ADSM-L

Re: [ADSM-L] Implementing Encryption

2013-04-04 13:59:36
Subject: Re: [ADSM-L] Implementing Encryption
From: Zoltan Forray <zforray AT VCU DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 4 Apr 2013 13:55:59 -0400
Thanks - that clears things up - a little bit - My question is, will the
older EKM work with the TS3500?  From what I have read in the TS3500
Planning Guide, it seems to imply it will.

On Thu, Apr 4, 2013 at 1:01 PM, Mike De Gasperis <mike.degasperis AT wowway DOT com> wrote:

> Forgot to include this link from IBM regarding their EKM support.
>
> http://www-01.ibm.com/support/docview.wss?uid=ssg1S4000504
>
>
> ----- Original Message -----
> Wanda,
>
> As always, thanks for the detailed explanation. However, it brings up lots
> of questions.
>
> >>> With externally-managed encryption, the keys are managed by the EKM.
>
> Since this would be hardware-based and encrypts everything, this is the way
> we would go.
>
> >>> You set the encryption mode on the library to library-managed. The EKM
> has to be run on a server. It is a pay-for product.
>
> Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody
> ever said anything about paying for it? As I understand it, in this
> scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM
> server" has to talk to the tape library to get the keys from it
> (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply
> installed it on the TSM server. My question, since I am running 7 servers,
> do I need multiple instances - one per TSM server or just one and it gets
> everything from the 3494? I am confused......
>
> >>> High learning curve. Lots of testing required to make sure you can
> recover.
>
> Agreed. We are still digging through the docs on just installing and
> implementing EKM and who connects to who and where......
>
> >>> You have to be careful about protecting the EKM; you have to recover
> the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
>
> More like a "lukewarm site" - I have an offsite vault/TSM server where the
> tapes are stored and daily each production TSM server does a DB backup to
> the offsite TSM server.
>
> >>> But with the EKM, your security group can control the key management,
> certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET
> tapes can be encrypted.
>
> This totally throws me off - I really need a "paint by numbers" diagram on
> how all the pieces connect - I have never dealt with encryption.....
>
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda <Wanda.Prather AT icfi DOT com> wrote:
>
> > With externally-managed encryption, the keys are managed by the EKM.
> > TSM doesn't know it's happening.
> > You set the encryption mode on the library to library-managed.
> > The EKM has to be run on a server. It is a pay-for product.
> > But the cost of the software is trivial compared to the implementation
> > cost.
> > High learning curve. Lots of testing required to make sure you can
> > recover.
> >
> > You have to be careful about protecting the EKM; you have to recover the
> > EKM at a DR site before you can read your tapes.
> > (If you have a hot site, better to share the keys between the libraries.)
> > It is possible (not likely, but possible) to get yourself in a DR
> > situation where NOBODY, including IBM, can read those encrypted tapes.
> > Test, test, CYA, test.
> > But with the EKM, your security group can control the key management,
> > certificate changing, etc.
> > And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
> >
>



--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zforray AT vcu DOT edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html