TSM security

share1t

Hi, just a few questions about security in the TSM environment; I was hoping you kind gents might be able to help.
I use TSM 5.4.0.3 server and clients.
1. On the client it says 128-bit encryption is enabled. Does this happen automatically, or do you have to add include.encryption in the options file?
2. Can you read the disk pools with a hex editor?
3. Can you read the tapes without the TSM database?
Does anyone know of any other security flaws?
Cheers
 
If you enable encryption on the client, it encrypts all data being sent to the TSM server. You can optionally encrypt only certain files/directories by using the include.encryption setting. The diskpools are not encrypted and so could be read by a hex editor, but the data would be written to random diskpool volumes and you might only be able to understand one block of data at a time. If the client encrypted its data, then those data blocks are encrypted and unreadable. You can read TSM tapes without the database, but it is a stream of blocks of data which might not be in a readable order and, again, if the client encrypted its data it is still encrypted while on tape.

-Aaron
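As an added example, not from any poster in this thread, here is a client options fragment that shows the distinction the reply above draws: the encryption type setting only selects the algorithm, and data is actually encrypted only for objects matched by an include.encrypt statement (the option the thread spells include.encryption). The file system path is a placeholder, and the key mode is an assumed choice.

```text
* Added example, not from this thread. Unix client dsm.sys server stanza;
* on Windows the same options go in dsm.opt. Path is a placeholder.

* Selects the algorithm only. By itself this line encrypts nothing.
ENCRYPTIONTYPE AES128

* Data is encrypted only for objects matching an include.encrypt
* statement. Everything else is sent in the clear and lands on
* diskpool and tape volumes readable with a hex editor.
* "/.../" is the TSM include/exclude wildcard for all subdirectories.
INCLUDE.ENCRYPT /data/finance/.../*

* Where the key lives. SAVE keeps it in the local client password file
* (lose it and the backups are unreadable, as the reply above warns);
* PROMPT asks for it at each backup; GENERATE stores a generated key
* in the server database (the server-stored key the 5.5 post asks about).
ENCRYPTKEY SAVE
```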
 
2. Only if you have access to the disks/files. There is no reason to grant that access to anyone but TSM. You can run it as a service account. Don't forget to physically lock your storage location.
3. Of course you can. Since you can't physically secure your offsite tapes, esp. while in transit, weigh the risks and rewards, and consider drive encryption, now with 5.5 I believe an option with supported hardware.
 
Excuse my hijack of the thread...

Can you read tapes without the TSM DB and get something out of it?
If so, with what tool?

Thank you.
 
mt?

All you need is a dump of the tape; unless it's encrypted, sure, you can get something out of it.

Sore eyes mostly, probably.
 
Yes, you can read a non-encrypted data stream from a TSM volume. Will it make sense? Probably not. Could you, if given enough time and the complete set of stgpool tapes, reconstruct real data? Sure. Would it be worth it? Not likely.

If you know the structure in which TSM stores its data (a header block and then data blocks of fixed size), then you can dump the data blocks out and then sort them. Once sorted, you could recombine them to make a file. The amount of effort this would take is HUGE!!! But very possible.

If your data is so sensitive that you're worried about it happening, encrypt it on the TSM client. There is no way that it could be reconstructed at that point, even with the TSM DB. If you lose your client encryption key, the data is gone....forever....with no hope of ever reading it again.

-Aaron
 
Thanks for the info.
What I'd really like to know is:
I'm using client version 5.4.1.3, and in the authorisation tab in preferences there is an encryption type option which has 128 bit AES selected. Does this mean encryption is on, or do I have to use the include encryption option for it to be encrypted?
 
Thanks very much, I had been looking for this sort of thing but did not find it.
 
Thank you guys for the information about the TSM/security thing.

Quite an interesting thing, this.

I suppose it's a bigger issue, or more likely, that someone will use a backdoor on the fileservers to get the critical information that resides on the offsite tapes.

I'm quite happy that I'm not working with security/antivirus/fw etc.
 
Verifying Encryption Occurred

Just upgraded to TSM 5.5 Server on AIX. Staff are now in the process of upgrading clients to level 5.5.

1. With the encryption key stored in the TSM Database, is there a way to verify for each node that there is an encryption key stored? Is this action logged somewhere?

2. What is the easiest way to verify that encryption occurred for each node? Is this action logged somewhere?
 