There are a couple of options here. First, there are software based encryption and then there are hardware based devices. With hardware based devices; you need to make sure there are similar devices at your DR location if used for backup (the main purpose of tape of course). And you have the issue of key management (true key management means not using one key for a year and then generating another one for next year). Both IBM and Oracle/Sun/STK have devices that fall into this category. And while it is not required to replace all your tape units; encrypted data can only be read on encryption-enabled devices. So while the media might be the same as what you currently have; device selection might become an issue if you don't replace all devices.
Software based encryption falls into two categories; application based and generic. An application based encryption product means that you create a file; copy it with the application to an encrypted tape. Then, at DR you read the tape file with the application again to decrypt the data to a decrypted file and then read the decrypted file. Rather time-consuming. Though some applications do have an interface directly to DFDSS or FDR (which makes those backups much easier); but DB2 backups would still need to be copied and re-copied. Again, IBM has a product here as does Megacryption and Innovation. The encryption process is done in the main CPU, so CPU usage does increase. Last is generic software encryption (CA Tape Encryption) that allows any tape file to be encrypted as it is originally written to tape and decrypted by whatever application attempts to read the tape (no need to copy the data). It does use more CPU cycles, but was one of the early exploiters of the zIIP (so if you have a zIIP it will use those CPU cycles). The upside is no need to replace physical tape devices at either the home location or at DR. The downside is the CPU cycles if you don't have a zIIP. Russell Witt CA L2 Support Manager -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]]on Behalf Of MONTERO ROMERO, ENRIQUE ELOI Sent: Wednesday, February 17, 2010 9:39 AM To: [email protected] Subject: DFSMSrmm Tape encryption Hi team, I mean, we are evaluating the way to encrypt the data saved into cartridges or tapes. Is there some way to activate the tape encryption with RMM? Is it a software or Hardware functionality? Which is the easiest way to start encrypting our tapes? Best regards, Enrique Montero. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
