ADSM-L

Re: [ADSM-L] More tsm encryption questions

2012-03-22 20:37:42
Subject: Re: [ADSM-L] More tsm encryption questions
From: "Prather, Wanda" <wPrather AT ICFI DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 23 Mar 2012 00:33:09 +0000
>>I'm struggling to see what use generate is. What's the point of encrypting 
>>the data when the key is handed out whenever a restore is performed?
Well, it prevents anybody who doesn't have access to the console of that 
machine from restoring the data, esp. to a different machine.
If you don't use generate, then the backup can't be run by the scheduler 
because there is no one there to answer the prompt for the key.

If you want to do a manual backup and supply the key, specify encryptkey prompt.

Here is info you can use to verify whether the data is encrypted:
http://adsm.org/lists/html/ADSM-L/2009-03/msg00425.html


That must be why I've only ever used "encryptkey save" in the past.


On 22 March 2012 19:57, Bill Boyer <bjdboyer AT comcast DOT net> wrote:

> With the ENCRYPTKEY GENERATE specified the client creates the key at 
> the beginning of the backup and that key is kept with the data stream 
> stored on the TSM server. When you restore this the key in the data 
> stream is used. I believe they also refer to this as transparent encryption.
>
> The include.encrypt will only affect future backups, not any backups 
> already encrypted and stored on the TSM server.
>
>
> Bill Boyer
> "There are 10 kinds of people in the world. Those that understand 
> binary and those that don't." - ??
>
>
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf 
> Of Steven Langdale
> Sent: Thursday, March 22, 2012 2:21 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: [ADSM-L] More tsm encryption questions
>
> They restored because the client had an encryption key, delete that, 
> or possibly the encryptiontype line and you will be prompted for it.
>
> As for testing to see if they ARE encrypted, I think the client may 
> say with a q backup (but not sure).  The test I used was to try a 
> restore after I had removed the key file.
>
> One aside, if you are using tape technology that compresses, the 
> compression will go down the drain.
>
> Steven
>
>
>
> On 22 March 2012 18:01, Lee, Gary <GLEE AT bsu DOT edu> wrote:
>
> > Ok.  Think I have encryption working.
> >
> > Tried the following experiment.
> >
> > 1. Added these lines to dsm.opt
> >
> > encryptiontype aes128
> > encryptkey generate
> > include.encrypt "c:\Documents and Settings\glee.BSU\My 
> > Documents\crypt\...\*"
> >
> > 2. did an incremental backup to pick up the crypt folder just 
> > created and filled.
> >
> > 3. deleted all files starting with "phon"
> >
> > 4.  restored files starting with phon back to crypt folder.  Went well.
> >
> > 5. commented all encryption related lines out of dsm.opt.
> >
> > 6. removed phone* from crypt folder again.
> >
> > 7. restored phone* back to crypt folder.
> >
> > I thought that with encryption lines removed from dsm.opt, either 
> > the encrypted files wouldn't restore, or would be restored as garbage.
> > Not so. Restored perfectly.
> >
> > What have I missed?
> > Also, is there a way to verify that the specified files are truly 
> > encrypted?
> >
> > Thanks again for the assistance.
> >
> >
> >
> >
> > Gary Lee
> > Senior System Programmer
> > Ball State University
> > phone: 765-285-1310
> >
> >
>