Mike,
I don't know the application you use to encrypt the tapes. Maybe we're
confusing (misinterpreting) the terms 'importer key' and 'exporter key'.
In ICSF these keys are used for enciphering/deciphering other keys for
safe transportation. Those keys being enciphered by exporter keys are
sometimes called data keys or application keys.
Your backup application surely uses application keys. Assuming symmetric
methods, the same key is used for encryption and decryption of your data.
So you need to have this key in both locations.
How you transport the (application) key to the remote location is up
to you. It can be on paper, in a special envelope, guarded by armed guys,
etc. It can also be sent via e-mail, but encrypted using transport
(exporter/importer) keys.
--
Radoslaw Skorupka
Lodz, Poland
Ward, Mike S wrote:
Thanks for the answer. I have the need to back up customer information
and send it to offsite storage in case of a disaster. If we have a
disaster or (test) disaster recovery we take the tapes to our disaster
recovery site and restore the data there. If we had to restore the data
locally on the same system that it was created on, would I need an
importer key? Would the same exporter key work for data decryption? If
we restored the system along with the data at the disaster recovery site,
would I need the importer key there?
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of R.S.
Sent: Wednesday, April 19, 2006 1:49 AM
To: [email protected]
Subject: Re: ICSF
Ward, Mike S wrote:
Thanks for the answer.
I just finished generating an exporter key using ICSF. Do I need to
generate an importer key as well? The ICSF admin book sort of says they
complement each other, but it doesn't say whether you need both. I will
be encrypting tapes using VDR's utility, and I'll need to read the tapes
back in at the local site or at a remote site. Am I just ok with an
exporter key?
I don't know what your needs are.
However, exporter/importer keys (I assume symmetric keys) are for key
transportation in a secure way. Instead of that you can transport the keys
in clear form (it is insecure and requires SSM).
Again, if you transport the keys "unidirectionally" (from system A to
system B, never in the opposite direction), then one exporter/importer pair
is OK. If you want to have bidirectional "key traffic" then you need two
pairs.
Picture
one direction:
SYSA exporter1 ----> importer1 SYSB
second direction:
SYSA importer2 <---- exporter2 SYSB
importer1 and exporter1 are 'complementary' - they have the same value.
importer2 and exporter2 are complementary also.
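
The one-way exporter/importer pairing pictured above, as an added example that is not part of the original messages and does not use ICSF's API or algorithms. The System class, make_pair and the key labels are hypothetical, and the wrap is a stand-in built from HMAC-SHA256 so that it runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets

def _prf(kek, label, data):
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def _xor_stream(kek, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode), NOT the ICSF algorithm.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(kek, b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

class System:
    def __init__(self, name):
        self.name, self.keks = name, {}  # keks: label -> (role, value)

    def install(self, label, role, value):
        self.keks[label] = (role, value)

    def _kek(self, label, needed):
        role, value = self.keks[label]
        if role != needed:  # role enforcement: a key works in one direction only
            raise PermissionError(f"{label} on {self.name} is {role}, need {needed}")
        return value

    def export_key(self, label, data_key):
        """Wrap a data key for transport; only an EXPORTER may do this."""
        kek, nonce = self._kek(label, "EXPORTER"), secrets.token_bytes(16)
        ct = _xor_stream(kek, nonce, data_key)
        return nonce + ct + _prf(kek, b"mac", nonce + ct)

    def import_key(self, label, blob):
        """Unwrap a transported data key; only an IMPORTER may do this."""
        kek = self._kek(label, "IMPORTER")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _prf(kek, b"mac", nonce + ct)):
            raise ValueError("integrity check failed: wrong importer or altered blob")
        return _xor_stream(kek, nonce, ct)

def make_pair(exporting, importing, n):
    value = secrets.token_bytes(32)  # complementary keys share one value
    exporting.install(f"exporter{n}", "EXPORTER", value)
    importing.install(f"importer{n}", "IMPORTER", value)

if __name__ == "__main__":
    sysa, sysb = System("SYSA"), System("SYSB")
    make_pair(sysa, sysb, 1)  # SYSA exporter1 ----> importer1 SYSB
    print(sysb.import_key("importer1", sysa.export_key("exporter1", b"K" * 24)))
```

With only pair 1 installed, SYSB cannot send a key back to SYSA; calling make_pair(sysb, sysa, 2) adds the second direction.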