ADSM-L

Re: Using tsm-encryption and want to change the hostname at the Client

2006-07-31 18:00:36
Subject: Re: Using tsm-encryption and want to change the hostname at the Client
From: Alexei Kojenov <kojenova AT US.IBM DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 31 Jul 2006 14:57:44 -0700
Rainer,

Your data is always encrypted with the key generated from the password that
you enter, regardless of the hostname. The hostname is only used to store
the password locally. For example,

1) Let's say the hostname is 'mercury'
2) You run your first backup and are prompted for encryption key password.
Let's say you enter 'secret'
3) The string 'secret' is encrypted with 'mercury' and is stored in TSM.PWD
4) The data are encrypted with 'secret'.
5) On the next backup, the stored password is retrieved from TSM.PWD and
decrypted with 'mercury', and 'secret' is used for data backup.

6) Let's say you change the hostname to 'venus' and delete/rename existing
TSM.PWD
7) TSM prompts you for encryption key password and you enter 'secret'
again.
8) 'secret' is encrypted with 'venus' and is stored in TSM.PWD (note,
TSM.PWD will binary differ from the one from step 3, because the key, which
is dependent on hostname, is different)
9) The data are encrypted with 'secret' (the same as in step 4, regardless
of hostname).
10) On the next backup, stored password is decrypted with 'venus', and the
same password 'secret' is used for backup.

So you shouldn't worry about validity of your old backups as long as you
use the same encryption password and you deleted/renamed TSM.PWD when
changing the hostname.

The problems come when someone changes the hostname but does not delete
TSM.PWD. In the example above, a backup following the hostname change will
try to decrypt stored password with 'venus' and will get an incorrect
result (because 'secret' was originally encrypted with 'mercury'!), so the
new backups will be using some garbage encryption key, and it would be
really hard to restore the new data correctly if TSM.PWD is lost or if the
restore happens on a different machine.

Alexei


"ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 07/27/2006 06:31:17 AM:

> Hi Alexei,
>
> thanks for your hint - now i come with a new question concerning the
> 'restore' :
> Because nothing changes other than the 'hostname' of that linux system ...
> ... what about the data that has been backed up prior to the time
> I rename the hostname and reenter the 'encryption key password' ?
>
> Because I stay with 'encryptkey save' what happens when (some time)
> I may do a full restore of the '/home/' -Filespace ?
>
> Because this Filespace '/home/'  has data backed up that is encrypted
> with both encryption-key-usage of the old and the new 'hostname'
> ( but always the same 'tsm-Nodename' )
> ... will I be able to restore (and decrypt) all of it ?
>
> ... i fear to go into problems - Or do I have to start backup again
> from 'zero' - for example :
> by renaming  the filespace on the server
> at the time changing the hostname ?
>
> Thanks again for any hints !
> -- that is something really confusing to me :-|
>
> Rainer
>
>
>
> Alexei Kojenov schrieb:
>
> > Rainer,
> >
> > You need to make TSM client prompt you for encryption key password on the
> > next backup after you changed the hostname. The only way to do this is to
> > rename/remove the existing TSM.PWD file (this is the file where TSM client
> > stores its passwords). You should rename this file rather than delete it,
> > in case you have problems and want to revert.
> >
> > Alexei
> >
> > -----------------------
> >
> > Dear TSmers,
> >
> > we have tsmserver 5.3.3.2 /solaris and tsm-Client 5.3.4.0 /linux.
> >
> > On the Client we use tsm-encryption :
> > The 'nodename' Option is set in the dsm.sys and also the
> > 'encryptkey save' Option is set and 'encryptiontype AES128' is also set.
> > The inclexc-File contains a line like 'include.encrypt *'
> > So far anything runs fine :-)
> >
> > Problem: Next week we have to change the 'hostname' of that linux-server.
> > The Question now is : - if any - what steps are to be done at the
> > tsm-Client ?
> > ... and even at the tsm-server ?
> > The (tsm)nodename won't be changed.
> > Do I need the TSM-Client in a manual way give once again the
> > encryption-key password to let the encryption-key be generated ?
> > Or is there nothing to be done at the Client ?
> >
> > I have looked through the lists and docs and haven't found any
> > 'procedures' for that scenario - just pointers to dependencies on the
> > system's hostname.
> >
> > Thanks in advance for any hints , recipe or links ... !
> > Rainer
> >
> >
> > --
> > ------------------------------------------------------------------------
> > Rainer Wolf                          eMail:       rainer.wolf AT uni-ulm DOT de
> > kiz - Abt. Infrastruktur           Tel/Fax:      ++49 731 50-22482/22471
> > Universitaet Ulm                     wwweb:        http://kiz.uni-ulm.de
> >
> >
>
> --
> ------------------------------------------------------------------------
> Rainer Wolf                          eMail:       rainer.wolf AT uni-ulm DOT de
> kiz - Abt. Infrastruktur           Tel/Fax:      ++49 731 50-22482/22471
> Universitaet Ulm                     wwweb:        http://kiz.uni-ulm.de
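
The ten steps in Alexei's reply and the stale-TSM.PWD failure, modelled as an added example (not code from the post or from IBM). The XOR keystream, PBKDF2 derivation and salt are constructed stand-ins, not the real TSM algorithms; the hostnames and password are the ones used in the reply. `wrap_checked`/`unwrap_checked` are a hypothetical contrast showing how an integrity tag would turn the silent garbage key into an error.

```python
import hashlib
import hmac

def _keystream(hostname: str, n: int) -> bytes:
    # Stand-in for the hostname-dependent key; NOT the real TSM algorithm.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(hostname.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def wrap(password: bytes, hostname: str) -> bytes:
    """Steps 3 and 8: obscure the password under the hostname (model of TSM.PWD)."""
    return bytes(a ^ b for a, b in zip(password, _keystream(hostname, len(password))))

def unwrap(stored: bytes, hostname: str) -> bytes:
    """Steps 5 and 10: no integrity check, so a wrong hostname returns garbage."""
    return wrap(stored, hostname)  # XOR is its own inverse

def data_key(password: bytes) -> bytes:
    """Steps 4 and 9: the data key depends only on the password (16 bytes, AES-128)."""
    return hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 1000, dklen=16)

def _tag(password: bytes, hostname: str) -> bytes:
    mac_key = hashlib.sha256(b"tag:" + hostname.encode()).digest()
    return hmac.new(mac_key, password, hashlib.sha256).digest()

def wrap_checked(password: bytes, hostname: str) -> bytes:
    """Hypothetical contrast: prepend a tag so a hostname mismatch is detectable."""
    return _tag(password, hostname) + wrap(password, hostname)

def unwrap_checked(stored: bytes, hostname: str) -> bytes:
    tag, password = stored[:32], unwrap(stored[32:], hostname)
    if not hmac.compare_digest(tag, _tag(password, hostname)):
        raise ValueError("stored password does not belong to this hostname")
    return password

def scenario() -> dict:
    pwd_file = wrap(b"secret", "mercury")              # first backup on 'mercury'
    original = data_key(unwrap(pwd_file, "mercury"))
    # Hostname changed, TSM.PWD removed, 'secret' re-entered (steps 6 to 10).
    clean = data_key(unwrap(wrap(b"secret", "venus"), "venus"))
    # Hostname changed, old TSM.PWD left in place: the failure case.
    stale = data_key(unwrap(pwd_file, "venus"))
    return {"original": original, "clean": clean, "stale": stale}
```

`scenario()` returns the same data key for `original` and `clean`, and a different one for `stale`, which is the key the post-rename backups would silently be encrypted with.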
