The Redbook "IBM Tivoli Storage Manager: Building a Secure Environment"
(SG24-7505-00) goes into a bit more detail.
A stolen storage pool tape is not, in and of itself, a security exposure; the
thief will not have access to the TSM database entry containing the encryption
key. If someone steals a storage pool tape and the various items needed for a
database restore (database backup tape, volume history file, and device
configuration file), they can decrypt the contents of the storage pool tape, as
long as they have the necessary hardware and the knowledge needed to carry out
what amounts to a TSM DR process.
Thomas Denier
Thomas Jefferson University
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
McWilliams, Eric
Sent: Wednesday, July 08, 2015 2:50 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Tape Encryption
We are currently encrypting our data as it is being written to tape. The
auditors want to know how the encryption keys are managed. All I can find is
that the keys are managed by the Tivoli Storage Manager.
Does anyone have any documentation that explains how the keys are managed and
what keeps someone from decrypting a tape that is lost or stolen?
tsm: >q dev ltodevc f=d
Device Class Name: LTODEVC
Device Access Strategy: Sequential
Storage Pool Count: 1
Device Type: LTO
Format: DRIVE
Est/Max Capacity (MB):
Mount Limit: DRIVES
Mount Wait (min): 60
Mount Retention (min): 60
Label Prefix: ADSM
Drive Letter:
Library: MEDSLIB
Directory:
Server Name:
Retry Period:
Retry Interval:
Twosided:
Shared:
High-level Address:
Minimum Capacity:
WORM: No
Drive Encryption: On
Scaled Capacity:
Primary Allocation (MB):
Secondary Allocation (MB):
Compression:
Retention:
Protection:
Expiration Date:
Unit:
Logical Block Protection: No
Last Update by (administrator):
Last Update Date/Time: 12/08/2014 13:14:44
Volume Name: XXXXXXX
Storage Pool Name: TAPEPOOL
Device Class Name: LTODEVC
Estimated Capacity: 2.3 T
Scaled Capacity Applied:
Pct Util: 100.0
Volume Status: Full
Access: Read/Write
Pct. Reclaimable Space: 0.0
Scratch Volume?: Yes
In Error State?: No
Number of Writable Sides: 1
Number of Times Mounted: 1
Write Pass Number: 1
Approx. Date Last Written: 07/02/2015 05:16:24
Approx. Date Last Read: 07/02/2015 05:16:24
Date Became Pending:
Number of Write Errors: 0
Number of Read Errors: 0
Volume Location:
Volume is MVS Lanfree Capable : No
Last Update by (administrator):
Last Update Date/Time: 06/30/2015 18:17:40
Begin Reclaim Period:
End Reclaim Period:
Drive Encryption Key Manager: Tivoli Storage Manager
Logical Block Protected: No
Thanks
Eric
**********************************************************************
*** CONFIDENTIALITY NOTICE ***
This message and any included attachments are from MedSynergies, Inc. and are
intended only for the addressee. The contents of this message contain
confidential information belonging to the sender that is legally protected.
Unauthorized forwarding, printing, copying, distribution, or use of such
information is strictly prohibited and may be unlawful. If you are not the
addressee, please promptly delete this message and notify the sender of the
delivery error by e-mail or contact MedSynergies, Inc. at postmaster AT
medsynergies DOT com.
The information contained in this transmission contains privileged and
confidential information. It is intended only for the use of the person named
above. If you are not the intended recipient, you are hereby notified that any
review, dissemination, distribution or duplication of this communication is
strictly prohibited. If you are not the intended recipient, please contact the
sender by reply email and destroy all copies of the original message.
CAUTION: Intended recipients should NOT use email communication for emergent or
urgent health care matters.
|
