ADSM-L

Re: Windows 2003 Encryption

2006-10-12 18:31:03
Subject: Re: Windows 2003 Encryption
From: Roger Silva <rogsilva AT STANFORD DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 12 Oct 2006 15:28:10 -0700
Ah, Good to know.

Thanks Andy for your help.

-Roger

Andrew Raibeck wrote:

Since Windows 2003 system state backup is an "all or nothing" affair, unchecking "Back up the Registry" has no effect (that should actually come out, since it applies only to NT 4.0, which is not supported by the 5.3 client).

If you encrypt all data, e.g.:

   include.encrypt *

Then the system state (which includes registry) will be encrypted as well.

If you need more targeted encryption try this:

   include.encrypt *:\adsm.sys\...\*
   include.encrypt *:\WINDOWS\Repair\Backup\BootableSystemState\Registry\...\*

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.ibm DOT com

IBM Tivoli Storage Manager support web page: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliStorageManager.html

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.

"ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 10/10/2006 08:17:18 AM:


Thanks Andy,

From what I understand, you cannot encrypt the systemobjects which would
include the registry, is this the case and if so, is there a way around
this in order to secure that your registry is not sent across the wire
unencrypted when you are not using a VPN tunnel or encryption over the
wire?

Should I uncheck "backup the registry" in the GUI?

Thanks


On Tue, 10 Oct 2006, Andrew Raibeck wrote:


No, you cannot just export/import the registry key.

See the README file for the 5.3.4.x clients and look for the bullet titled "ENCRYPTKEY SAVE requirements". Also look up APAR IC48782.

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.ibm DOT com

IBM Tivoli Storage Manager support web page: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliStorageManager.html

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.

"ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 10/08/2006
08:44:35 PM:


Thank you for the info. I'll look into the MS regedit for exporting/importing and see if the client wants to do this or if they will just keep the password phrase used somewhere and just use that if need be.



TSM_User wrote:


To your question you only need the value you typed to generate the key the first time. You will be prompted to type it again and it will then encrypt the key again and store it in the registry.

Entries in the registry can be exported and then imported on another server. Exporting the keys from the registry using the MS's regedit on one system and then importing them somewhere else may work but I think Andy may need to chime in on that.

Roger Silva <rogsilva AT STANFORD DOT EDU> wrote:
Hi,

My client has asked me if there is a way to export the EncryptKey but I have not found any documentation talking about this. The reason for this I assume would be in case of a system crash. I know the EncryptKey is kept on both the client side in the registry and I believe on the server side as well. If the system was to crash, do you still only need the Encryption Password to restore the data? Would this be just as if you did not use the "SAVE" option and instead you used the "PROMPT" option?


Thanks again for your info.

Roger


