ADSM-L

Re: [ADSM-L] AW: [ADSM-L] Move Encryption Key to another machine

2009-01-23 07:38:54
Subject: Re: [ADSM-L] AW: [ADSM-L] Move Encryption Key to another machine
From: Wanda Prather <wprather AT JASI DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 23 Jan 2009 07:37:37 -0500
Thanks Thomas,

Your post is very clear; I just wish I knew the answer!

Wanda

On Fri, Jan 23, 2009 at 3:00 AM, Thomas Rupp <Thomas.Rupp AT illwerke DOT at> wrote:

> Sorry, that was missing from my posting.
> Our admin used regedit export/import to move the TSM registry keys to
> another machine.
> Keys moved:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM\CurrentVersion\Nodes\<nodename>\<tsmserver>
>
> This is how I think TSM works:
> The encryption key is encrypted using the hostname returned by the
> operating system.
> Then the encryption key is saved in the registry.
> To back up or restore data TSM needs to decrypt the encryption key using the
> hostname returned by the operating system.
> That's why I think you can't move the encrypted key to another machine. TSM
> would use the hostname returned by the operating system (this is not the
> same as on the original machine) to decrypt the encryption key. Here TSM
> would return an error because the decryption fails.
>
> But when we moved the registry keys to another machine (different hostname)
> TSM didn't ask for the encryption key. In our opinion this is a security flaw.
> We want to use encryption so that data can only be restored to the original
> machine (= hostname).
>
> I hope I could make myself clear. Please excuse my bad English but -
> unfortunately - I'm no native speaker.
>
> Thanks
> Thomas Rupp
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of Wanda Prather
> Sent: Friday, 23 January 2009 02:17
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: [ADSM-L] Move Encryption Key to another machine
>
>
> I'm confused;  TSM doesn't support restoring system state to a different
> hostname, so I don't know what would be considered "working as designed" in
> that case!
>
> How are you moving the registry?
>
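
A minimal model of the behaviour Thomas expected in the quoted message, as an added example that is not part of the thread and not TSM's actual implementation: a stored data key is wrapped under a key derived from the hostname, so a blob exported to a machine with a different hostname fails to unwrap. The function names, the PBKDF2/HMAC construction and the hostnames HOSTA and HOSTB are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _derive(hostname: str, salt: bytes) -> tuple[bytes, bytes]:
    # Assumption: the wrapping key depends only on the OS hostname.
    k = hashlib.pbkdf2_hmac("sha256", hostname.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]          # (encryption key, MAC key)

def _stream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream, standard library only (illustration).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def wrap_key(data_key: bytes, hostname: str) -> bytes:
    """Return salt || ciphertext || tag, the blob that would be stored."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive(hostname, salt)
    ct = bytes(a ^ b for a, b in zip(data_key, _stream(enc_key, len(data_key))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap_key(blob: bytes, hostname: str) -> bytes:
    """Recover the data key, or raise if the hostname does not match."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(hostname, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored key does not unwrap under this hostname")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, len(ct))))

def restore_allowed(blob: bytes, local_hostname: str) -> bool:
    # What a client following this model would decide before a restore.
    try:
        unwrap_key(blob, local_hostname)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    blob = wrap_key(os.urandom(32), "HOSTA")      # constructed sample values
    print("original host :", restore_allowed(blob, "HOSTA"))
    print("blob moved    :", restore_allowed(blob, "HOSTB"))
```

Because a hostname is not a secret, this model ties the blob to a name rather than to a machine; binding to the machine itself needs a machine-held secret (on Windows, for example, DPAPI or a TPM-sealed key).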