Actually we have them in production and have successfully tested a restore of an encrypted tape in our disaster recovery environment. We use RACF to control the public piece of the key pair and ICSF holds the private key. Our DR environment has completely separate RACF and ICSF databases from production.
The way that we have set it all up to work is to create keypairs in both the production and DR environments, import the public keys from the DR environment into the production environment and attach these keys to the EKM keyring. When we encrypt tapes we use both the production and DR public keys to wrap the data encrypting key on the tape. At DR the tape drives talk to EKM, which sends the DR private key to the tape drive, which successfully unwraps the data encrypting key protected by the DR public key.

Does that make sense?

Mark Jacobs
Time Customer Service

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Thursday, April 10, 2008 4:24 PM
To: [email protected]
Subject: Re: Encrypted Tapes and DR

I hear the name of the algorithm is WORN: Write once, read never :-)

Sorry. We are looking at the solution and have been through some presentations.

http://www-03.ibm.com/press/us/en/pressrelease/20254.wss

Key management comes with the solution and DR considerations are allegedly built right in. I don't recall any of the details, but I do recall thinking their scheme might actually work. After all, sales folks always know their product perfectly and all software works exactly as documented :-)

Even so, my personal take is that there are lots of complex little pieces that have to work perfectly or the data is irrevocably lost. Since the data includes your backups, well, there you are. Somehow the cost/benefit/risk equations don't quite add up in my poor, befuddled brainbone.

HTH

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Lizette Koehler
Sent: Thursday, April 10, 2008 2:37 PM
To: [email protected]
Subject: Encrypted Tapes and DR

Is anyone using the new Encryption Tape Drives (like TS3500) from IBM at a DR site? If so, how are the keys handled?

Lizette

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
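
The dual-wrapping arrangement described in the first message of this thread (one data encrypting key wrapped under both the production and the DR public key, so either site's private key can recover it), as an added sketch that is not part of any poster's message and is not IBM's EKM code. RSA-OAEP, the 2048-bit key size, the function names and the "PROD"/"DR" labels are assumptions; the thread does not name the algorithms used.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewSiteKey generates one site's key pair; the private half stays at that site.
func NewSiteKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// WrapForSites wraps the same data encrypting key (DEK) once per site public key,
// as happens when the tape is written. Map keys are constructed labels ("PROD", "DR").
func WrapForSites(dek []byte, pubs map[string]*rsa.PublicKey) (map[string][]byte, error) {
	wrapped := make(map[string][]byte)
	for label, pub := range pubs {
		blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(label))
		if err != nil {
			return nil, err
		}
		wrapped[label] = blob
	}
	return wrapped, nil
}

// Unwrap recovers the DEK from the copy stored under label, using a private key.
func Unwrap(wrapped map[string][]byte, label string, priv *rsa.PrivateKey) ([]byte, error) {
	blob, ok := wrapped[label]
	if !ok {
		return nil, errors.New("no wrapped key for label " + label)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, []byte(label))
}

func main() {
	prod, _ := NewSiteKey()
	dr, _ := NewSiteKey()
	dek := make([]byte, 32) // constructed 256-bit DEK
	rand.Read(dek)
	pubs := map[string]*rsa.PublicKey{"PROD": &prod.PublicKey, "DR": &dr.PublicKey}
	wrapped, _ := WrapForSites(dek, pubs)
	got, err := Unwrap(wrapped, "DR", dr)
	fmt.Println("DR private key recovers DEK:", err == nil && string(got) == string(dek))
	_, err = Unwrap(wrapped, "DR", prod)
	fmt.Println("production private key on the DR copy fails:", err != nil)
}
```

A restore test at the DR site is the equivalent of the `Unwrap(wrapped, "DR", dr)` call: it proves the DR-wrapped copy is actually on the tape and that the DR private key matches the public key imported into production.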

