Understanding Client Side Encryption - ISP 8.1.2

ILCattivo

ILCattivo

ADSM.ORG Senior Member
Joined
Jul 9, 2013
Messages
192
Reaction score
14
Points
0
Location
Oxford, United Kingdom
So I believe things have changed recently with the way Spectrum Protect 8.1.2 now handles client side encryption.

I have read various IBM KB's on the subject but still need to get my head around a few points..

If these are the settings within a client opt file... (Windows)

ENCRYPTKEY SAVE
ENCRYPTIONTYPE AES256
INCLUDE.ENCRYPT *:\...\*

  1. Does the encryption key file change each time a backup session is initiated (scheduled)?
  2. If I wanted to protect this encryption key file, what is it called (assuming it sits in the 'baclient' directory) and how often do I need to copy it off of the server where it currently resides? Am fully aware that losing an encryption key file due to a downed server can be catastrophic in terms of data recovery.

Thanks
 
ILCattivo said:
Does the encryption key file change each time a backup session is initiated (scheduled)?
Click to expand...
No because it's set to save, you are prompted the first time and it's saved in TSM.sth.
ILCattivo said:
If I wanted to protect this encryption key file, what is it called (assuming it sits in the 'baclient' directory) and...
Click to expand...
https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.2/client/c_secure_pwd.html

ILCattivo said:
how often do I need to copy it off of the server where it currently resides?
Click to expand...
If you lose the file, but know the encryption key, you can still restore without the file.
 
Just a small commecnt.

.sth is a stashed password file that unlocks a .kdb file, while .idx is a index file.
 
Trident said:
Just a small commecnt.

.sth is a stashed password file that unlocks a .kdb file, while .idx is a index file.
Click to expand...

While the 'IBM 8.1.2' link provided by marclant specifies these files named as 'TSM.' having tested this today these files are nowhere to be found within the 'baclient' directory?

Instead all 3 are located here 'C:\ProgramData\Tivoli\TSM\baclient\Nodes\DEMO\ISPServer' <--- Protected by the OS & hidden.

Having applied the key password today, this morning - 10/11/2017 (British date format), only TSM.IDX & TSM.KDB have a modification date of the time I applied the key password. TSM.STH has a modification date of 2 days ago?

So consider the following scenario based on what I found above.. If the user who set the original key password forgets or mislays it. Will he\she require all 3 of these files within the above location in order to get to the encrypted data to restore it, in the event that a particular client server had to be rebuilt from scratch and the ISP 8.1.2 BA Client re-installed a fresh?
 
Unless they remember the encryption key they typed and the node password, the latter can be reset.

Also, not sure it will work to just copy the file of restoring from a different machine, ie different hostname which may be needed in some DR scenarios.

Worth testing
 
marclant said:
Unless they remember the encryption key they typed and the node password, the latter can be reset.

Also, not sure it will work to just copy the file of restoring from a different machine, ie different hostname which may be needed in some DR scenarios.

Worth testing
Click to expand...

And these are exactly the questions I am being asked. These DR scenarios can be a bit of a faff to test when the actual production client server is still LIVE and thus changing NODE passwords restoring from a different host to test it will result in a mismatch of node passwords between the ISP Server and original prod client server.

Best probably to do this kind of testing in an isolated lab, doesn't help when a paranoid customer wants to test the scenario himself though.

Thanks marclant
 
ILCattivo, just wondering if you did any more testing...

Ok, so let's say I have "ENCRYPTKEY generate" in my client's dsm.opt file along with the other requisite encrypt statements. I perform encrypted client backups and restores and I never know the encryption key password. Life is good. Then one day the client fails to boot and we need to perform a bare metal restore. How will this be possible?
 
Trident, thanks for the reply. I was under the impression that the encryption/decryption process required a sharing of keys/passwords between the client and the server. I guess that is only if I use 'save' or 'prompt' with encryption.

So if I am using 'generate' for a client, and a hacker gains access to my TSM server (and TSM) they can easily setup a client and impersonate my encrypted client, then restore all of the encrypted files to his imposter client. I am trying to prevent this without having to save/store passwords for clients.
 
You must log in or register to reply here.

Data Privacy Impact Assessment

Compliance Assurance in Every Byte: Discover the Impact of Our DPIA Services.

Sponsor ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

Navigation Menu

Forums
   IBM TSM
   EMC Backup and Recovery
   Symantec NetBackup  
   SAN  
   NAS
   Platforms / OS
Mailing List Archives
   ADSM-L
User Groups

NordVPN 3 Months FREE

Help Support ADSM.ORG and Get NordVPN with 64% Off and 3 Months FREE.

NordVPN with 64% off + 3 months FREE

Forum statistics

Threads
31,968
Messages
135,434
Members
21,947
Latest member
dylbrawn
Back
Top