  1. #1
    Newcomer

    Verifying data Encryption---

    Running TSM 6.1.4.2 on Windows 2003 Server with IBM 3583 tape library with LTO2 drives. (I know, they're a bit old, upgrading soon.)
    Q status shows Encryption strength: AES. Also,
    the device class for the LTO2 drives has DRIVEENCRYPTION=ALLOW.
    On the clients: 'Save encryption key password locally' is selected, as is '128-bit AES', which are defaults when installing the client.

    Question: How else can I verify my data is being encrypted? Any way I can dump a tape volume?

    Thanks in advance for any help, tips, advice.

  2. #2
    Senior Member Trident

    Hi,

    This is only valid for client based encryption.

    Code:
    dsmc query backup "filepath/filename" -detail -traceflags=query
    -= Trident =-

  3. #3
    Newcomer

    I'm looking for some way to verify it's encrypted on the tape volumes.... Is there a way to dump some data from the tape to see if it's readable or not?

  4. #4
    Senior Member Trident

    If you know TSM tape format, then you can check. Otherwise you need to check if TSM has stored node data in an encrypted format.

    You can also check a volume in the library with q vol XXX f=d. If any encryption is done per tape/library, it will be shown there.
    -= Trident =-

  5. #5
    Newcomer

    Well, I don't know TSM tape format, and I'm not sure how to check if 'TSM has stored node data in an encrypted format'.
    I did check some of the 'private' volumes with the F=D command and it shows 'Drive Encryption Key Manager: None'.
    That is all it said about encryption. Unfortunately I wasn't involved with the original setup of our Tivoli system, but our State auditors now want us to verify that our tapes are encrypted for security purposes.

  6. #6
    Senior Member Trident

    The data stored is probably encrypted client side. This can be verified using the dsmc command shown earlier. The output from the dsmc command should be enough for the auditors. If you want tape drive encryption, you need LTO4 or higher (or some other drives).
    -= Trident =-

  7. #7
    Newcomer

    Thank you Trident, that dsmc command worked. It also showed that "Encryption Type: None". So now my question is: what is the easiest way to turn on encryption? I do know that any data already stored on TSM would not get automatically encrypted.

  8. #8
    Senior Member Trident

    Hi,

    These need to be present with parameters:

    Encryptiontype
    Encryptkey

    You need this line in your dsm.opt file (top line of your incl and excl):

    include.encrypt *:\...\*

    http://pic.dhe.ibm.com/infocenter/ts...2574%2522%2520
    -= Trident =-

  9. #9
    Newcomer

    Thanks again!! All I have been missing is the include.encrypt in my include/exclude list. But I read there are other ramifications, such as losing compression on data at tape drive level? If I set compression at the client, I wonder how much slower backups will be.
    And why would people opt for the 'generate' encryption key? It seems it would be easy to let TSM handle it, as opposed to the 'save' option where the user has to remember the key in case something bad happens.

  10. #10
    Senior Member Trident

    Hi,

    I strongly recommend that you enable compression on the client side. Encrypted data is not very (if at all) compressible. I actually think that your backups will go faster. I have enabled compression as default on all my nodes (about 1000). Most modern servers have no issues with the extra CPU required to compress data on the fly.

    Besides, the network/firewall guys are generally happier if you can reduce the amount of data passing through fw/routers.
    -= Trident =-
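
An added example, not part of any post in this thread and not IBM's code: a Python check of a dsm.opt file against the checklist from posts #8 and #10 (Encryptiontype and Encryptkey present with parameters, an include.encrypt statement, client compression on). The sample files, the node name and the function names are constructed for illustration, and only full option names are matched.

```python
# Constructed sample: the state the thread started from (key options set,
# but no include.encrypt statement, so "Encryption Type: None" is reported).
SAMPLE_BEFORE = r"""
* dsm.opt (constructed sample)
nodename        FILESRV01
encryptiontype  AES128
encryptkey      save
exclude         *:\...\pagefile.sys
"""

# Constructed sample: after the changes suggested in posts #8 and #10.
SAMPLE_AFTER = r"""
* dsm.opt (constructed sample)
nodename        FILESRV01
encryptiontype  AES128
encryptkey      save
compression     yes
include.encrypt *:\...\*
exclude         *:\...\pagefile.sys
"""

def parse_options(text):
    """Return {lowercased option name: [values]}; lines starting with '*' are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def audit_dsm_opt(text):
    """List findings; an empty list means the thread's checklist is met.
    Assumption: abbreviated option names are not recognised."""
    opts = parse_options(text)
    findings = []
    for name in ("encryptiontype", "encryptkey"):
        if not any(opts.get(name, [])):
            findings.append(f"{name} is missing or has no parameter")
    if not any(opts.get("include.encrypt", [])):
        findings.append("no include.encrypt statement: no files are selected for encryption")
    # If the option is repeated, the last occurrence is the one checked here.
    if [v.lower() for v in opts.get("compression", [])][-1:] != ["yes"]:
        findings.append("client compression is not enabled")
    return findings
```

A clean result only says the options file asks for encryption; the `dsmc query backup ... -detail` output from post #2 is still what shows whether a stored object was actually encrypted.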
