ADSM-L
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ADSM-L] Turning Encryption Off/On

2010-01-14 14:06:03
Subject: Re: [ADSM-L] Turning Encryption Off/On
From: adsm mailing list <adsm AT I-TSM.CO DOT UK>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 13 Jan 2010 15:14:27 +0000 
I configured dedicated Device classes and storage pools because of the 
following note in the Admin guide.


When  using  encryption-capable  drives  with  a  supported  encryption  
method,  a  new 
format  will  be  used  to  write  encrypted  data  to  tapes.  If  data  is  
written  to  volumes 
using  the  new  format  and  if  the  volumes  are  then  returned  to  
scratch,  they  will 
contain  labels  that  are  only  readable  by  encryption-enabled  drives.  To 
 use  these 
scratch  volumes  in  a  drive  that  is  not  enabled  for  encryption,  
either  because  the 
hardware  is  not  capable  of  encryption  or  because  the  encryption  
method  is  set  to 
NONE,  you  must  relabel  the  volumes. 


________________________________________
From: ADSM: Dist Stor Manager [ADSM-L AT VM.MARIST DOT EDU] on behalf of Wanda 
Prather [wanda.prather AT JASI DOT COM]
Sent: 13 January 2010 14:09
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

This is for TSM-managed encryption (the library is set to
application-managed).
You only need 1 set of scratch tapes.

One library, two storage pools, two devclasses, one encrypted, one not.
Same pool of scratch tapes.

When an encrypted tape goes scratch and comes back from the vault, it can be
reused non-encrypted.
(I think that is because the label isn't encrypted, just the data.)
TSM DB backups are never encrypted, either.

Works fine.  Beauty of TSM-managed encryption; easy peasy.  Set it and
forget it.






On Wed, Jan 13, 2010 at 6:06 AM, Stefan Folkerts <stefan.folkerts AT itaa DOT 
nl>wrote:

> I don't think you can have two devices classes (one with and one without
> encryption) sharing the same pool of scratch volumes (one logical library)
> using LTO hardware encryption.
> This is because the volume label on the tape is either written encrypted or
> it is not, I don't think the none encrypted deviceclass is able to write to
> a scratch tape labeled within an encrypted deviceclass configuration because
> the first thing it does is check the label, that's encrypted so label
> doesn't match eject -> set to private, next volume please...etc etc.
>
>
>
>
> -----Oorspronkelijk bericht-----
> Van: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] Namens
> Druckenmiller, David
> Verzonden: dinsdag 12 januari 2010 18:07
> Aan: ADSM-L AT VM.MARIST DOT EDU
> Onderwerp: Re: [ADSM-L] Turning Encryption Off/On
>
> Using hardware encryption, managed by TSM.
>
> Are you saying I can have two device classes sharing the same devices?  For
> some reason, I was always under the impression that you couldn't.  But after
> scanning the help, I don't know where I came up with that notion.  That
> would definitely make things simple for me.
>
> Thanks.
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf 
> Of
> Wanda Prather
> Sent: Tuesday, January 12, 2010 10:20 AM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Is your encryption application-managed (controlled by TSM) or
> library-managed (controlled by EKM/TKLM)?
>
> If application managed, IBM is correct, you just need a different devclass
> that specifies drive encryption OFF, pointing to the same library, and a
> new
> storage pool that specifies the non-encrypted devclass.  .
>
> I've got 4 LTO drives, onsite pool is NOT encrypted (long story there),
> COPY
> pool IS encrypted.  No biggie.
>
> W
>
>
> On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David
> <DruckeD AT mail.amc DOT edu>wrote:
>
> > We currently encrypt all our offsite tapes.  Mgmt wants to me create a
> > single unencrypted archive tape to be stored offsite long term for
> > litigation reasons.
> >
> > My question is:  If I turn off encryption long enough to get some data
> > written to this one tape, then turn encryption back on, could I then
> > continue to write uncrypted data to this one tape while all other tapes
> > would be encrypted?
> >
> > IBM is being non-committal saying we should really use new device class,
> > but I'd then have to move one tape drive over to new class each time I
> want
> > to write unencrypted.
> >
> > TSM 5.5.3
> > AIX 6.1
> > Tapes are LTO4
> >
> > Thanks
> > Dave
> >
> > -----------------------------------------
> > CONFIDENTIALITY NOTICE: This email and any attachments may contain
> > confidential information that is protected by law and is for the
> > sole use of the individuals or entities to which it is addressed.
> > If you are not the intended recipient, please notify the sender by
> > replying to this email and destroying all copies of the
> > communication and attachments. Further use, disclosure, copying,
> > distribution of, or reliance upon the contents of this email and
> > attachments is strictly prohibited. To contact Albany Medical
> > Center, or for a copy of our privacy practices, please visit us on
> > the Internet at www.amc.edu.
> >
>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ADSM-L] TSM 6.1.3 Install, Grigori Solonovitch
Next by Date:  [ADSM-L] Implementing LANFree data Movement - WIN Storage Agent Server Requirements, Botelho, Tiago (External)
Previous by Thread:  Re: [ADSM-L] Turning Encryption Off/On, Wanda Prather
Next by Thread:  [ADSM-L] pct idle wait > 100, Keith Arbogast
Indexes:  [Date] [Thread] [Top] [All Lists]