In the given example for Oracle, all encryption keys are kept in the TSM database.
So you will be able to decrypt data only if you have restored the TSM database. It
is logical, because after losing the TSM database you are losing everything. I
heard there are some tools to read TSM backups from tapes without a TSM Server.
Of course you couldn't use them in case of encryption. We have tested DR
solutions based on SAN online mirroring for the TSM database and based on restoring
the TSM database from backup tapes. In both cases there were no problems with encrypted
data. I think maintaining encryption keys in the TSM database is the best way. TSM
supports different ways of keeping encryption keys, but they are much more
complicated and, in my opinion, dangerous from a data loss point of view.
Grigori G. Solonovitch
Senior Technical Architect
Information Technology Bank of Kuwait and Middle East http://www.bkme.com
Phone: (+965) 2231-2274 Mobile: (+965) 99798073 E-Mail: G.Solonovitch AT bkme
DOT com
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Fred Johanson
Sent: Tuesday, January 12, 2010 5:36 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Excrypting Exchange Data
Del, Grigori,
Thank you, this is very useful, especially as the subject was brought up in a
meeting yesterday afternoon. What I couldn't answer then is whether it is
possible to decrypt an ORACLE backup on a different machine, two possible
instances being if the machine dies can the files be restored on a rebuilt
machine or if the machine is retired are the backups available on the
replacement with new name or OS?
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Grigori Solonovitch
Sent: Tuesday, January 12, 2010 6:16 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Excrypting Exchange Data
Unfortunately, I have no experience in encrypting TDP for Exchange backups.
For Oracle database we are using:
1) in dsm.sys:
Encryptiontype AES128
Encryptkey generate
InclExcl /backup/tsm/ba/InclExcl.list
2) in Include/Exclude list:
include /ifns_ifns/.../* DBLPAR05
3) from activity log:
ANE4991I (Session: 2536, Node: LPAR05_ORA) TDP Oracle AIX
ANU0599 TDP for Oracle: (4997220): =>(LPAR05_ORA)
ANU2526I Backup details for backup piece
/ifns_ifns///LPAR05/ifns.11.1.54535.1.708019250 (database "IFNSDB").
Total bytes sent: 6077546496.
Total processing time: 00:08:05.
Throughput rate: 12237.33Kb/Sec.
Compressed: Yes , 59%.
Encryption: AES_128BIT.
LAN-Free: No.
Grigori G. Solonovitch
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Stefan Folkerts
Sent: Tuesday, January 12, 2010 2:58 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Excrypting Exchange Data
What is supposed to be a walk in the park (when reading the very limited amount
of documentation on encryption in the protection for mail (exchange)
documentation) is turning into a little bit of a headache. :)
I currently have my Exchange dsm.opt set up like this:
enableclientencryptkey yes
encryptiontype AES128
INCLUDE.ENCRYPT *\...\*
Also tried:
include.encrypt "SERVERNAME\First Storage Group\...\*"
Doesn't change the situation, it still doesn't work.
I get NO request for key input. I am 100% sure this has not been done before, and I
cannot seem to see my error here. Please, somebody point me at the error in my
ways!
It would be great if somebody could post his dsm.opt file for an encrypted
Exchange server.
Regards,
Stefan