ADSM-L

Re: Encryption Question

2003-11-01 17:57:44
From: Richard Sims <rbs AT BU DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Sat, 1 Nov 2003 17:57:28 -0500
>We have one node that the customer has requested that we use the
>encryption feature on. Two questions:
>
>1) Once the key has been set does it ever change like the client
>password? We are using the save option for the key. From the manual --
>The encryption key password is saved to the TSM.PWD file in encrypted
>format.

The key is static, from all that I have ever seen.  Indeed, the B/A Client
manual talks about migrating it from earlier releases.  Why, one carefully
kept key could be passed from generation to generation.  (Apologies to
Mr. Marx.)

>2) If we lose the TSM.PWD file for whatever reason, best I can tell
>there is no way to restore data to the client. If the key never changes
>then we could copy that file somewhere else and copy it back in the
>event that it was lost. If it changes on some interval then obviously
>the copy of that file will also need to be refreshed..... Thoughts on
>how to use this feature and at the same time ensure that you don't lose
>the key and as a result access to all of the client's data.

I would use some, um, backup facility to assure not losing the key.
Such a backup would obviously not use encryption itself.
A more insidious issue for client administrators is when ENCryptkey PROMPT
is in effect, where there is no one key, and it's up to each user to
remember what they used to back up the file: If the password is lost or
forgotten, the encrypted data cannot be decrypted, which means that the data
is lost.

The TSM 3.7.3 & 4.1 Technical Guide gives a good overview of the facility,
as it was introduced for Windows.

   Richard Sims, http://people.bu.edu/rbs
