ADSM-L

Re: [ADSM-L] Drive Encryption (3592)

2008-04-15 09:13:14
Subject: Re: [ADSM-L] Drive Encryption (3592)
From: "Strand, Neil B." <NBStrand AT LMUS.LEGGMASON DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 15 Apr 2008 09:12:26 -0400
Boris,
    Library managed encryption is controlled by the TS3500 library
communicating with the Encryption Key Manager application and TSM has no
awareness of any encryption occurring.  No TSM configuration is required
when performing library managed encryption.
   I strongly recommend that you review the following:
IBM Encryption Key Manager Intro, Planning and User Guide (GA76-0419)
IBM Tape device Drivers Encryption Support (GA32-0565)
IBM TSM Building a Secure Environment (Redbook SG24-7505)
IBM System Storage TS1120 Tape Encryption: Planning, Implementation and
Usage Guide (Redbook SG24-7320)
IBM Tape Encryption for TS1120 and IBM Ultrium 4 Tape Drives (TechDoc,
Rolf Hahn)

   Plan to spend a few weeks setting up your key management, testing and
documenting key management policies and procedures.  Also verify the
recovery procedure if you accidentally lose or destroy a key (hint -
monster.com)

   An advantage to library managed encryption is that your security
group can be responsible for managing the encryption keys with almost
no TSM expertise required.  Additionally, a different application (not
TSM) could write encrypted data to a tape with no dependence on TSM
(other than temporarily marking that drive unavailable and ensuring the
tape is not a TSM tape).

   Have you considered encrypting every tape in the library?  It may
simplify your media management.  The performance hit of encrypting on a
TS1120 is almost nil.

Cheers,
Neil Strand
Storage Engineer - Legg Mason
Baltimore, MD.
(410) 580-7491
Whatever you can do or believe you can, begin it.
Boldness has genius, power and magic.


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Herrmann, Boris
Sent: Tuesday, April 15, 2008 7:41 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Drive Encryption (3592)

Hello,
again, I've a question regarding drive encryption. Our environment:

TSM Server 5.4.1.2 (AIX 5.3)
TS3500 tape library with 3592 Drives

In the near future, our old 3592 Drives will be replaced with newer ones
(3592) which have the hardware drive encryption capability.
Our plan is to use the encryption only for our COPYSTORAGE POOLS , TSM
DB BACKUPS and EXPORTS (using "library encryption" method).

We want to create two DEVCLASSES: DEV3592 and DEV3592_ENC

If I understand the option DRIVEEncryption correctly it is not possible
to use both (TAPEPOOL without encryption) and (COPYPOOL with encryption)
because either one will fail with "library method"? If we use ALLOW for
DEV3592_ENC => encryption will work (for our COPYPOOLS). But when we use
OFF for our DEV3592 (TAPEPOOL) => backup will fail with method Library
Encryption? So how is it possible to use both?

Any help or tips are appreciated.

With kind regards,
Boris


