TSM for VE - Client side encryption

P-to-H

Hello community,

My job is to encrypt VM backups. But I don't know how.

I already used a lot of Google to find out how but so far I could only find the following pages:

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.6/client/r_opt_encryptkey.html
https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.4/client/c_bac_encryptunx.html
https://www.ibm.com/support/pages/encrypting-vmware-vm-backups

Now I seem to know that I have to set the options in dsm.sys:

encryptkey
include.encrypt *

However, when I start dsmc, I get the message that the entries are ignored.

Code:
# dsmc
ANS1691I  The option 'ENCRYPTKEY' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 3 is not supported and will be ignored by the client.
ANS1691I  The option 'INCLUDE.ENCRYPT' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 6 is not supported and will be ignored by the client.

Do any of you have any experience with encrypting VM data?

Our system information:
Red Hat 7.3
Command Line Backup-Archive Client Interface
Client Version 8, Release 1, Level 8.0
Server Version 8, Release 1, Level 6.200
Server is Running on AIX 7200-03-03-1914
 
Hi,
You need to specify
encryptiontype AES128 or AES256
encryptkey save, prompt or generate

For encryptkey:
save - you will be asked for a password, and it will be saved. You lose it, and all is gone
prompt - you are always asked for a password. Please store all the passwords you enter
generate - client and server will create a password, and it is stored on the tsm server

In a vmware environment, where you may have multiple data movers, I would be very careful about setting encryption passwords. Please test what happens if one dm backs up a vm, and another dm restores it.
I have not used encryption for TSMVE, so do not grab all of this as the final solution.

Good luck,
 
Hello Trident,

thank you for your explanation.
Unfortunately, the message is still coming.

Code:
ANS1691I  The option 'ENCRYPTIONTYPE' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 2 is not supported and will be ignored by the client.
ANS1691I  The option 'ENCRYPTKEY' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 3 is not supported and will be ignored by the client.
ANS1691I  The option 'INCLUDE.ENCRYPT' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 4 is not supported and will be ignored by the client.

IBM also gives different information on where to write the options. Sometimes it says that they belong in the dsm.sys and sometimes in the dsm.opt.

The message that the option is ignored only comes when I write it in the dsm.opt. If the options are in dsm.sys nothing happens.

Do you happen to know where the option really has to be?


Code:
# cat dsm.opt
Servername  DM_TEST
encryptiontype AES256
encryptkey save
include.encrypt *

Code:
# cat dsm.sys
Servername         DM_TEST
Nodename          DM_TEST
Asnodename        CLUSTER_TEST

TCPPort           1507
TCPADMINPort      1527
TCPServeraddress  tsm

*Password
  Passwordaccess        Generate
  PAssworddir           /usr/local/tsm

*ErrorLogPath + expiry period
  ErrorlogName          /var/tsm/dsmerror_ve.log
  ErrorlogRetention     8,D

*SchedLogPath + expiry period
  SchedlogName          /var/tsm/dsmsched_ve.log
  SchedlogRetention     8,D

*instrlogname
  Instrlogname          /var/tsm/dsminstr.log
  INSTRLOGMAX           20

*Network tuning
  TCPWindow             0
  TCPBuffsize           32
  TXNB                  10G
  TCPNode               yes

*Sched Parameter
webports               1552 1553
TCPClientport          1502
managedservices        schedule webclient

*VM
VMCHost                 vcenter
include.vmsnapshotattempts     "*" 0 4
VMMAXParallel                  40
VMLIMITPERDATASTORE            40
vmprocessvmwithindependent     yes
vmprocessvmwithprdm            yes
vmmaxvirtualdisks              999
vmctlmc                        meta
vmmc                           data

encryptiontype AES256
encryptkey save
include.encrypt *

Thanks a lot
 
Hello everybody,

in the meantime I have received an answer from IBM Support. For Linux, the options must be entered in the dsm.sys. Here was a mistake on my part.

Then for TSMfVE the option "encryptkey" must be set to "generate".

I'll try it. During this time, the support would also like to find a command with which you can check that the data is really encrypted (to calm down the customers :))
 
Hi,

furthermore it did not work to encrypt the backups.

IBM has now told me that encryption only works with "mode = FULL". However, this mode has been removed from Client 8.1. This means that encryption is no longer available.
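
A pre-flight check for the situation in this thread, where the client dropped the encryption options and carried on: it scans dsmc output for ANS1691I messages that name an encryption option. This is an added example, not part of the thread or IBM's tooling; the function names and the EXAMPLEOPT line are made up, and the message layout is assumed to match the lines quoted above.

```shell
#!/bin/sh
# Added example: fail a backup pre-flight when dsmc reports (ANS1691I) that it
# ignored an encryption option. Function names are hypothetical.

# Print "OPTION FILE LINE" for each ANS1691I message on stdin that names one
# of the three encryption options used in the thread.
ignored_encryption_options() {
    awk -F"'" '
        /^ANS1691I/ {
            opt = toupper($2)
            if (opt ~ /^(ENCRYPTKEY|ENCRYPTIONTYPE|INCLUDE\.ENCRYPT)$/) {
                n = $5
                sub(/^ at the line number: /, "", n)  # strip text before the number
                sub(/ .*/, "", n)                     # strip text after the number
                print opt, $4, n
            }
        }'
}

# Return 0 only if no encryption option was ignored; report hits on stderr.
check_dsmc_output() {
    hits=$(ignored_encryption_options)
    if [ -n "$hits" ]; then
        printf 'Encryption options ignored by the client:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the three messages quoted in the thread plus one
# made-up, unrelated option (EXAMPLEOPT) that must not trigger the check.
sample_output() {
    cat <<'EOF'
ANS1691I  The option 'ENCRYPTIONTYPE' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 2 is not supported and will be ignored by the client.
ANS1691I  The option 'ENCRYPTKEY' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 3 is not supported and will be ignored by the client.
ANS1691I  The option 'INCLUDE.ENCRYPT' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 4 is not supported and will be ignored by the client.
ANS1691I  The option 'EXAMPLEOPT' that was found in the options file '/opt/tivoli/tsm/client/ba/bin/dsm.opt' at the line number: 7 is not supported and will be ignored by the client.
EOF
}

# Live use would pipe real client output in instead of the sample,
# e.g.: dsmc query session 2>&1 | check_dsmc_output
sample_output | check_dsmc_output || echo "pre-flight: FAILED"
```

A clean result only shows that the client accepted the options; as the later posts in the thread report, that alone does not confirm the VM data is encrypted.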
 