Question about data encryption

LanSchroeder
Hi everyone, I have a question on encryption in general that I'm having a hard time finding a straight answer on. When I put the statement "INCLUDE.ENCRYPT" in my dsm.opt file and perform backups, does that encrypt the data all the way from the client, as it is transmitted to the server, and then on to the data at rest in the disk pool and on tape?

Also, if that is true, is hardware encryption on the library itself needed at that point? I guess I'm having a little difficulty wrapping my head around encryption.

If anyone could point me in a good direction to do some research, or fill me in a bit more, I would really appreciate it!
 
Hi,
You can encrypt at different levels: client encryption, link encryption and tape volume encryption. Mix and match from below to suit your needs.

Client encryption will keep the data encrypted with a password of your choice, or a server-based password. The data is encrypted by the client and stored encrypted at all times. It must be decrypted by a TSM client.
Link encryption: SSL on the transport layer. Data is not encrypted while stored on the TSM server. Only useful if you share links with other companies.
Tape encryption needs a key manager that keeps track of tapes and which encryption key was used. Data is encrypted by the tape drive. It can be per tape drive, or for an entire library.


Be advised that client-based encryption is a slow task. TSM will only use one core, so your throughput will drop.

Google "tsm encryption" and you get a lot of hits.
 
Thank you for the quick response and explanation!

Data throughput is important to us, so it looks like hardware encryption is the way to go for us. The library we want to encrypt is a Quantum iScalar, so it looks like I will dig into their SKM.
 
My two cents:

I have turned on tape drive encryption in the past and if data in-flight encryption is not of a concern to you, then this should be a very transparent solution for you. This is data encryption at rest.

Just bear in mind that you need to have the right LTO version (LTO 4 and higher) to have drive encryption. TSM controls this.

If data in-flight encryption is of a concern, then you do not have a choice except to: 1) enable node encryption, or 2) use application-layer encryption/tokens.

Also, network-layer encryption encrypts data in transfer and decrypts it on the receiving end. Thus, the TSM server stores the data in its natural state unless tape drive encryption is enabled.
 
Hey guys, I have a complete Quantum iScalar tape library set up with Quantum's SKM. I'm at the point where I can test pushing data to a tape, and when I created a new storage pool using the new library devclass I keep on getting this error when trying to label new tapes...
ANR8985E The drive ****** in library ******* is using an encryption method that is incompatible with the current server settings.

I was messing with driveencryption=(yes,no,allow,external) and nothing seems to work. Is there another setting I need to address to make it all just pure library-managed encryption?
 
What version of LTO are you using? LTO 4 and up has support for encryption on TSM.

Is the tape library encryption set to have hardware encryption?

If you want TSM to manage encryption, turn OFF hardware encryption on the library side.

To allow the hardware to manage encryption, use the "external" parameter.

In any regard, the LTO version SHOULD support encryption.
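As an added illustration of the three levels described in the earlier reply (client, link and tape) and of the DRIVEENCRYPTION choices discussed just above, here is a constructed configuration fragment. It is not from the original posts or from IBM's or Quantum's documentation; the option and parameter names are real TSM client options and server commands, but the paths, the hostname and the library and device-class names (ISCALAR, ISCALAR_LTO6) are hypothetical placeholders.

```text
# ---- Client side: dsm.opt / dsm.sys (hypothetical paths and hostname) ----

# Level 1: client (node) encryption. Data is encrypted on the node before it is
# sent, and stays encrypted in the disk pool and on tape; only a TSM client
# holding the key can read it back. This is the CPU-bound option.
ENCRYPTKEY          SAVE              # SAVE | PROMPT | GENERATE
ENCRYPTIONTYPE      AES256
INCLUDE.ENCRYPT     /data/finance/.../*
EXCLUDE.ENCRYPT     /data/finance/scratch/.../*

# Level 2: link (in-flight) encryption. TLS between client and server only;
# the server stores the data in the clear unless level 1 or level 3 also applies.
SSL                 YES
TCPSERVERADDRESS    tsmserver.example.internal
TCPPORT             1543              # must be the server's SSLTCPPORT, not its plain TCPPORT

# ---- Server side: dsmadmc (hypothetical library and device-class names) ----

# Level 3: tape drive encryption, selected per device class.
# Library-managed: the library's key manager (e.g. SKM) owns the keys and
# TSM neither generates nor stores them.
DEFINE DEVCLASS ISCALAR_LTO6 LIBRARY=ISCALAR DEVTYPE=LTO FORMAT=ULTRIUM6C DRIVEENCRYPTION=EXTERNAL

# Application-managed alternative: TSM generates the keys and keeps them in
# its database (so the database backup now also protects the tape keys).
UPDATE DEVCLASS ISCALAR_LTO6 DRIVEENCRYPTION=ON

# Check the setting the server is actually using before labeling any tapes.
QUERY DEVCLASS ISCALAR_LTO6 FORMAT=DETAILED
```

Only one of the two DEVCLASS statements should be in effect at a time; they are shown together to contrast the library-managed (EXTERNAL) and TSM-managed (ON) modes. Note which level covers which hop: level 1 protects the wire and both pools, level 2 protects only the wire, and level 3 protects only the tape, never the disk pool.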
 
It's LTO6, and the library is set to have an encrypted partition which includes all tape drives. Is there a TSM server setting that I missed somewhere besides the device class?
I want TSM to have no part in the encryption process, but it still somehow sees encryption. I have one more theory to test... change the medium changer driver to IBM's medium changer driver instead of the iScalar one.
 
Changing the driver didn't help all that much... but I just might have had a light bulb go off in my head.

Since the library manages the encryption... I'm thinking I should have to import all the media into the library partition prior to labeling/checking the volumes in to the storage pool. The TSM server is completely unaware of encryption, so when brand new volumes are inserted into the library, the library is unaware of the new tapes as well until they are imported into the encrypted partition... hence it fails when I tell TSM to label volumes. Time for more testing.
 
Nothing is working, and so far I have a PMR open with IBM. I hope they are as stumped as I am, because it's been 2 days since I heard from them.
 