Delete Encryption Key from TSM-Database

marclant

ADSM.ORG Moderator
#21
Well then I think we need to encrypt our export tapes
If you were to change the encryptkey to save instead of generate, it may achieve what you need. The only time you would not be prompted is on the original machine where it's saved, or on a new machine after doing a BMR because the password file/registry would be restored with it. Anywhere else, you'd be prompted for the encryption key. The downside is that if you change that, it will only affect new backups going forward.
thank you two for that long and complicated discussion.
You are welcome, anytime.
 

moon-buddy

ADSM.ORG Moderator
#22
Still need to authenticate as the node though. So the only people that can restore data are the people that know the node password, or the people that are able to login to a machine that already has the password stored and also have sufficient access. So in most cases, limited to administrators.

Also, if this was not allowed, what happens if the original machine is destroyed and you have to restore the data to an alternate machine?
I think you are missing the point:

When I said 'bonded to the original' it does not mean literally to the physical machine but with the node name associated with it. Case in point:

- The original machine running and a restore is needed. With 'save', TSM will look at the GID and node_name and if it is the same as its DB records, it will allow a restore

- The original machine is lost, and a restore is needed. A new node is built with the same node name as the old one. However the GID is NOT the same. When a restore is needed, TSM will prompt for the KEY regardless of whether 'save' or 'generate' was set up.

This seems just logical - and really secure - to have this approach.
 

marclant

ADSM.ORG Moderator
#23
- The original machine is lost, and a restore is needed. A new node is built with the same node name as the old one. However the GID is NOT the same. When a restore is needed, TSM will prompt for the KEY regardless of whether 'save' or 'generate' was set up.
With generate, just curious what key would you enter when prompted? The key is not known to users, only to the server and clients.
 

moon-buddy

ADSM.ORG Moderator
#24
With generate, just curious what key would you enter when prompted? The key is not known to users, only to the server and clients.
The key that was originally entered - and the system must prompt for a 'master' one be it 'generate' or 'save'.

Generate will work on later transactions.

I know that this is not what it was designed for but by doing this, an added layer of security is imposed. In short, a major change is needed.
 
