Securing the TSM Backup tape - Sending Offsite

Fontesg

We are encrypting our offsite copy pools using LTO4 drive encryption and having TSM do the key management. Here is the problem: the encryption keys are stored in the TSM database, which has to be on an unencrypted volume. So, sending the tapes offsite along with the database tape is a security risk because the keys are in the database. Anyone having this issue? I am asking for an enhancement to allow us to get symmetric pass-phrase encryption to protect the database on the DB tape.

Anyone else have this issue, have you found a solution?
 
The best solution I have seen is client encryption. There are more keys to manage but once the client prepares the data, it is encrypted and can't be decrypted except with the client key. Even while traveling down the wire to the TSM server it is encrypted.

This allows for the TSM DB backup to be unencrypted and not have to worry about drive keys in the DB.

-Aaron
 
Okay people, I HAVE to say this. Do NOT just turn on encryption, be it drive or client, UNLESS you have a solid, reliable key management infrastructure in place. If you lose a key, you are likely to be way more screwed than if you lost a tape.

As you know from other posts, getting data from a TSM tape is a big challenge. If you want to make that challenge damn near impossible, use block-level differencing for the backups: that will really scramble your data!
 