Folks,
 
I'm trying to plug the hole in the system here.  With TSM V5.3.5.2 and
5.4.0.2 LTO4 drives and their encryption functionality can finally be
exploited at the application level.  Within TSM, we use device classes
to enable this.  So I'm thinking one could have one device class
supporting encryption and another not (both in the same library) and
have pools associated with these device classes, blah, blah, blah.  You
get the idea.  Cool, cool.
 
OK, so now all the encryption keys are stored in the TSM database.  The
problem is I now create an un-encrypted db backup tape to send offsite
with my encrypted volumes and I've a whee bit of a problem.
 
How are others rectifying this: use System level or library level
instead of or in addition to Application Managed with TSM?  Keep the
backup tape and the storage pool volumes separate (that's gotta be a bad
idea from the get go)?  Other ideas?
 
Unless I'm missing something, this just can't work well at all.  Perhaps
a switch on the backup db command... (but then who would manage that
key?)
 
The genesis of this is my attempt to get my hands around AME, SME and
LME.  Whew: you want a headache just start reading about all of that.
And if that's not enough, IBM's Encryption Key Management Java
application is real fun.  The more I read the more I like client side
encryption.  But everyone is screaming to encrypt everything.
 
Share your thoughts.  I intend to write a short white paper on all of
this once I get my head around it all.
 
Kelly J. Lipp
VP Manufacturing & CTO
STORServer, Inc.
485-B Elkton Drive
Colorado Springs, CO 80907
719-266-8777
lipp AT storserver DOT com