>> What could a customer do for DR of a client which lost its encryption key
and needed to restore data from the TSM backup (encrypted)? <<
Start guessing, I suppose. Other than that, they would be out of luck.
Like I said below:
"someone intercepting the TSM server database and storage pool volumes
could not restore the data without the encryption key (unless they can
hack it, but then any encryption scheme is subject to hacking)."
While that was presumably in the context of someone illegitimately trying
to access the data, that isn't really pertinent. No matter who is trying
to access the data, legitimate or not, they won't be able to get the data
without the encryption key. There is nothing we at IBM can do to get the
data back, as we build no "back doors" into the product (if we did, that
would be a potential security issue).
Someone else made a post on this topic and mentioned something about
encryption key management. I am not familiar with the formalities of this
discipline, but it seems to me that if you are going to start encrypting
your TSM data, you should consider implementing policies for managing
encryption keys.
Regards,
Andy
Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: [EMAIL PROTECTED]
The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.
"Joshua S. Bassi" <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
04/03/2002 16:28
Please respond to "ADSM: Dist Stor Manager"
To: [EMAIL PROTECTED]
cc:
Subject: RE: don´t aynone know anything about Encryption in TSM.
Andy,
What could a customer do for DR of a client which lost its encryption
key and needed to restore data from the TSM backup (encrypted)?
--
Joshua S. Bassi
Sr. Solutions Architect @ rs-unix.com
IBM Certified - AIX/HACMP, SAN, Shark
Tivoli Certified Consultant- ADSM/TSM
Cell (415) 215-0326
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Raibeck
Sent: Tuesday, April 02, 2002 7:45 AM
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.
There is no additional encryption performed by the TSM server. The
encrypted data sent by the client remains, of course, encrypted when it
is copied to a copy storage pool or backup set (or anywhere else in the
TSM hierarchy).
Files that were encrypted when they were backed up cannot be restored
without the encryption key. The encryption key is not stored on the TSM
server. Therefore, someone intercepting the TSM server database and
storage pool volumes could not restore the data without the encryption
key (unless they can hack it, but then any encryption scheme is subject
to hacking).
Except for TSM client encryption, there are no other TSM-enabled means
of encrypting the data.
Regards,
Andy
Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: [EMAIL PROTECTED]
The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.
Pétur Eyþórsson <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
04/02/2002 07:57
Please respond to "ADSM: Dist Stor Manager"
To: [EMAIL PROTECTED]
cc:
Subject: RE: don´t aynone know anything about Encryption in TSM.
My question was concerning 2 things.
If you use Encryption, can't people who get a hold of the TSM Database
and the Copy Storage Pools restore the data, whether the data was backed
up with Encryption or not?
If you make a backup set from the data backed up, is there Encryption on
that data? If not, is it possible to make the backup sets more secure?
I have read about Encryption, which says that the data is Encrypted
before the data is sent on the TSM Server. I haven't read anything about
Encryption on the actual TSM server data, whether the data uses
encryption there or not. It does not matter if the data is Encrypted on
the way to the TSM, it only matters if I can secure the data offsite?
And I haven't read anything about that in TSM, only about Encryption in
TSM for clients.
Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37 105 Iceland
URL: http://www.nyherji.is
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Martin, Jon R.
Sent: 2. apríl 2002 14:36
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.
In Petur's defense, I think he is trying to say he could not find
anywhere that specifically said "data in a Seq. Access Storage Pool,
that goes offsite will be encrypted." I can't see where he says he read
a document that says it is not encrypted.
Jon
-----Original Message-----
From: Jack Magill [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.
Hi, I was just wondering where you found the information stating that
the data was only protected on the way to the server, but not on the
server. Encryption is done by the client using an encryption key that it
creates, and since the key is never passed from client to server, there
is no way for the server to de-crypt the data before storage.
Please let me know, as I would like to look at the documentation.
Jack
>
> From: Pétur Eyþórsson <[EMAIL PROTECTED]>
> Date: 2002/04/02 Tue AM 07:04:45 EST
> To: [EMAIL PROTECTED]
> Subject: don´t aynone know anything about Encryption in TSM.
>
> Hi, I have posted this 2 times before here but haven't received a reply
> yet. This led me to believe that knowledge on this is very limited.
>
> I have a big customer who is considering TSM for their backup system.
> However, they will be needing to take some of their backup offsite.
> They have extremely valuable data which may not get in the wrong hands.
>
> I have been reading up on Encryption in TSM and found it to be only
> designed to protect the data on the way to the TSM server. I found no
> info on whether the data would be Encrypted in the storage pools.
>
> My question.
>
> Is it possible to make a Backupset, and be sure no-one can use it if it
> gets in the wrong hands (Encrypt it somehow)?
> How can an administrator be sure that no-one can restore his
> copy-storage-pools? Is it possible to encrypt the data somehow?
> Is it possible to password protect the TSM Database, so that you can't
> restore it without a password?
>
>
> What way can they take offsite backup and be sure that their data is
> safe, even if the bad guys get the tapes?
>
> Thanks in advance for any help.
>
> Kvedja/Regards
> Petur Eythorsson
> Taeknimadur/Technician
> IBM Certified Specialist - AIX
> Tivoli Storage Manager Certified Professional
> Microsoft Certified System Engineer
>
> [EMAIL PROTECTED]
>
> Nyherji Hf Simi TEL: +354-569-7700
> Borgartun 37 105 Iceland
> URL: http://www.nyherji.is
>
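
Added example, not part of the original thread: a sketch of the client options behind the TSM client encryption discussed above, annotated with what each key-handling choice means for the lost-key DR question. The file pattern is constructed, and the placement of the options (dsm.opt, or dsm.sys on UNIX clients) is an assumption to check against the documentation for your client level.

```text
* Constructed sample of TSM backup-archive client options.
* Lines starting with an asterisk are comments.

* Files are encrypted by the client only if they match an
* include.encrypt pattern. Everything else is sent unencrypted and is
* readable by anyone who obtains the storage pool volumes.
include.encrypt /data/payroll/*

* How the encryption key password is handled. Pick one.

* save: the key password is stored locally on the client. If the client
* machine is lost, that stored copy is lost with it. The TSM server
* holds no copy, so a restore to a rebuilt client needs the key from
* somewhere else (for example a sealed record kept with the DR plan).
encryptkey save

* prompt: nothing is stored. The user is asked for the key password and
* must supply the same one at restore time. A forgotten key password
* means the encrypted backups cannot be restored.
* encryptkey prompt
```

Whichever setting is used, a DR test restore of an encrypted file onto a machine other than the original client shows whether the recorded key is actually usable.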