ADSM-L

Re: ENCRYPTKEY

2005-03-30 10:14:29
Subject: Re: ENCRYPTKEY
From: "Stapleton, Mark" <mark.stapleton AT BERBEE DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 30 Mar 2005 09:14:14 -0600
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On 
Behalf Of William Boyer
>I have a client that is trying to set up encryption for some 
>files. TSM 5.3 client:
>
>ENCRYPTIONTYPE AES128
>
>ENCRYPTKEY        SAVE
>
>The first time he used the GUI to backup the files he was 
>prompted, but there was no indication that the INCLUDE.ENCRYPT 
>files were encrypted.
>
>Is there a way to see from the backup (DSMSCHED.LOG with 
>VERBOSE) that files were encrypted? This client is a bank and 
>he needs to
>"prove" to the auditors that files are being encrypted. After 
>the Bank of America tape loss incident, the auditors are
>understandably nervous.

The easiest way (in fact, the only way I know how) to prove the file is
encrypted is to attempt to restore the file to an alternate server; the
TSM client will request the encryption key, and will not perform the
restore without it.

The machine that owns the file has the encryption key embedded in the
Windows registry. That is why, when you restore the file to the original
machine, decryption on restore is transparent. That is also why,
when you restore the file to the original machine after it has been
rebuilt, the encryption key is requested. If the transparent
restore makes the auditors nervous, have the customer remind the
auditors that loss of control of the server console makes any security
impossible.

It would also behoove all of us to be reminded that, once a TSM client
password becomes known to (or is guessed by) malefactors, encryption and
data security are greatly compromised.

--
Mark Stapleton (stapleton AT berbee DOT com)
Office 262.521.5627
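Added example, not code from the thread or from TSM: a small audit of a client options file for the settings the question lists (ENCRYPTIONTYPE, ENCRYPTKEY, INCLUDE.ENCRYPT), so an administrator can show an auditor what the node is configured to encrypt and how the key is held. The sample dsm.opt text is constructed; keyword semantics follow the TSM 5.3 client documentation, and the finding texts are this example's own wording.

```python
"""Audit a TSM client options file (dsm.opt) for its encryption settings.
Example code, not part of TSM. Sample input below is constructed."""

SAMPLE_DSM_OPT = """\
* constructed dsm.opt fragment mirroring the settings in the thread
NODENAME          BANKSRV01
ENCRYPTIONTYPE    AES128
ENCRYPTKEY        SAVE
INCLUDE.ENCRYPT   C:\\Data\\Ledgers\\...\\*
INCLUDE.ENCRYPT   D:\\Exports\\*.csv
"""

def parse_options(text):
    """Return (options, include_encrypt_patterns). Keywords are
    case-insensitive; a line starting with '*' is a comment."""
    opts, patterns = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('*'):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'INCLUDE.ENCRYPT':
            patterns.append(value)          # keep pattern case as written
        else:
            opts[key] = value.upper()
    return opts, patterns

def audit(text):
    """Return a list of (severity, message) findings for the options file."""
    opts, patterns = parse_options(text)
    findings = []
    if not patterns:
        findings.append(('HIGH', 'no INCLUDE.ENCRYPT rules: no file is encrypted'))
    etype = opts.get('ENCRYPTIONTYPE')
    if etype is None:
        findings.append(('MEDIUM', 'ENCRYPTIONTYPE not set: client default applies'))
    elif etype == 'DES56':
        findings.append(('HIGH', 'ENCRYPTIONTYPE DES56: weaker than AES128'))
    elif etype != 'AES128':
        findings.append(('HIGH', f'ENCRYPTIONTYPE {etype}: unrecognised value'))
    keymode = opts.get('ENCRYPTKEY')
    if keymode == 'SAVE':
        findings.append(('INFO', 'ENCRYPTKEY SAVE: key held on the client, so '
                                 'restores to this machine are transparent'))
    elif keymode == 'PROMPT':
        findings.append(('INFO', 'ENCRYPTKEY PROMPT: key requested on each run'))
    elif keymode is None:
        findings.append(('MEDIUM', 'ENCRYPTKEY not set: client default applies'))
    return findings
```

A restore of one of the INCLUDE.ENCRYPT files to a second machine, as the reply suggests, remains the practical confirmation that the key is actually required.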
