Almost all the "tools". If the keys are stored in a secure environment
(IBM's ICSF for example, or CA's BrightStor Tape Encryption), then the key's
database itself is protected with a master passphrase that should be in a
sealed envelope that is available only to selected managers and stored at a
third secure location (not the DR site and not the data center itself).
Without the master passphrase, the key database cannot be used. However, if
you have access to the "turtle shells" and you know the master passphrase, then
yes, you would have everything you need to decrypt any tape-file you get
access to.

Russell Witt
CA-1 Level-2 Support Manager

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Finnell
Sent: Saturday, September 02, 2006 1:06 PM
To: [email protected]
Subject: Re: IBM announces Encrypting tape drives

...<snip>...
>>
I was just trying to work out a 'cold-site' scenario with encrypted tapes.
Seems like we'd need to build a 'one-pack system' with a running key ring
then do the restores from encrypted tapes to build a 'whole' system.

So if somebody steals my turtle shells for cold site they get all the tools
to build a new system.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
