ADSM-L

Re: Windows 2003 Encryption

2006-10-07 12:20:38
Subject: Re: Windows 2003 Encryption
From: TSM_User <tsm_user AT YAHOO DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Sat, 7 Oct 2006 09:18:22 -0700
Roger,
  I believe the encryption key for the regular BA Client is not kept separate 
on the TSM server. Only the Tivoli Data Protection (TDP) software, which 
supports transparent encryption, stores the key on the TSM server instead of in 
the local registry. Also, for them you are never prompted to enter a key 
yourself; they automatically generate one. Today transparent encryption only 
works for the TDP software. (Question for Andy: When will this option become 
part of the BA Client?).
   
  So because the BA Client does not store the encryption key on the TSM server, 
you are prompted for it when you perform a DR of a server to a new server 
because the key is not located in its registry.
   
  One thing you could do is choose to encrypt the client data but not the 
client OS drive.  Then you would be able to perform a system recovery without 
being prompted for the key.  So long as you can successfully recover the system, 
the encryption key will be back in the registry and you should not be prompted 
for the key.  With this option you do have some data on a tape that is not 
encrypted.  Still, with transparent encryption, so long as someone can restore your 
TSM DB they can restore your data without being prompted for the key.  Maybe an 
encryption option for the TSM DB would be a good idea?
   
  K
   
  
Roger Silva <rogsilva AT STANFORD DOT EDU> wrote:
  Andrew,

I changed the parameters per your email and it worked. Thank you very much.

I do, however, have one more question. My client has asked me if there
is a way to export the EncryptKey but I have not found any documentation
talking about this. The reason for this I assume would be in case of a
system crash. I know the EncryptKey is kept on both the client in the
registry and I believe on the server side as well. If the system was to
crash, do you still only need the Encryption Password to restore the
data? Would this be just as if you did not use the "SAVE" option and
instead you used the "PROMPT" option?


Thanks again for your info.

Roger



Andrew Raibeck wrote:

> It isn't the encryption of one file that is the issue, it's the syntax of
> the include.encrypt line. The way it currently reads:
>
> Include.Encryption "D:\1TSMTEST\test spreadsheet.xls\...\*"
>
> says to encrypt all files in the "D:\1TSMTEST\test spreadsheet.xls"
> directory.
>
> I also just noticed you said "include.encryption" instead of
> "include.encrypt".
>
> Try:
>
> include.encrypt "d:\1tsmtest\test spreadsheet.xls"
>
> Regards,
>
> Andy
>
> Andy Raibeck
> IBM Software Group
> Tivoli Storage Manager Client Development
> Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
> Internet e-mail: storman AT us.ibm DOT com
>
> IBM Tivoli Storage Manager support web page:
> http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliStorageManager.html
>
> The only dumb question is the one that goes unasked.
> The command line is your friend.
> "Good enough" is the enemy of excellence.
>
> Roger Silva wrote on 10/05/2006 02:11:36 PM:
>
>
>>Andy,
>>
>>The main directory is D:\1TSMTEST, spreadsheet.xls is just a file within
>>that directory that we are trying to do a test encryption on.
>>
>>Let me also state that the TSM Software is installed on the C: drive
>>along with all the other software, the D: drive is the Data drive and
>>only stores the data needed to be backed up. Ultimately, the client
>>wants ALL-LOCAL drives (C: and D:) Encrypted and backed up.
>>
>>I will make the fix to my exclude.backup line. Thanks.
>>
>>I don't know if only encrypting one file is the issue or not?
>>
>>Rog
>>
>>
>>Andrew Raibeck wrote:
>>
>>
>>>Do you actually have a directory called "test spreadsheet.xls" ?
>>>
>>>Probably not contributing to the issue, but your exclude.backup statement
>>>should be corrected to read:
>>>
>>>exclude.backup *:\...\*
>>>
>>>Regards,
>>>
>>>Andy
>>>
>>>Andy Raibeck
>>>IBM Software Group
>>>Tivoli Storage Manager Client Development
>>>Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
>>>Internet e-mail: storman AT us.ibm DOT com
>>>
>>>IBM Tivoli Storage Manager support web page:
>>>http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliStorageManager.html
>>>
>>>The only dumb question is the one that goes unasked.
>>>The command line is your friend.
>>>"Good enough" is the enemy of excellence.
>>>
>>>"ADSM: Dist Stor Manager" wrote on 10/05/2006 01:33:08 PM:
>>>
>>>
>>>
>>>>My client is running Windows 2003 client OS Version 5.02 and our TSM
>>>>server is 5.1.6.3
>>>>
>>>>We are trying to use the TSM Encryption Options but we are running into
>>>>some issues.
>>>>
>>>>We have the Encryption lines in the dsm.opt file:
>>>>
>>>>ENCRYPTIONTYPE AES128
>>>>ENCRYPTKEY SAVE
>>>>
>>>>Exclude.Backup "*\...\...\*"
>>>>INCLUDE "D:\1TSMTEST\...\*"
>>>>Include.Encryption "D:\1TSMTEST\test spreadsheet.xls\...\*"
>>>>
>>>>But when the client invokes a backup, it does not ask for the encryption
>>>>password the first time.
>>>>
>>>>Is this version of windows with the version of the TSM server we are
>>>>running not supported or is there some other fix needed in the dsm.opt
>>>>file?
>>>>
>>>>Thanks,
>>>>Roger
>>>>
>>>>
>>>>P.S. I have been successful with this exercise using Windows XP client
>>>>OS version 5.01 and TSM Version 5.1.6.3
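
A small lint check for the dsm.opt mistakes this thread works through, as an added example that is not from any of the posters or from IBM: it flags the `Include.Encryption` spelling and an `include.encrypt` pattern that treats a file name as a directory. The function name, finding codes and the file-extension heuristic are assumptions; the sample inputs are constructed from the option lines quoted above.

```python
import re

# Constructed inputs: the dsm.opt lines quoted in the thread, before and after
# the corrections suggested in the replies.
BEFORE = r'''
ENCRYPTIONTYPE AES128
ENCRYPTKEY SAVE
Exclude.Backup "*\...\...\*"
INCLUDE "D:\1TSMTEST\...\*"
Include.Encryption "D:\1TSMTEST\test spreadsheet.xls\...\*"
'''
AFTER = r'''
ENCRYPTIONTYPE AES128
ENCRYPTKEY SAVE
exclude.backup *:\...\*
INCLUDE "D:\1TSMTEST\...\*"
include.encrypt "d:\1tsmtest\test spreadsheet.xls"
'''

OPTION_LINE = re.compile(r'^\s*(\S+)\s+(?:"([^"]*)"|(\S+))\s*$')
FILE_LIKE = re.compile(r'\.[A-Za-z0-9]{1,4}$')  # heuristic (assumption): "name.ext"

def lint_dsm_opt(text):
    """Return (line_no, code, message) findings for the encryption rules."""
    findings, wants_encryption, has_rule = [], False, False
    for no, raw in enumerate(text.splitlines(), 1):
        m = OPTION_LINE.match(raw)
        if not m:
            continue
        opt = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if opt in ("encryptkey", "encryptiontype"):
            wants_encryption = True
        elif opt == "include.encryption":
            findings.append((no, "unknown-option", "use include.encrypt"))
        elif opt == "include.encrypt":
            has_rule = True
        if opt.startswith("include.encrypt"):
            parts = val.split("\\")
            # "<file.ext>\...\*" treats the file name as a directory
            if parts[-2:] == ["...", "*"] and len(parts) > 2 and FILE_LIKE.search(parts[-3]):
                findings.append((no, "file-as-directory", "drop the trailing \\...\\*"))
    if wants_encryption and not has_rule:
        findings.append((0, "no-encrypt-rule", "no include.encrypt statement found"))
    return findings

if __name__ == "__main__":
    for label, opt in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_dsm_opt(opt) or "clean")
```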


                