TSM for VE - Client side encryption

P-to-H

Active Newcomer
#1
Hello community,

My job is to encrypt VM backups. But I don't know how.

I already used a lot of Google to find out how but so far I could only find the following pages:

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.6/client/r_opt_encryptkey.html
https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.4/client/c_bac_encryptunx.html
https://www.ibm.com/support/pages/encrypting-vmware-vm-backups

Now I seem to know that I have to set the options in dsm.sys:

encryptkey
include.encrypt *

However, when I start dsmc, I get the message that the entries are ignored.

Code:
# dsmc
ANS1691I  The option 'ENCRYPTKEY' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 3 is not supported and will be ignored by the client.
ANS1691I  The option 'INCLUDE.ENCRYPT' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 6 is not supported and will be ignored by the client.

Does any of you have any experience with encrypting VM data?

Our system information:
Red Hat 7.3
Command Line Backup-Archive Client Interface
Client Version 8, Release 1, Level 8.0
Server Version 8, Release 1, Level 6.200
Server is Running on AIX 7200-03-03-1914
 

Trident

TSM noob with 12 years experience
ADSM.ORG Moderator
#2
Hi,
You need to specify
encryptiontype AES128 or AES256
encryptkey save, prompt or generate

For encryptkey;
save - you will be asked for a password, and it will be saved. You lose it, and all is gone
prompt - you are always asked for a password. Please store all the passwords you enter
generate - client and server will create a password, and it is stored on the tsm server

In a VMware environment, where you may have multiple data movers, I would be very careful about setting encryption passwords. Please test what happens if one dm backs up a vm, and another dm restores it.
I have not used encryption for TSMVE, so do not grab all of this as the final solution.

Good luck,
 

P-to-H

Active Newcomer
#3
Hello Trident,

thank you for your explanation.
Unfortunately, the message is still coming.

Code:
ANS1691I  The option 'ENCRYPTIONTYPE' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 2 is not supported and will be ignored by the client.
ANS1691I  The option 'ENCRYPTKEY' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 3 is not supported and will be ignored by the client.
ANS1691I  The option 'INCLUDE.ENCRYPT' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 4 is not supported and will be ignored by the client.

IBM also gives different information on where to write the options. Sometimes it says that they belong in the dsm.sys and sometimes in the dsm.opt.

The message that the option is ignored only comes when I write it in the dsm.opt. If the options are in dsm.sys nothing happens.

Do you happen to know where the option really has to be?


Code:
# cat dsm.opt
Servername  DM_TEST
encryptiontype AES256
encryptkey save
include.encrypt *

Code:
# cat dsm.sys
Servername         DM_TEST
Nodename          DM_TEST
Asnodename        CLUSTER_TEST

TCPPort           1507
TCPADMINPort      1527
TCPServeraddress  tsm

*Password
  Passwordaccess        Generate
  PAssworddir           /usr/local/tsm

*ErrorLogPath + expiry time
  ErrorlogName          /var/tsm/dsmerror_ve.log
  ErrorlogRetention     8,D

*SchedLogPath + expiry time
  SchedlogName          /var/tsm/dsmsched_ve.log
  SchedlogRetention     8,D

*instrlogname
  Instrlogname          /var/tsm/dsminstr.log
  INSTRLOGMAX           20

*Network tuning
  TCPWindow             0
  TCPBuffsize           32
  TXNB                  10G
  TCPNode               yes

*Sched Parameter
webports               1552 1553
TCPClientport          1502
managedservices        schedule webclient

*VM
VMCHost                 vcenter
include.vmsnapshotattempts     "*" 0 4
VMMAXParallel                  40
VMLIMITPERDATASTORE            40
vmprocessvmwithindependent     yes
vmprocessvmwithprdm            yes
vmmaxvirtualdisks              999
vmctlmc                        meta
vmmc                           data

encryptiontype AES256
encryptkey save
include.encrypt *

Thanks a lot
 

P-to-H

Active Newcomer
#4
Hello everybody,

in the meantime I have received an answer from IBM Support. For Linux, the options must be entered in the dsm.sys. Here was a mistake on my part.

Then for TSMfVE the option "encryptkey" must be set to "generate".

I'll try it. During this time, the support would also like to find a command with which you can check that the data is really encrypted (to calm down the customers :))
 
#5
Hi,

furthermore it did not work to encrypt the backups.

IBM has now told me that encryption only works with "mode = FULL". However, this mode has been removed from Client 8.1. This means that encryption is no longer available.
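
As an added example (not part of the original thread and not IBM code), the following POSIX shell function audits the point the thread settles on: on Linux the ENCRYPTIONTYPE, ENCRYPTKEY and INCLUDE.ENCRYPT options are ignored in dsm.opt and belong in dsm.sys, with encryptkey set to generate for TSM for VE. The function name, the finding labels and the sample files are constructed for illustration, and a single server stanza is assumed; it checks option placement only, not whether stored data is encrypted.

```shell
#!/bin/sh
# Added example (not IBM code): audit where the client encryption options sit.
# Assumes one server stanza in dsm.sys, as in the thread's configuration.

# audit_enc_placement DSM_OPT DSM_SYS
# Prints one finding per line and returns 1 if there was any finding.
audit_enc_placement() {
    awk -v opt="$1" -v sys="$2" '
        function report(msg) { print msg; bad = 1 }
        NF == 0 || $1 ~ /^\*/ { next }      # blank line or "*" comment
        {
            name = toupper($1)              # option names are case-insensitive
            if (name !~ /^(ENCRYPTIONTYPE|ENCRYPTKEY|INCLUDE\.ENCRYPT)$/) next
            if (FILENAME == opt) {
                # The client reports these with ANS1691I and ignores them.
                report("MISPLACED " FILENAME ":" FNR " " name " (move to dsm.sys)")
            } else {
                seen[name] = 1
                # Post #4: IBM Support asked for "generate" with TSM for VE.
                if (name == "ENCRYPTKEY" && toupper($2) != "GENERATE")
                    report("VALUE " FILENAME ":" FNR " ENCRYPTKEY " $2 " (expected generate)")
            }
        }
        END {
            n = split("ENCRYPTIONTYPE ENCRYPTKEY INCLUDE.ENCRYPT", all, " ")
            for (i = 1; i <= n; i++)
                if (!(all[i] in seen)) report("MISSING " all[i] " in " sys)
            exit bad + 0
        }' "$1" "$2"
}

# Constructed sample: the dsm.opt from post #3 and a trimmed dsm.sys.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Servername  DM_TEST' 'encryptiontype AES256' \
        'encryptkey save' 'include.encrypt *' > "$d/dsm.opt"
    printf '%s\n' 'Servername DM_TEST' '*VM' 'VMCHost vcenter' \
        'encryptiontype AES256' 'encryptkey save' 'include.encrypt *' > "$d/dsm.sys"
    audit_enc_placement "$d/dsm.opt" "$d/dsm.sys"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

On the sample it flags lines 2 to 4 of dsm.opt, the same line numbers as the ANS1691I messages in post #3, plus the `encryptkey save` value in dsm.sys.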
 
