ADSM-L

Re: [ADSM-L] TSM has built-in encryption?

2008-03-06 11:18:20
From: Wanda Prather <wprather AT JASI DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 6 Mar 2008 11:03:12 -0500
The TSM clients (including TDPs) can encrypt at AES 256.  You take a hit on
performance for both backup and restore; you need to also turn on
compression on the client, as encrypted data can't be compressed by the tape
drive.

If you want to encrypt using the backup client, I STRONGLY recommend you
upgrade to 5.5, where the TSM server manages the keys for you.  Prior to
that level, you have to maintain the keys manually; if you lose the keys and
have to go to a DR site, you won't get your data back.  At 5.5, the keys are
generated randomly and maintained in the TSM data base.  (The TDPs have the
keys managed by the TSM data base starting at 5.3; for regular clients, that
feature starts at 5.5.)

A better/cleaner method is encrypting outboard in the hardware.  Look into
upgrading your drives to LTO4; then (with an additional feature code on your
3584) you can do the encryption outboard, with no performance hit.  TSM can
still maintain the keys for you, if you want, or you can use an external key
manager that IBM provides.

Whether or not you can encrypt data that goes to your VTL outboard depends
on your VTL vendor.


On 3/6/08, Bell, Charles (Chip) <Chip.Bell AT bhsala DOT com> wrote:
>
> I am wondering what level of encryption TSM has as an application, if at
> all.
>
> We are running v5.4.2.0 on the server.
>
> We have a 3584 with LTO1 and LTO2, with copies of both going offsite to
> Iron Mountain.
>
> We have a VTL emulating 3592 for onsite use.
>
> God bless you!!!
>
> Chip Bell
> Network Engineer I
> IBM Tivoli Certified Deployment Professional
> Baptist Health System
> Birmingham, AL
>
>
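
The point in the reply above about turning on client compression when the client encrypts, as an added example that is not part of the original post and is not TSM code: it compares how many bytes reach tape when the drive alone compresses, when the client only encrypts, and when the client compresses before encrypting. Assumptions: `zlib` stands in for the tape drive's compression, a SHA-256 keystream stands in for the client's cipher, and the key and sample data are constructed.

```python
import hashlib
import zlib

KEY = b"constructed-demo-key"  # constructed value, for the demo only
# Constructed sample data: repetitive, log-like text that compresses well.
SAMPLE = b"".join(
    f"2008-03-06 11:03:{i % 60:02d} backup of /data/file{i:05d}.dat completed\n".encode()
    for i in range(5000)
)

def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Stand-in only: not AES, not for real use.
    Like any sound cipher, its output is statistically indistinguishable from noise."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def bytes_on_tape(data: bytes, client_compress: bool, client_encrypt: bool) -> int:
    """Size after optional client compression, optional client encryption,
    then the drive's own compression (zlib as a stand-in for the drive)."""
    if client_compress:
        data = zlib.compress(data)
    if client_encrypt:
        data = stand_in_cipher(KEY, data)
    return len(zlib.compress(data))

def compare() -> dict:
    return {
        "original": len(SAMPLE),
        "drive compression only": bytes_on_tape(SAMPLE, False, False),
        "client encrypt only": bytes_on_tape(SAMPLE, False, True),
        "client compress + encrypt": bytes_on_tape(SAMPLE, True, True),
    }

if __name__ == "__main__":
    for label, size in compare().items():
        print(f"{label:28s}{size:>10d} bytes")
```

Encrypting without compressing first leaves the drive nothing to squeeze, so the tape holds roughly the full original size; compressing on the client before encryption recovers most of the saving.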
