ADSM-L

[ADSM-L] AW: [ADSM-L] 3592 Drive Encryption

2008-01-09 09:42:09
Subject: [ADSM-L] AW: [ADSM-L] 3592 Drive Encryption
From: "Herrmann, Boris" <Boris.Herrmann AT ARAG DOT DE>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 9 Jan 2008 15:39:24 +0100
Neil,

thanks for your detailed information. I've checked with IBM support. 
Unfortunately our 3592-E05 Drives are not encryption capable. IBM support told 
me that we can purchase a feature code (with the result that all our drives 
would be replaced with new ones), but our management didn't want to pay anything. 

They asked me if there would be any other way to encrypt the data without any 
cost. I don't know any way except the TSM client encryption (but I think it's 
not practical to encrypt all data on the client systems, or is it?). We make 
normal backups and archives, a lot of db2 api backups, TDP (Exchange, Domino, 
MSSQL) and Oracle RMAN backups. Every day we back up about 3-5 TB.

Does anyone have any other practical implementation of encrypting Volumes 
without hardware drive encryption? 

With kind regards,
______________________________________
 
Boris Herrmann
Produktion / Heterogene Systeme 
 
ARAG IT GmbH
ARAG Platz 1, 40472 Düsseldorf
 
Tel:  +49 (0)211 964-1137
Fax: +49 (0)211 964-1155
Boris.Herrmann AT ARAG DOT de
www.ARAG.de
 
 
Managing Directors:  Ottmar Liebler, Hanno Petersen 
Registered office and court of registration:  Düsseldorf,  HRB 10934
VAT ID No.:  DE 119 356 473
 


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf 
Of Strand, Neil B.
Sent: Monday, January 7, 2008 17:03
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] 3592 Drive Encryption


Boris,
   Verify that the library and drives are capable - may need a firmware upgrade 
or feature code - check with IBM.  You will also want to ensure you have the 
latest Atape driver installed.

   A logical library is either encryption capable or not - the drives in a 
logical library cannot be mixed.  If you implement library managed encryption, 
you have a great deal of flexibility over which volumes get encrypted and 
which encryption keys they are encrypted with.

   I strongly encourage you to set up at least two, redundant Encryption Key 
Managers (EKM) because if a drive is unable to get a key, you get no volume to 
read from or write to and things can grind to a halt quickly.
   There are several IBM references including a Redbook on setting up the EKM.

   You may consider first creating a logical library with one or two drives and 
then testing various configurations with a small number of volumes and data 
that can be lost if you mess up.  If you lose the encryption key, you lose the 
data that was saved with it - you have been warned, no key, no data.

   I encrypt everything that goes on tape (primary and copy pools) on the 
assumption that tape is easily transportable.  If a tape is ejected from the 
library (for any reason), all of the data is still protected by encryption.  
There is negligible performance impact with encryption on these drives.

   Plan on at least a 4-6 week implementation and make sure you test and 
document your key and data recovery procedures and key changing procedures.

   I choose to implement library managed rather than application managed 
because it offered flexibility to have the encryption component managed by our 
security team without having them learn TSM.  It also allows encryption of 
media outside of TSM so if we need to ship a tarfile on tape, it can be done 
securely with a minimum of fuss.  Library managed also allows you to specify 
which tapes get encrypted - a volser range or a single tape to be encrypted 
with a specific encryption key (that key could be shared with a business 
partner).


Cheers,
Neil Strand
Storage Engineer - Legg Mason
Baltimore, MD.
(410) 580-7491
Whatever you can do or believe you can, begin it.
Boldness has genius, power and magic.


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
Herrmann, Boris
Sent: Monday, January 07, 2008 10:10 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] 3592 Drive Encryption

Hello TSM'ers,

I've a question regarding Drive Encryption. We have a TSM Server v5.4.1.2 (on 
AIX 5.3.0.0) with a 3584 Tape Library and 3592-E05 Drives. We share this 
Library with our mainframe colleagues (one logical Library for mainframe and 
one logical Library for our TSM environment). Now our management wishes to 
encrypt our COPYSTORAGE-Pool volumes.

My questions:
Does anyone have any experience with that issue and can give us some hints and 
tips on how to implement the Drive Encryption? Do we need additional Feature 
Codes for the Drives? Can we enable Drive Encryption only for our Logical 
Library without interfering with our mainframe colleagues?


With kind regards,

Boris Herrmann

