ADSM-L

Re: [ADSM-L] Excrypting Exchange Data

2010-01-13 01:21:09
Subject: Re: [ADSM-L] Excrypting Exchange Data
From: Grigori Solonovitch <G.Solonovitch AT BKME DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 13 Jan 2010 08:11:55 +0300
In the given example for Oracle all encryption keys are kept in TSM database. 
So you will be able to decrypt data only if you have restored TSM database. It 
is logical, because after losing TSM database you are losing everything. I 
heard there are some tools to read TSM backups from tapes without TSM Server. 
Of course you couldn't use them in case of encryption. We have tested DR 
solutions based on SAN online mirroring for TSM database and based on restoring 
TSM database from backup tapes. In both cases there were no problems with encrypted 
data. I think maintaining encryption keys in TSM database is the best way. TSM 
supports different ways of keeping encryption keys, but they are much more 
complicated and, in my opinion, dangerous from a data loss point of view.



Grigori G. Solonovitch
Senior Technical Architect
Information Technology  Bank of Kuwait and Middle East  http://www.bkme.com
Phone: (+965) 2231-2274  Mobile: (+965) 99798073  E-Mail: G.Solonovitch AT bkme DOT com




-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
Fred Johanson
Sent: Tuesday, January 12, 2010 5:36 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Excrypting Exchange Data



Del, Grigori,

Thank you, this is very useful, especially as the subject was brought up in a 
meeting yesterday afternoon.  What I couldn't answer then is whether it is 
possible to decrypt an ORACLE backup on a different machine, two possible 
instances being if the machine dies can the files be restored on a rebuilt 
machine or if the machine is retired are the backups available on the 
replacement with new name or OS?

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
Grigori Solonovitch
Sent: Tuesday, January 12, 2010 6:16 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Excrypting Exchange Data

Unfortunately, I have no experience in encrypting TDP for Exchange backups.

For the Oracle database we are using:

1) in dsm.sys:

   Encryptiontype         AES128
   Encryptkey               generate
   InclExcl                    /backup/tsm/ba/InclExcl.list

2) in Include/Exclude list:

include /ifns_ifns/.../* DBLPAR05

3) from activity log:

ANE4991I (Session: 2536, Node: LPAR05_ORA)  TDP Oracle AIX
ANU0599  TDP for Oracle: (4997220): =>(LPAR05_ORA)
ANU2526I Backup details for backup piece /ifns_ifns///LPAR05/ifns.11.1.54535.1.708019250 (database "IFNSDB").
Total bytes sent:         6077546496.
Total processing time: 00:08:05.
Throughput rate:         12237.33Kb/Sec.
Compressed:       Yes , 59%.
Encryption:         AES_128BIT.
LAN-Free:          No.

Grigori G. Solonovitch








-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
Stefan Folkerts
Sent: Tuesday, January 12, 2010 2:58 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Excrypting Exchange Data

What is supposed to be a walk in the park (when reading the very limited amount 
of documentation on encryption in the protection for mail (exchange) 
documentation) is turning into a little bit of a headache. :)

I currently have my Exchange dsm.opt set up like this:

enableclientencryptkey yes
encryptiontype AES128
INCLUDE.ENCRYPT *\...\*

Also tried:

include.encrypt "SERVERNAME\First Storage Group\...\*"

Doesn't change the situation, it still doesn't work.

I get NO request for key input, I am 100% sure this has not been done before and I 
cannot seem to see my error here. Please somebody point me at the error in my 
ways!

It would be great if somebody could post his dsm.opt file for an encrypted 
Exchange server.

Regards,

  Stefan

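An added example, not part of the thread and not IBM code: a small Python audit of the option-file lines quoted above, reporting where the encryption key is kept (which decides whether a restored TSM database is enough to decrypt) and whether a key prompt should be expected. The function names and the mapping of `encryptkey` / `enableclientencryptkey` values to key locations are this example's assumptions about the documented client option semantics; the sample inputs are constructed from the thread.

```python
# Constructed samples, built from the option lines quoted in the thread.
SAMPLE_EXCHANGE_OPT = "\n".join([
    "* Exchange dsm.opt",
    "enableclientencryptkey yes",
    "encryptiontype AES128",
    r"INCLUDE.ENCRYPT *\...\*",
])
SAMPLE_ORACLE_SYS = "\n".join([
    "Encryptiontype         AES128",
    "Encryptkey               generate",
    "InclExcl                    /backup/tsm/ba/InclExcl.list",
])

def parse_options(text):
    """Map lower-cased option name -> list of values; '*' starts a comment line."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("*"):
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def audit(text):
    """Report key location, prompt expectation and include.encrypt coverage."""
    opts = parse_options(text)
    last = lambda name: (opts.get(name) or [""])[-1]   # last setting wins (assumption)
    transparent = last("enableclientencryptkey").lower() == "yes"
    keymode = last("encryptkey").lower()
    if transparent and keymode in ("prompt", "save"):
        key_location = "conflict"        # two key modes requested: review by hand
    elif transparent or keymode == "generate":
        key_location = "tsm_server"      # generated key, kept in the TSM database
    elif keymode == "save":
        key_location = "client_local"    # stored on the client after a first prompt
    elif keymode == "prompt":
        key_location = "operator"        # typed in for every backup and restore
    else:
        key_location = "unspecified"     # client default applies
    patterns = [v.strip('"') for v in opts.get("include.encrypt", [])]
    findings = []
    if last("encryptiontype").lower() == "des56":
        findings.append("DES56 selected: use AES")
    if not patterns:
        where = last("inclexcl") or "nowhere in this file"
        findings.append("no include.encrypt here; check " + where)
    return {"key_location": key_location,
            "expects_key_prompt": key_location in ("client_local", "operator"),
            "encrypt_patterns": patterns, "findings": findings}
```

For both samples the key location comes back as `tsm_server` with no prompt expected; the Oracle sample is additionally flagged because its `include.encrypt` rules, if any, live in the referenced InclExcl file rather than in dsm.sys.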