ADSM-L

Re: Windows 2003 Encryption

2006-10-12 16:35:49
Subject: Re: Windows 2003 Encryption
From: Andrew Raibeck <storman AT US.IBM DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 12 Oct 2006 14:32:59 -0600

Since Windows 2003 system state backup is an "all or nothing" affair, 
unchecking "Back up the Registry" has no effect (that should actually come 
out, since it applies only to NT 4.0, which is not supported by the 5.3 
client).

If you encrypt all data, e.g.:

   include.encrypt *

Then the system state (which includes registry) will be encrypted as well.

If you need more targeted encryption try this:

include.encrypt *:\adsm.sys\...\*
include.encrypt *:\WINDOWS\Repair\Backup\BootableSystemState\Registry\...\*

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.ibm DOT com

IBM Tivoli Storage Manager support web page: 
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliStorageManager.html

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.

"ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 10/10/2006 08:17:18 AM:

> Thanks Andy,
> 
> From what I understand, you cannot encrypt the systemobjects which would
> include the registry, is this the case and if so, is there a way around
> this in order to secure that your registry is not sent across the wire
> un-encrypted when you are not using a VPN tunnel or encryption over the
> wire?
> 
> Should I uncheck "backup the registry" in the GUI?
> 
> Thanks
> 
> 
> On Tue, 10 Oct 2006, Andrew Raibeck wrote:
> 
> > No, you cannot just export/import the registry key.
> >
> > See the README file for the 5.3.4.x clients and look for the bullet titled
> > "ENCRYPTKEY SAVE requirements". Also look up APAR IC48782.
> >
> > Regards,
> >
> > Andy
> >
> > Andy Raibeck
> > IBM Software Group
> > Tivoli Storage Manager Client Development
> > Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
> > Internet e-mail: storman AT us.ibm DOT com
> >
> > IBM Tivoli Storage Manager support web page:
> > http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliStorageManager.html
> >
> > The only dumb question is the one that goes unasked.
> > The command line is your friend.
> > "Good enough" is the enemy of excellence.
> >
> > "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 10/08/2006 08:44:35 PM:
> >
> > > Thank you for the info.  I'll look into the MS regedit for
> > > exporting/importing and see if the client wants to do this or if they
> > > will just keep the password phrase used somewhere and just use that if
> > > need be.
> > >
> > >
> > >
> > > TSM_User wrote:
> > >
> > > > To your question you only need the value you typed to generate the
> > > > key the first time. You will be prompted to type it again and it
> > > > will then encrypt the key again and store it in the registry.
> > > >
> > > >   Entries in the registry can be exported and then imported on
> > > > another server. Exporting the keys from the registry using the MS's
> > > > regedit on one system and then importing them somewhere else may
> > > > work but I think Andy may need to chime in on that.
> > > >
> > > > Roger Silva <rogsilva AT STANFORD DOT EDU> wrote:
> > > >   Hi,
> > > >
> > > > My client has asked me if there is a way to export the EncryptKey but I
> > > > have not found any documentation talking about this. The reason for this
> > > > I assume would be in case of a system crash. I know the EncryptKey is
> > > > kept on both the client side in the registry and I believe on the server
> > > > side as well. If the system was to crash, do you still only need the
> > > > Encryption Password to restore the data? Would this be just as if you
> > > > did not use the "SAVE" option and instead you used the "PROMPT" option?
> > > >
> > > >
> > > > Thanks again for your info.
> > > >
> > > > Roger
> > > >
> > > >
> > > >
> > > >
> >
> >
