Delete Encryption Key from TSM-Database

Well then, I think we need to encrypt our export tapes.
If you were to change the encryptkey to save instead of generate, it may achieve what you need. The only time you would not be prompted is on the original machine where it's saved, or on a new machine after doing a BMR because the password file/registry would be restored with it. Anywhere else, you'd be prompted for the encryption key. The downside is that if you change that, it will only affect new backups going forward.
Thank you two for that long and complicated discussion.
You are welcome, anytime.
 
Still need to authenticate as the node though. So the only people that can restore data are the people that know the node password, or the people that are able to log in to a machine that already has the password stored and also have sufficient access. So in most cases, limited to administrators.

Also, if this was not allowed, what happens if the original machine is destroyed and you have to restore the data to an alternate machine?

I think you are missing the point:

When I said 'bonded to the original' it does not mean literally to the physical machine but with the node name associated with it. Case in point:

- The original machine is running and a restore is needed. With 'save', TSM will look at the GID and node_name and if it is the same as its DB records, it will allow a restore.

- The original machine is lost, and a restore is needed. A new node is built with the same node name as the old one. However, the GID is NOT the same. When a restore is needed, TSM will prompt for the KEY regardless of whether 'save' or 'generate' was set up.

This seems just logical - and really secure - to have this approach.
 
- The original machine is lost, and a restore is needed. A new node is built with the same node name as the old one. However, the GID is NOT the same. When a restore is needed, TSM will prompt for the KEY regardless of whether 'save' or 'generate' was set up.
With generate, just curious what key would you enter when prompted? The key is not known to users, only to the server and clients.
 
With generate, just curious what key would you enter when prompted? The key is not known to users, only to the server and clients.

The key that was originally entered - and the system must prompt for a 'master' one be it 'generate' or 'save'.

Generate will work on later transactions.

I know that this is not what it was designed for, but by doing this, an added layer of security is imposed. In short, a major change is needed.
 