dsm.opt files specify "encryptkey save". This works fine until I run a DR test. I find that each directory I restore on each server will prompt me for the encryption key before it restores any encrypted files. Even though I use the same key for every backup on every server, I specify "encryptkey save", and I establish that key on each DR server, I am still prompted to enter the password manually for every directory I restore. This is extremely labor-intensive for a large DR that runs for two days. And tiring!

    I might overcome this with a "Here document" on the Unix servers (haven't tested that yet, but it should work), but there's no such thing for Windows.

    Does anyone know a way to overcome this limitation? Some way to persuade the DR server to accept the stored encryption key, or stop prompting after the first entry, or any other method that might help?

    Does anyone know a way to persuade the DR servers to

  2. #2
    Moderator
    Join Date
    Sep 2002
    Location
    Indiana
    Posts
    2,560
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default

    Have you tried to change the nodename in the dsm.opt/dsm.sys file rather than use the virtualnodename option? The TSM nodename doesn't have to match the OS hostname and it might work better with the encryption if the host encryption key matched the TSM nodename.

    -Aaron
    Three things are certain:
    Death, taxes, and lost data.
    Guess which has occurred.

  3. #3
    Member
    Join Date
    May 2006
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Good idea, HEADA. However, we are doing application stacking at DR, which means we are restoring the applications from several servers onto one server at DR (we have several servers at the DR site, but not as many as we have in the originating data center). I think that would require we modify the dsm.opt file for every restore in order to have the appropriate name in place. It's probably worse than entering the encryption key.

  4. #4
    Moderator
    Join Date
    Sep 2002
    Location
    Indiana
    Posts
    2,560
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default

    Have multiple dsm.opt files and have your restore point to the one you are restoring from.

    -Aaron
    Three things are certain:
    Death, taxes, and lost data.
    Guess which has occurred.

  5. #5
    Member
    Join Date
    May 2006
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Thanks. I'm gonna try that. Sounds like it might work. I'll post results.

Similar Threads

  1. TS3500 and TSM (tape encryption)
    By rankink in forum Tape / Media Library
    Replies: 2
    Last Post: 11-04-2008, 08:41 AM
  2. Replies: 1
    Last Post: 10-06-2008, 10:55 AM
  3. DRM tape retention
    By raj2989 in forum Disaster Recovery Module
    Replies: 5
    Last Post: 08-27-2007, 10:02 AM
  4. tape encryption
    By chandar_adsm in forum Tape / Media Library
    Replies: 0
    Last Post: 05-09-2006, 11:26 PM
  5. Encryption keys in a cluster environment
    By tsm_nbc.gov in forum TSM Server
    Replies: 0
    Last Post: 03-09-2006, 03:57 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •