ADSM-L

Re: [ADSM-L] More tsm encryption questions

2012-03-23 08:53:15
Subject: Re: [ADSM-L] More tsm encryption questions
From: Bill Boyer <bjdboyer AT COMCAST DOT NET>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 23 Mar 2012 08:50:56 -0400
Depends on your goal for encryption. If you need it for encrypting during
transport ( or maybe use SSL ), encrypted data at rest on your storage, data
is encrypted on the tapes going offsite,... Yeah the key is in the TSM DB,
but you need to restore/rebuild TSM to be able to get it. Just dumping out
the tape isn't going to get you any eye-readable material. Don't know if the
auditors or lawyers would accept it, but it's better than nothing. I've
referred to it in the past as the cheap managers' encryption scheme. If you
really need to lock it down, then hardware encryption is the way to go with
an external key manager, but that co$t$, is vendor specific as you need TKLM
if you use IBM hardware and you can't mix it if you go to a recovery site.

So it depends on what you're trying to accomplish and the budget you have.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Steven Langdale
Sent: Thursday, March 22, 2012 5:10 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] More tsm encryption questions

Well, there you go. you're spot on there Bill!

I'm struggling to see what use generate is. What's the point of encrypting
the data when the key is handed out whenever a restore is performed?

That must be why I've only ever used "encryptkey save" in the past.


On 22 March 2012 19:57, Bill Boyer <bjdboyer AT comcast DOT net> wrote:

> With the ENCRYPTKEY GENERATE specified the client creates the key at
> the beginning of the backup and that key is kept with the data stream
> stored on the TSM server. When you restore this the key in the data
> stream is used. I believe they also refer to this as transparent
> encryption.
>
> The include.encrypt will only effect future backups, not any backups
> already encrypted and stored on the TSM server.
>
>
> Bill Boyer
> "There are 10 kinds of people in the world. Those that understand
> binary and those that don't." - ??
>
>
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf
> Of Steven Langdale
> Sent: Thursday, March 22, 2012 2:21 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: [ADSM-L] More tsm encryption questions
>
> They restored because the client had an encryption key, delete that,
> or possibly the encryptiontype line and you will be prompted for it.
>
> As for testing to see if they ARE encrypted, I think the client may
> say with a q backup (but not sure). The test I used was to try a
> restore after I had removed the key file.
>
> One aside, if you are using tape technology that compresses, the
> compression will go down the drain.
>
> Steven
>
>
>
> On 22 March 2012 18:01, Lee, Gary <GLEE AT bsu DOT edu> wrote:
>
> > Ok.  Think I have encryption working.
> >
> > Tried the following experiment.
> >
> > 1. Added these lines to dsm.opt
> >
> > encryptiontype aes128
> > encryptkey generate
> > include.encrypt "c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*"
> >
> > 2. did an incremental backup to pick up the crypt folder just
> > created and filled.
> >
> > 3. deleted all files starting with "phon"
> >
> > 4. restored files starting with phon back to crypt folder. Went well.
> >
> > 5. commented all encryption related lines out of dsm.opt.
> >
> > 6. removed phone* from crypt folder again.
> >
> > 7. restored phone* back to crypt folder.
> >
> > I thought that with encryption lines removed from dsm.opt, either
> > the encrypted files wouldn't restore, or would be restored as garbage.
> > Not so. Restored perfectly.
> >
> > What have I missed?
> > Also, is there a way to verify that the specified files are truly
> > encrypted?
> >
> > Thanks again for the assistance.
> >
> >
> >
> >
> > Gary Lee
> > Senior System Programmer
> > Ball State University
> > phone: 765-285-1310
> >
> >
>
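A toy model of the two client key-management modes Bill describes (ENCRYPTKEY GENERATE versus SAVE), added here as an illustration and not TSM code or anything posted in the thread: an HMAC-SHA256 keystream stands in for AES-128, two dictionaries stand in for the server's stored object and the client's key store, and every function name and the sample plaintext are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PLAINTEXT = b"constructed sample: contents of phone-list.txt"  # constructed input

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES-128): XOR with an HMAC-SHA256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def backup(plaintext: bytes, mode: str, client_store: Dict[str, bytes]) -> Dict[str, Optional[bytes]]:
    """Return the object as the server would store it.
    'generate': a per-backup key travels in the data stream, so it lives on the server.
    'save': the key lives only in the client's key store; the stored object carries no key."""
    nonce = os.urandom(8)
    if mode == "generate":
        key = os.urandom(16)
        return {"nonce": nonce, "ct": keystream_xor(key, nonce, plaintext), "key_in_stream": key}
    key = client_store.setdefault("key", os.urandom(16))
    return {"nonce": nonce, "ct": keystream_xor(key, nonce, plaintext), "key_in_stream": None}

def restore(obj: Dict[str, Optional[bytes]], client_store: Dict[str, bytes]) -> Optional[bytes]:
    """Use the in-stream key if present, else the client's; None models a failed key prompt."""
    key = obj["key_in_stream"] or client_store.get("key")
    if key is None:
        return None
    return keystream_xor(key, obj["nonce"], obj["ct"])

def run_experiment(mode: str) -> Tuple[bool, bool, bool]:
    """Replay the thread's test: (restore ok with the client key present,
    restore ok after the client key is removed, plaintext visible in a raw dump)."""
    client_store: Dict[str, bytes] = {}
    obj = backup(PLAINTEXT, mode, client_store)
    with_key = restore(obj, client_store) == PLAINTEXT
    client_store.clear()                        # step 5: encryption settings/key gone from the client
    after_removal = restore(obj, client_store) == PLAINTEXT
    raw_dump_readable = PLAINTEXT in obj["ct"]  # "dumping out the tape" check
    return with_key, after_removal, raw_dump_readable

if __name__ == "__main__":
    for mode in ("generate", "save"):
        print(mode, run_experiment(mode))
```

In generate mode the restore still succeeds with the client key store empty, which is what Gary observed; in save mode it does not, and in neither mode does a raw dump of the stored object contain the plaintext.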
