ADSM-L

[ADSM-L] TSM Encryption security gap?

2016-01-07 16:08:43
From: Roger Deschner <rogerd AT UIC DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 7 Jan 2016 15:07:01 -0600
We are starting to make more use of TSM Encryption. There is a
combination of features that appears to leave a security gap.

We have decided to use ENCRYPTKEY GENERATE, because it provides what is
in effect encryption key escrow. We require key escrow whenever
encryption is used for university data - it's surprising how many times
encryption keys get lost. We also use PASSWORDACCESS GENERATE, in order
to enable automatic scheduled backups.

The gap is in restore. If I have an encrypted drive, whose contents are
backed up using TSM encryption, and then I unplug that drive thinking it
is secure, it is not. Anyone who can boot the machine can restore
everything from the encrypted drive, without entering any key or
password, due to PASSWORDACCESS GENERATE.

We are thinking of instructing users to always do a complete shutdown
(not sleep or hibernate), and to encrypt their boot drive if they have
any sensitive data, even if that data resides somewhere other than the
boot drive. However, this is herding cats. It's unlikely to be followed
in all cases.

A possible solution would be to require re-entry of the TSM password to
restore encrypted data, if both ENCRYPTKEY GENERATE and PASSWORDACCESS
GENERATE are in effect.

Am I understanding this correctly? Is there something I am missing here?

Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
======I have not lost my mind -- it is backed up on tape somewhere.=====
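To make the interaction the post describes concrete, here is an added client option-file fragment (dsm.opt on Windows, dsm.sys on Unix/Linux). It is an illustration written for this page, not configuration from the poster or from IBM documentation, and the paths, node name and the comments on operational impact are assumptions. Only the four option keywords (PASSWORDACCESS, ENCRYPTKEY, ENCRYPTIONTYPE, INCLUDE.ENCRYPT) and their listed values are real TSM client options; lines starting with `*` are comments in these files.

```text
* --- Added example, not from the original post. Hypothetical node "labws01". ---
*
* (a) The combination the post relies on. The node password is stored locally
*     by the client and the encryption key is generated and escrowed on the
*     server, so a scheduled backup runs unattended -- and so does a restore
*     started by anyone who can log on to this node, with no key or password
*     prompt at all. That is the gap described above.
NODENAME         labws01
PASSWORDACCESS   GENERATE
ENCRYPTKEY       GENERATE
ENCRYPTIONTYPE   AES256
* "/.../" is the TSM match-any-subdirectory wildcard; path is an assumption.
INCLUDE.ENCRYPT  /sensitive/.../*

* (b) Trade-off for comparison (assumed consequence, not stated in the post):
*     ENCRYPTKEY PROMPT makes the client ask for the key on every backup and
*     restore, so an unattended restore is impossible -- but the key is never
*     escrowed on the server and scheduled backups also cannot run unattended.
*     ENCRYPTKEY SAVE keeps the key in the local password store, so it removes
*     the prompt again and does not close the gap.
* PASSWORDACCESS   GENERATE
* ENCRYPTKEY       PROMPT
* ENCRYPTIONTYPE   AES256
* INCLUDE.ENCRYPT  /sensitive/.../*
```

To check which values are actually in effect on a node before relying on either setting, run `dsmc query options` on the client and look for the ENCRYPTKEY and PASSWORDACCESS lines; the option file that was read is also reported there, which matters on multi-file Unix installations where dsm.sys and dsm.opt can disagree.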
