JensD
ADSM.ORG Senior Member
Hi
I've been looking at setting up data-at-rest encryption all over, and I've come to our backups in TSM (v7.1.6.0) on Linux, and I need some advice or pointers to the right parts of the documentation that have been unable to locate myself.
For everything on disk (random STGPs for incoming data, on-disk STGPs for main storage and later copy to on-tape copy STGPs), I'm going to migrate the individual LVM PVs for all LVs to new LUKS/dm-crypt'ed PVs, so everything should be transparent to TSM.
For all data tape volumes, what are the caveats for just updating my LTO4 library deviceclass to DRIVEEncryption=ON and have TSM manage the keys - will TSM just begin to write encrypted data the next time any STGP data is written?
I cannot find any mention of how I ensure that all existing tapes are repopulated with encrypted data, but I would need that to happen as well - hopefully without having to resort to setting ACCESS=DESTROYDD for all tape volumes to force TSM to rewrite data from the on-disk STGPs, but what are my options here?
Furthermore, I can see that I need to secure a copy of the master encryption key somehow.
In TSM v7.1.8 there was an optimization/improvement mention here: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.8/srv.common/r_techchg_srv_ekey_718.html, but as I'm currently running v7.1.6, does that mean that I have to back up dsmserv.pwd myself, or can I just run DB backups with options PROTECTKeys=YES and PASSword=<some password> and then just keep the chosen password safe?
I also take it, that when I eventually come around to upgrading to later versions of TSM I either have to secure copies of cert.kdb, dsmkeydb.kdb, cert.sth and dsmkeydb.sth (mentioned in the like above) or just use PROTECTKeys=YES and PASSword=<some password> as with v7.1.6?
I've been looking at setting up data-at-rest encryption all over, and I've come to our backups in TSM (v7.1.6.0) on Linux, and I need some advice or pointers to the right parts of the documentation that have been unable to locate myself.
For everything on disk (random STGPs for incoming data, on-disk STGPs for main storage and later copy to on-tape copy STGPs), I'm going to migrate the individual LVM PVs for all LVs to new LUKS/dm-crypt'ed PVs, so everything should be transparent to TSM.
For all data tape volumes, what are the caveats for just updating my LTO4 library deviceclass to DRIVEEncryption=ON and have TSM manage the keys - will TSM just begin to write encrypted data the next time any STGP data is written?
I cannot find any mention of how I ensure that all existing tapes are repopulated with encrypted data, but I would need that to happen as well - hopefully without having to resort to setting ACCESS=DESTROYDD for all tape volumes to force TSM to rewrite data from the on-disk STGPs, but what are my options here?
Furthermore, I can see that I need to secure a copy of the master encryption key somehow.
In TSM v7.1.8 there was an optimization/improvement mention here: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.8/srv.common/r_techchg_srv_ekey_718.html, but as I'm currently running v7.1.6, does that mean that I have to back up dsmserv.pwd myself, or can I just run DB backups with options PROTECTKeys=YES and PASSword=<some password> and then just keep the chosen password safe?
I also take it, that when I eventually come around to upgrading to later versions of TSM I either have to secure copies of cert.kdb, dsmkeydb.kdb, cert.sth and dsmkeydb.sth (mentioned in the like above) or just use PROTECTKeys=YES and PASSword=<some password> as with v7.1.6?