ADSM-L

Re: Encryption

2005-05-25 11:56:47
Subject: Re: Encryption
From: "Johnson, Milton" <milton.johnson AT CITIGROUP DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 25 May 2005 11:55:07 -0400
My concerns with TSM based encryption are:

1) Since encrypted data does not compress well the TSM clients must do
both the compression and encryption.
2) TSM compression and encryption can be a performance hit on the client
increasing back-up time and further degrading performance during the
backup period.
3) With TSM encryption the data is encrypted before it leaves the client
so all copies of the data are encrypted.
4) With TSM encryption there are keys for each client that must be
managed.  This could mean hundreds-thousands of keys in some
environments.  I understand that TSM 5.3 does that management for you.
5) There is no simple way to encrypt data already backed up and on tape.

For these reasons I am investigating using an encryption appliance that
sits transparently between the TSM server and the tape drives used to
write offsite tapes:
1) The appliance does the compression & encryption in hardware so there
is no performance hit to the clients.
2) Only the backup copies going off site are encrypted, it is not all or
nothing.
3) There is only one set of encryption keys to manage.
4) Data already backed up and on tape can be encrypted using the "move
data" command.
5) Stronger encryption than that provided by TSM is available.

H. Milton Johnson

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Henrik Wahlstedt
Sent: Wednesday, May 25, 2005 2:36 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Encryption

Hi Eric,


Yes TSM can encrypt your data, both in 5.2 (des56) and 5.3 (aes 128).
You add the lines in a client optionset or in dsm.opt.
INCLUDE.ENCRYPT "c:\...\*"
ENCRYPTKEY      PROMPT or SAVE.

Check the client manuals for more information.


//Henrik

"Jones, Eric J" <eric.j.jones AT LMCO DOT COM>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
2005-05-25 03:32
Please respond to "ADSM: Dist Stor Manager"


        To:     ADSM-L AT VM.MARIST DOT EDU
        cc:     (bcc: Henrik Wahlstedt)
        Subject:        Encryption


Good Evening.
Running TSM 5.2.2 on AIX 5.2
Clients are a mix of Solaris 7, 8, 9, AIX 4.2, AIX 5.2, Windows NT,
Windows 2000 and Windows 2003 most running TSM 5.2.2.
I've been reading the forums and was thinking I would probably not have
to worry about this until now.
I was asked to check and see what it would take to encrypt our data.
I have 2 questions.
1:  Is it a problem to use an encryption device to encrypt the data
before it is sent to the TSM server?  I know I would have to have the
encryption key to restore the data but I was wondering if there were any
problems that I would face.
2:  Can TSM encrypt the data?  I've read 1 article that indicated it was
in TSM 5.3 but I did not see much on 5.2.2 which we are running.  Are
there any potential problems with using TSM to encrypt if it is
possible?  I know if you lose the key you're done but other than that.

Thanks for all the help,
Eric
