ADSM-L

Re: [ADSM-L] Implementing Encryption

2013-04-04 12:37:27
Subject: Re: [ADSM-L] Implementing Encryption
From: Zoltan Forray <zforray AT VCU DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 4 Apr 2013 12:35:13 -0400
Wanda,

As always, thanks for the detailed explanation.  However, it brings up lots
of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way
we would go.

>>> You set the encryption mode on the library to library-managed. The EKM
has to be run on a server.  It is a pay-for product.

Huh?  I downloaded EKM from the IBM FTP site.  It is Java based and nobody
ever said anything about paying for it?  As I understand it, in this
scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM
server" has to talk to the tape library to get the keys from it
(DRIVEE=ALLOW).  When Googling, in one doc/comment we saw, the person simply
installed it on the TSM server.  My question: since I am running 7 servers,
do I need multiple instances - one per TSM server - or just one and it gets
everything from the 3494?   I am confused......

>>> High learning curve.  Lots of testing required to make sure you can
recover.

Agreed.  We are still digging through the docs on just installing and
implementing EKM and who connects to who and where......

>>> You have to be careful about protecting the EKM; you have to recover
the EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the
tapes are stored and daily each production TSM server does a DB backup to
the offsite TSM server.

>>> But with the EKM, your security group can control the key management,
certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET
tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on
how all the pieces connect - I have never dealt with encryption.....


On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda <Wanda.Prather AT icfi DOT com> wrote:

> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server.  It is a pay-for product.
> But the cost of the software is trivial compared to the implementation
> cost.
> High learning curve.  Lots of testing required to make sure you can
> recover.
>
> You have to be careful about protecting the EKM; you have to recover the
> EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR
> situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management,
> certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>




--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zforray AT vcu DOT edu - 804-828-4807