From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] On Behalf Of William Boyer
>I have a client that is trying to set up encryption for some
>files. TSM 5.3 client:
>
>ENCRYPTIONTYPE AES128
>
>ENCRYPTKEY SAVE
>
>The first time he used the GUI to back up the files he was
>prompted, but there was no indication that the INCLUDE.ENCRYPT
>files were encrypted.
>
>Is there a way to see from the backup (DSMSCHED.LOG with
>VERBOSE) that files were encrypted? This client is a bank and
>he needs to "prove" to the auditors that files are being
>encrypted. After the Bank of America tape loss incident, the
>auditors are understandably nervous.

The easiest way (in fact, the only way I know how) to prove the file is encrypted is to attempt to restore the file to an alternate server; the TSM client will request the encryption key, and will not perform the restore without it.

The machine that owns the file has the encryption key embedded in the Windows registry. That is why, when you restore the file to the original machine, the restoration decryption is transparent. That is also why, when you restore the file to the original machine after it has been rebuilt, the encryption key is requested.

If the transparent restore makes the auditors nervous, have the customer remind the auditors that loss of control of the server console makes any security impossible. It would also behoove all of us to be reminded that, once a TSM client password becomes known to (or is guessed by) malefactors, encryption and data security are greatly compromised.

--
Mark Stapleton ([EMAIL PROTECTED])
Office 262.521.5627
