ADSM-L

Re: [ADSM-L] tape encryption in TSM environment

2011-06-13 16:42:23
From: Shawn Drew <shawn.drew AT AMERICAS.BNPPARIBAS DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 13 Jun 2011 16:37:46 -0400
With TSM, you are already assuming the database will be consistent to be
able to restore anything, encryption or not.
TSM isn't more or less likely to lose an application managed encryption
key than it is to lose an inventory reference to any particular file.

With application managed encryption, you are storing the keys in the TSM
DB along with all the other metadata, so you aren't adding any points of
failure.
You will need to protect your database using different storage since it
won't be encrypted (i.e. on disk/VTL with offsite replication or
something like that).

With encryptkey=save, the key is stored on the filesystem and, as a
result, in the normal TSM backups. One could argue that this has more points
of failure (the TSM database reference and the storage media that the
key is actually stored on), as opposed to only in the TSM DB.

Even if your goal is only to offload responsibility to the customer, when
their keyfile gets corrupted, they'll come to TSM to restore the key
anyway. And if it is Windows, who wants to restore a registry?!

random encryption ramblings...


Regards,
Shawn
________________________________________________
Shawn Drew




From: warbogas AT INDIANA DOT EDU
Sent by: ADSM-L AT VM.MARIST DOT EDU
Date: 06/13/2011 03:53 PM
Please respond to: ADSM-L AT VM.MARIST DOT EDU
To: ADSM-L
Subject: Re: [ADSM-L] tape encryption in TSM environment

Someone here is not willing to bet his career on the reliability of a TSM
server managed encryption key. He reasons that if a key is lost on the TSM
server side of backups, the data could not be recovered, and we would be
accountable. If a client admin loses an encryption key, he is accountable.
So we do not use drive-based encryption, and tell our customers to use
client-based encryption, specifying 'encryptkey save'.

I cannot guarantee that TSM will never lose an application managed
encryption key.  Am I missing something?

With my thanks,
Keith Arbogast


