client side encryption question
We are being asked about encrypting our backups. Looking at client-side encryption, if they want to encrypt all contents of a drive under Windows, is Include.encrypt c:\...\* the best way?

Also, what about a bare metal restore of an encrypted client? Using encryptkey=generate, will doing a systemstate restore first bring back the key so as to restore files?

Thank you all. This will get me started.
Re: Spectrum Protect Encryption
Hi Ricky,

IBM Spectrum Protect supports AES-128 and AES-256 for client-side data encryption, and AES-256 for cloud-container storage pools on the server. It also supports SSL/TLS communication encryption up to TLS 1.2.

Thank you,

Del

"ADSM: Dist Stor Manager" wrote on 03/25/2016 02:16:30 PM:

> From: "Plair, Ricky"
> To: ADSM-L@VM.MARIST.EDU
> Date: 03/25/2016 02:17 PM
> Subject: Spectrum Protect Encryption
> Sent by: "ADSM: Dist Stor Manager"
>
> Can anyone tell me what type/version of encryption the new IBM Spectrum Protect uses.
>
> Is it the same as the older versions, AES 128?
>
> I appreciate the help.
>
> Ricky M. Plair
> Storage Engineer
> HealthPlan Services
> Office: 813 289 1000 Ext 2273
> Mobile: 813 357 9673
Spectrum Protect Encryption
Can anyone tell me what type/version of encryption the new IBM Spectrum Protect uses. Is it the same as the older versions, AES 128?

I appreciate the help.

Ricky M. Plair
Storage Engineer
HealthPlan Services
Office: 813 289 1000 Ext 2273
Mobile: 813 357 9673

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information and/or Protected Health Information (PHI) subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). If you are not the intended recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email in error and that any use, disclosure, distribution, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error, please notify the sender immediately and destroy all copies of the original message.
TSM Encryption security gap?
We are starting to make more use of TSM Encryption. There is a combination of features that appears to leave a security gap.

We have decided to use ENCRYPTKEY GENERATE, because it provides what is in effect encryption key escrow. We require key escrow whenever encryption is used for university data - it's surprising how many times encryption keys get lost. We also use PASSWORDACCESS GENERATE, in order to enable automatic scheduled backups.

The gap is in restore. If I have an encrypted drive, whose contents are backed up using TSM encryption, and then I unplug that drive thinking it is secure, it is not. Anyone who can boot the machine can restore everything from the encrypted drive, without entering any key or password, due to PASSWORDACCESS GENERATE.

We are thinking of instructing users to always do a complete shutdown (not sleep or hibernate), and to encrypt their boot drive if they have any sensitive data, even if that data resides somewhere other than the boot drive. However, this is herding cats. It's unlikely to be followed in all cases.

A possible solution would be to require re-entry of the TSM password to restore encrypted data, if both ENCRYPTKEY GENERATE and PASSWORDACCESS GENERATE are in effect.

Am I understanding this correctly? Is there something I am missing here?

Roger Deschner
University of Illinois at Chicago
rog...@uic.edu
==I have not lost my mind -- it is backed up on tape somewhere.==
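An added example, not code from the list or from IBM: a small Python audit that reads a client options file and flags the combination Roger describes (ENCRYPTKEY GENERATE together with PASSWORDACCESS GENERATE), and reports the INCLUDE.ENCRYPT patterns from the first question above, including the whole-drive c:\...\* form. The option names are the real client keywords; the minimum-abbreviation lengths, the stanza handling and the sample option files are assumptions.

```python
"""Audit a TSM / Spectrum Protect client options file (dsm.sys or dsm.opt) for
the unattended-restore gap discussed above.  Added example, not code from the list
or IBM: option keywords are real; abbreviation lengths, samples, wording assumed."""
import re
from dataclasses import dataclass, field

# Option keyword -> assumed minimum abbreviation length (IBM documents the
# abbreviation as the capitalised prefix, e.g. PASSWORDAccess, ENCRYPTKey).
KEYWORDS = {"SERVERNAME": 2, "PASSWORDACCESS": 9, "ENCRYPTKEY": 8,
            "INCLUDE.ENCRYPT": 15}
# c:\...\* or /.../* selects every file on a drive ('...' = any directories).
WHOLE_DRIVE = re.compile(r"^(?:[a-z]:\\|/)\.\.\.(?:\\|/)\*$", re.IGNORECASE)
GAP = "encryptkey-generate-with-passwordaccess-generate"
WHOLE = "include.encrypt-covers-whole-drive"
NONE = "no-include.encrypt-patterns"
MESSAGES = {
    GAP: ("server-held key plus automatically supplied password: anyone who can "
          "run the client on this node restores the encrypted files unchallenged"),
    WHOLE: "pattern encrypts a whole drive; plan the bare-metal restore for it",
    NONE: "nothing is selected for client-side encryption",
}

@dataclass
class Stanza:
    name: str
    passwordaccess: str = "PROMPT"   # client default
    encryptkey: str = "SAVE"         # client default
    encrypt_patterns: list = field(default_factory=list)

def match_keyword(token):
    """Map a possibly abbreviated option name to its full keyword, or None."""
    t = token.upper()
    for kw, minlen in KEYWORDS.items():
        if len(t) >= minlen and kw.startswith(t):
            return kw
    return None

def parse_options(text):
    """Parse option lines into stanzas; a line starting with '*' is a comment."""
    stanzas, current, registered = [], Stanza("(default)"), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # KEY value or KEY=value
        kw = match_keyword(parts[0])
        value = parts[1].strip() if len(parts) > 1 else ""
        if kw is None:
            continue
        if kw == "SERVERNAME":            # dsm.sys: start of a server stanza
            current, registered = Stanza(value), True
            stanzas.append(current)
        elif not registered:              # dsm.opt: no stanza header at all
            stanzas.append(current)
            registered = True
        if kw == "PASSWORDACCESS":
            current.passwordaccess = value.upper()
        elif kw == "ENCRYPTKEY":
            current.encryptkey = value.upper()
        elif kw == "INCLUDE.ENCRYPT":
            current.encrypt_patterns.append(value.strip('"'))
    return stanzas

def assess(stanza):
    """Return the finding codes that apply to one stanza."""
    if not stanza.encrypt_patterns:
        return [NONE]
    findings = []
    if stanza.encryptkey == "GENERATE" and stanza.passwordaccess == "GENERATE":
        findings.append(GAP)
    if any(WHOLE_DRIVE.match(p) for p in stanza.encrypt_patterns):
        findings.append(WHOLE)
    return findings

def audit(text):
    """Return {stanza name: [finding codes]} for the text of an options file."""
    return {s.name: assess(s) for s in parse_options(text)}

SAMPLE_DSM_SYS = """\
* constructed Unix dsm.sys, not a real site's file
SErvername  backup_a
   PASSWORDAccess    generate
   ENCRYPTKey        generate
   Include.Encrypt   /home/.../*
SErvername  backup_b
   PASSWORDAccess    prompt
   ENCRYPTKey        generate
   Include.Encrypt   /data/finance/.../*
"""
SAMPLE_DSM_OPT = """\
* constructed Windows dsm.opt mirroring the first question in the thread
PASSWORDACCESS  generate
ENCRYPTKEY=generate
INCLUDE.ENCRYPT c:\\...\\*
"""

if __name__ == "__main__":
    for name, codes in {**audit(SAMPLE_DSM_SYS), **audit(SAMPLE_DSM_OPT)}.items():
        print(name, [MESSAGES[c] for c in codes] or "no finding")
```

Stanza backup_b shows the shape Roger proposes: ENCRYPTKEY GENERATE keeps the key escrowed on the server while PASSWORDACCESS PROMPT forces a password at restore time, at the cost of unattended scheduled backups.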
Get rid of old encryption key on tapes.
Need a lot of help with this one.

We have changed from using IBM Encryption Key Management to IBM Security Key Lifecycle Manager for encrypting tapes in our TS3310 library using TSM 7.1.1 on a Linux system. The problem is all the tapes have been encrypted by the old EKM and now we are using SKLM. TSM rejects the tape because it already has an encryption key from EKM. I don't need the data that is on any of the tapes, I just need to be able to use them with SKLM.

I have used the LABEL command with the OVERWRITE option and that seems to work on some but not many.

How can I get rid of the old EKM encryption key on each tape so it will get a new encryption key from SKLM?

Thanks for any help, this is a doozy.

Ricky M. Plair
Storage Engineer
HealthPlan Services
Office: 813 289 1000 Ext 2273
Mobile: 813 357 9673
Re: Tape Encryption
The TSM Redbook found at http://www.redbooks.ibm.com/redbooks/pdfs/sg247505.pdf has a chapter on TSM managed tape encryption and how it is handled.

David

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of McWilliams, Eric
Sent: Wednesday, July 08, 2015 2:50 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Tape Encryption

We are currently encrypting our data as it is being written to tape. The auditors want to know how the encryption keys are managed. All I can find is that the keys are managed by the Tivoli Storage Manager. Does anyone have any documentation that explains how the keys are managed and what keeps someone from decrypting a tape that is lost or stolen?

tsm: >q dev ltodevc f=d

Device Class Name: LTODEVC
Device Access Strategy: Sequential
Storage Pool Count: 1
Device Type: LTO
Format: DRIVE
Est/Max Capacity (MB):
Mount Limit: DRIVES
Mount Wait (min): 60
Mount Retention (min): 60
Label Prefix: ADSM
Drive Letter:
Library: MEDSLIB
Directory:
Server Name:
Retry Period:
Retry Interval:
Twosided:
Shared:
High-level Address:
Minimum Capacity:
WORM: No
Drive Encryption: On
Scaled Capacity:
Primary Allocation (MB):
Secondary Allocation (MB):
Compression:
Retention:
Protection:
Expiration Date:
Unit:
Logical Block Protection: No
Last Update by (administrator):
Last Update Date/Time: 12/08/2014 13:14:44

Volume Name: XXX
Storage Pool Name: TAPEPOOL
Device Class Name: LTODEVC
Estimated Capacity: 2.3 T
Scaled Capacity Applied:
Pct Util: 100.0
Volume Status: Full
Access: Read/Write
Pct. Reclaimable Space: 0.0
Scratch Volume?: Yes
In Error State?: No
Number of Writable Sides: 1
Number of Times Mounted: 1
Write Pass Number: 1
Approx. Date Last Written: 07/02/2015 05:16:24
Approx. Date Last Read: 07/02/2015 05:16:24
Date Became Pending:
Number of Write Errors: 0
Number of Read Errors: 0
Volume Location:
Volume is MVS Lanfree Capable : No
Last Update by (administrator):
Last Update Date/Time: 06/30/2015 18:17:40
Begin Reclaim Period:
End Reclaim Period:
Drive Encryption Key Manager: Tivoli Storage Manager
Logical Block Protected: No

Thanks
Eric

*** CONFIDENTIALITY NOTICE *** This message and any included attachments are from MedSynergies, Inc. and are intended only for the addressee. The contents of this message contain confidential information belonging to the sender that is legally protected. Unauthorized forwarding, printing, copying, distribution, or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error by e-mail or contact MedSynergies, Inc. at postmas...@medsynergies.com.
Re: Tape Encryption
The Redbook "IBM Tivoli Storage Manager: Building a Secure Environment" (SG24-7505-00) goes into a bit more detail. A stolen storage pool tape is not, in and of itself, a security exposure; the thief will not have access to the TSM database entry containing the encryption key. If someone steals a storage pool tape and the various items needed for a database restore (database backup tape, volume history file, and device configuration file), they can decrypt the contents of the storage pool tape, as long as they have the necessary hardware and the knowledge needed to carry out what amounts to a TSM DR process.

Thomas Denier
Thomas Jefferson University

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of McWilliams, Eric
Sent: Wednesday, July 08, 2015 2:50 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Tape Encryption

We are currently encrypting our data as it is being written to tape. The auditors want to know how the encryption keys are managed. All I can find is that the keys are managed by the Tivoli Storage Manager. Does anyone have any documentation that explains how the keys are managed and what keeps someone from decrypting a tape that is lost or stolen?
The information contained in this transmission contains privileged and confidential information. It is intended only for the use of the person named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. CAUTION: Intended recipients should NOT use email communication for emergent or urgent health care matters.
Tape Encryption
We are currently encrypting our data as it is being written to tape. The auditors want to know how the encryption keys are managed. All I can find is that the keys are managed by the Tivoli Storage Manager. Does anyone have any documentation that explains how the keys are managed and what keeps someone from decrypting a tape that is lost or stolen?

Thanks
Eric
Re: Old Technote: TSM encryption compliance with FIPS 140-2
Hi Del,

That's very much appreciated!

Best,
Ruth
U of I, Urbana, IL

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Del Hoobler
Sent: Monday, March 16, 2015 5:57 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Old Technote: TSM encryption compliance with FIPS 140-2

Hi Ruth,

You did it the correct way. I have also reached out to the team to get your comment sent to the owner of that specific technote.

Del

"ADSM: Dist Stor Manager" wrote on 03/12/2015 05:56:34 PM:

> From: "Mitchell, Ruth Slovik"
> To: ADSM-L@VM.MARIST.EDU
> Date: 03/12/2015 05:57 PM
> Subject: Old Technote: TSM encryption compliance with FIPS 140-2
> Sent by: "ADSM: Dist Stor Manager"
>
> Hi All,
>
> I know we all grapple with outdated online documentation from time to time. Does anyone have a suggestion for the best way to request IBM update an out of date technote? I've already submitted feedback via the 'rate this page' link. Is it better to open a service request? To me that seems like overkill.
>
> The page in question is http://www-01.ibm.com/support/docview.wss?uid=swg21442342, last updated in 2012. We'd like to point customers to a current IBM page for this type of information, but such out of date details aren't very helpful.
>
> Thanks in advance for recommendations.
>
> Ruth
> U of I, Urbana, IL
Re: Old Technote: TSM encryption compliance with FIPS 140-2
Hi Ruth,

You did it the correct way. I have also reached out to the team to get your comment sent to the owner of that specific technote.

Del

"ADSM: Dist Stor Manager" wrote on 03/12/2015 05:56:34 PM:

> From: "Mitchell, Ruth Slovik"
> To: ADSM-L@VM.MARIST.EDU
> Date: 03/12/2015 05:57 PM
> Subject: Old Technote: TSM encryption compliance with FIPS 140-2
> Sent by: "ADSM: Dist Stor Manager"
>
> Hi All,
>
> I know we all grapple with outdated online documentation from time to time. Does anyone have a suggestion for the best way to request IBM update an out of date technote? I've already submitted feedback via the 'rate this page' link. Is it better to open a service request? To me that seems like overkill.
>
> The page in question is http://www-01.ibm.com/support/docview.wss?uid=swg21442342, last updated in 2012. We'd like to point customers to a current IBM page for this type of information, but such out of date details aren't very helpful.
>
> Thanks in advance for recommendations.
>
> Ruth
> U of I, Urbana, IL
Old Technote: TSM encryption compliance with FIPS 140-2
Hi All,

I know we all grapple with outdated online documentation from time to time. Does anyone have a suggestion for the best way to request IBM update an out of date technote? I've already submitted feedback via the 'rate this page' link. Is it better to open a service request? To me that seems like overkill.

The page in question is http://www-01.ibm.com/support/docview.wss?uid=swg21442342, last updated in 2012. We'd like to point customers to a current IBM page for this type of information, but such out of date details aren't very helpful.

Thanks in advance for recommendations.

Ruth
U of I, Urbana, IL
Re: TSM based encryption
No problems with the export/import. But, if you are talking about encryption that is done by the TSM client, it is encrypted before being sent to the server, and when it's transmitted to the new server it will still be encrypted. If you are talking about the TSM server managing encryption being done by tape drives, when the data is read back the drive will decrypt it, and it will be transmitted to the new server in non-encrypted form. Whether it's encrypted on the target server depends on whether you are encrypting the target media.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Ochs, Duane
Sent: Friday, October 03, 2014 1:42 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] TSM based encryption

Good day everyone,

I'm planning a large project for an acquired company and have no working experience with TSM based encryption. Will I run into problems while doing server to server exports with data that was archived using TSM based encryption?

Thanks,
Duane

Follow Quad/Graphics in social media <http://www.qg.com/socialmedia>
TSM based encryption
Good day everyone,

I'm planning a large project for an acquired company and have no working experience with TSM based encryption. Will I run into problems while doing server to server exports with data that was archived using TSM based encryption?

Thanks,
Duane

Follow Quad/Graphics in social media <http://www.qg.com/socialmedia>
Re: invalid encryption key
Saw that once at a customer, was a V6 Windoze client. Asked them to open a Tivoli ticket, but never got a follow up from them. Please post back if you find out what did it!

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Ehresman,David E.
Sent: Friday, September 27, 2013 3:41 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] invalid encryption key

Anyone ever gotten a:

ANS1469E Error processing '/soft/soft2/autotree/autosys/log/chmod_cache.060402'; invalid encryption key.

message when doing a file system restore of a file system that has never had TSM encryption turned on?

David
invalid encryption key
Anyone ever gotten a:

ANS1469E Error processing '/soft/soft2/autotree/autosys/log/chmod_cache.060402'; invalid encryption key.

message when doing a file system restore of a file system that has never had TSM encryption turned on?

David
Re: Enabling Encryption in TS3500/E06 Drives
Hi Zoltan,

Is the drive encryption enabled at the OS level? On E05 drives, I had to update our AIX server drive definition:

chdev -l 'rmt6' -a wrt_encryption='on'

I did not have to change anything to our new E07 drive, I guess they were set OK.

Pierre Billaudeau
SAQ
Montreal

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
Sent: 3 September 2013 11:15
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Enabling Encryption in TS3500/E06 Drives

Well, contrary to the response I received about this being as simple as changing the devclass value, I can not get encryption to work.

I changed the devclass to DRIVEENCRYPTION=ON and the first attempt to write a new tape fails with:

9/3/2013 9:59:03 AM ANR8985E The drive 7876475 (/dev/lin_tape/by-serial/07876475) in library TS3500-COPY is using an encryption method that is incompatible with the current server settings.

So, I figured I would check the hardware settings of the TS1130-E06 drives. They were all set to NO ENCRYPTION. I changed this to APPLICATION and figured that would take care of it. No such luck. Same errors.

Tried resetting/cycling the drives - still nothing.

Tried taking all drives and paths offline, figuring this might reset/retrieve the new drive setting - still nothing - same errors.

Is there some library (TS3500) setting that may be blocking this?

So, what am I missing?

On Tue, Aug 20, 2013 at 12:34 PM, Zoltan Forray wrote:

> Well, the saga is coming to a conclusion and I am going to activate encryption of offsite tapes, via AME/TSM.
>
> Is there anything more I need to do besides update the DEVCLASS to DRIVEENCRYPTION=ALLOW on all of my TSM servers?
>
> When I check the drive details via the TS3500 interface, it says encryption is disabled? Do I need to go to each drive and enable it?
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html

--
*Zoltan Forray*

--
Confidential information: This message, and any file attached to it, is sent for the exclusive use of its intended recipient(s); it is confidential in nature and may constitute privileged information. We warn anyone other than the intended recipient that any review, forwarding, printing, copying, distribution or other use of this message and any attached file is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail and delete this message and any attached document from your system. Thank you.
Re: Enabling Encryption in TS3500/E06 Drives
Well, contrary to the response I received about this being as simple as changing the devclass value, I can not get encryption to work.

I changed the devclass to DRIVEENCRYPTION=ON and the first attempt to write a new tape fails with:

9/3/2013 9:59:03 AM ANR8985E The drive 7876475 (/dev/lin_tape/by-serial/07876475) in library TS3500-COPY is using an encryption method that is incompatible with the current server settings.

So, I figured I would check the hardware settings of the TS1130-E06 drives. They were all set to NO ENCRYPTION. I changed this to APPLICATION and figured that would take care of it. No such luck. Same errors.

Tried resetting/cycling the drives - still nothing.

Tried taking all drives and paths offline, figuring this might reset/retrieve the new drive setting - still nothing - same errors.

Is there some library (TS3500) setting that may be blocking this?

So, what am I missing?

On Tue, Aug 20, 2013 at 12:34 PM, Zoltan Forray wrote:

> Well, the saga is coming to a conclusion and I am going to activate encryption of offsite tapes, via AME/TSM.
>
> Is there anything more I need to do besides update the DEVCLASS to DRIVEENCRYPTION=ALLOW on all of my TSM servers?
>
> When I check the drive details via the TS3500 interface, it says encryption is disabled? Do I need to go to each drive and enable it?
>
> --
> *Zoltan Forray*

--
*Zoltan Forray*
Re: Enabling Encryption in TS3500/E06 Drives
Sorry - I should have mentioned this is Redhat Linux.

On Tue, Sep 3, 2013 at 11:42 AM, Billaudeau, Pierre wrote:

> Hi Zoltan,
> Is the drive encryption enabled at the OS level? On E05 drives, I had to update our AIX server drive definition:
> chdev -l 'rmt6' -a wrt_encryption='on'
> I did not have to change anything to our new E07 drive, I guess they were set OK.
>
> Pierre Billaudeau
> SAQ
> Montreal

--
*Zoltan Forray*
Enabling Encryption in TS3500/E06 Drives
Well, the saga is coming to a conclusion and I am going to activate encryption of offsite tapes, via AME/TSM.

Is there anything more I need to do besides update the DEVCLASS to DRIVEENCRYPTION=ALLOW on all of my TSM servers?

When I check the drive details via the TS3500 interface, it says encryption is disabled? Do I need to go to each drive and enable it?

--
*Zoltan Forray*
Re: Implementing Encryption
True, those pages don't mention a tape library. In this document on the TS3500 Tape Library:

http://publib.boulder.ibm.com/infocenter/ts3500tl/v1r0/index.jsp?topic=%2Fcom.ibm.storage.ts3500.doc%2Fipg_3584_managing_encrypt.html

it says:

Planning for application-managed encryption

This topic explains application-managed encryption (AME). This method is best where operating environments run an application already capable of generating and managing encryption policies and keys, such as Tivoli® Storage Manager (TSM). Policies specifying when encryption is to be used are defined through the application interface. The policies and keys pass through the data path between the application layer and the encrypting tape drives. Encryption is the result of interaction between the application and the encryption-enabled tape drive, and does not require any changes to the system and library layers. Because the application manages the encryption keys, data volumes written and encrypted using the application-managed encryption method can only be read by the same software application that wrote them. A key manager *is not required by, or used by, application-managed tape encryption*.

On Wed, Apr 10, 2013 at 2:04 PM, Alex Paschal wrote:

> That's odd. On page 23 it didn't mention anything about a robot being in the AME workflow. Might it be on another page?
>
> In the Redbook, AME is on pages 34-37. There is no mention of the library itself being in the data key workflow.
>
> I don't know what to tell you about the conflict. All I can do is to give you my citations. Please let us know if you find some way to answer the question.
>
> On 4/10/2013 7:23 AM, Zoltan Forray wrote:
>
>> *I don't think there's anything else you need to do. With AME, the robot doesn't talk to TSM for the keys - it's done strictly at the tape drive level.*
>>
>> You are the second person to make such a comment when documentation I have found says exactly the opposite. With AME, the TSM server managing the robot acts as the EKM. The drive requests the key from the robot/ATL which, since it was told it is using AME, passes the request to the TSM server, which in turn generates the key and passes it back to the ATL/drive. From this doc (yes I know it is old but a newer document sent to me says the same thing):
>>
>> http://tsm-symposium.oucs.ox.ac.uk/2007/papers/Christina%20Coutts%20-%20Tape%20Drive%20Encryption.pdf
>>
>> on page 23, it states:
>>
>> *TSM Application Managed Encryption (AME)*
>>
>> TSM generates, encrypts and stores the key in the DB with other meta data
>> - Provides interface to key services
>> - Associates correct key with file
>>
>> On Tue, Apr 9, 2013 at 6:03 PM, Alex Paschal wrote:
>>
>>> Oh, sorry, rest of the question. It's easy to convert from AME to LME - create new library partition, new devclass, set up for LME. Rename some stgpools and recreate them using the new devclass so you don't have to modify your daily maintenance scripts or copygroups. Then attrition, reclamation, or move data scripts. Pretty much the same way you'd handle any other media refresh.
>>>
>>> I don't think there's anything else you need to do. With AME, the robot doesn't talk to TSM for the keys - it's done strictly at the tape drive level. TSM requests a tape mount, the robot moves the tape to the drive, the drive mounts and sends the volser to TSM, TSM looks up the data key in the db, sends the data key to the drive, the drive uses the data key to encrypt. It's described pretty well in the IBM System Storage Open Systems Tape Encryption Solutions redbook.
>>>
>>> http://www.redbooks.ibm.com/abstracts/sg247907.html
>>>
>>> On 4/9/2013 9:39 AM, Zoltan Forray wrote:
>>>
>>>> Well folks, this project keeps changing. Originally figured we would use EKM/TKLM but then discussions brought it back to, why not just AME/TSM handle the encryption - do we need to encrypt the DB?
>>>>
>>>> So, while we are pending a response from the security/auditor folks about AME being sufficient, the
Re: Implementing Encryption
That's odd. On page 23 it didn't mention anything about a robot being in the AME workflow. Might it be on another page?

In the Redbook, AME is on pages 34-37. There is no mention of the library itself being in the data key workflow.

I don't know what to tell you about the conflict. All I can do is to give you my citations. Please let us know if you find some way to answer the question.

On 4/10/2013 7:23 AM, Zoltan Forray wrote:

> *I don't think there's anything else you need to do. With AME, the robot doesn't talk to TSM for the keys - it's done strictly at the tape drive level.*
>
> You are the second person to make such a comment when documentation I have found says exactly the opposite. With AME, the TSM server managing the robot acts as the EKM. The drive requests the key from the robot/ATL which, since it was told it is using AME, passes the request to the TSM server, which in turn generates the key and passes it back to the ATL/drive. From this doc (yes I know it is old but a newer document sent to me says the same thing):
>
> http://tsm-symposium.oucs.ox.ac.uk/2007/papers/Christina%20Coutts%20-%20Tape%20Drive%20Encryption.pdf
>
> on page 23, it states:
>
> *TSM Application Managed Encryption (AME)*
>
> TSM generates, encrypts and stores the key in the DB with other meta data
> - Provides interface to key services
> - Associates correct key with file
>
> On Tue, Apr 9, 2013 at 6:03 PM, Alex Paschal wrote:
>
>> Oh, sorry, rest of the question. It's easy to convert from AME to LME - create new library partition, new devclass, set up for LME. Rename some stgpools and recreate them using the new devclass so you don't have to modify your daily maintenance scripts or copygroups. Then attrition, reclamation, or move data scripts. Pretty much the same way you'd handle any other media refresh.
>>
>> I don't think there's anything else you need to do. With AME, the robot doesn't talk to TSM for the keys - it's done strictly at the tape drive level. TSM requests a tape mount, the robot moves the tape to the drive, the drive mounts and sends the volser to TSM, TSM looks up the data key in the db, sends the data key to the drive, the drive uses the data key to encrypt. It's described pretty well in the IBM System Storage Open Systems Tape Encryption Solutions redbook.
>>
>> http://www.redbooks.ibm.com/abstracts/sg247907.html
>>
>> On 4/9/2013 9:39 AM, Zoltan Forray wrote:
>>
>>> Well folks, this project keeps changing. Originally figured we would use EKM/TKLM but then discussions brought it back to, why not just AME/TSM handle the encryption - do we need to encrypt the DB?
>>>
>>> So, while we are pending a response from the security/auditor folks about AME being sufficient, the question arose asking "what if we implement AME and then the powers-that-be say it isn't good enough and they want the DB encrypted as well, forcing us to move to LME"? How much of a pain-in-the.. would that be? What is the impact?
>>>
>>> On the subject of implementing AME, besides saying UPDATE DEVCLASS .. DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and selecting "Encryption Method - Application Managed" and making sure all the TS1130 drives have encryption turned on - what else do I need to do? How does the robot know to talk to TSM for the keys?
>>>
>>> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>>>
>>>> Zoltan, BTDTGTTS.
>>>>
>>>> You first decide if you want to use TSM-managed or externally-managed (EKM) encryption.
>>>>
>>>> With TSM encryption, it really is just as simple as creating a devclass and creating storage pools pointing to that devclass. (Plus you have to set the encryption mode on the logical library to application-managed.)
>>>>
>>>> TSM creates its own keys, stores them in the TSM DB, passes the keys to the drives and tells the drives to encrypt the tapes. The encryption is still done outboard by the hardware. Has the wonderful advantage of being simple, free, and unbreakable. Your hands never touch the keys, it's totally transparent to everybody. You can't hurt it. No implications for DR. No reason not to use it. TSM development doesn't get enough credit for making this easy and free.
>>>>
>>>> OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT tapes, nor BACKUPSET tapes.
>>>>
>>>> With externally-managed encryption, the keys are managed by the EKM. TSM doesn't know it's happening. You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product. But the cost of the software is trivial compared to the implementation cost. High learning curve. Lots of testing required to make sure you can recover.
>>>>
>>>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.) It is possi
Re: Implementing Encryption
> *I don't think there's anything else you need to do. With AME, the robot doesn't talk to TSM for the keys - it's done strictly at the tape drive level.*

You are the second person to make such a comment when documentation I have found says exactly the opposite. With AME, the TSM server managing the robot acts as the EKM. The drive requests the key from the robot/ATL which, since it was told it is using AME, passes the request to the TSM server, which in turn generates the key and passes it back to the ATL/drive. From this doc (yes I know it is old but a newer document sent to me says the same thing):

http://tsm-symposium.oucs.ox.ac.uk/2007/papers/Christina%20Coutts%20-%20Tape%20Drive%20Encryption.pdf

on page 23, it states:

*TSM Application Managed Encryption (AME)*

TSM generates, encrypts and stores the key in the DB with other meta data
- Provides interface to key services
- Associates correct key with file

On Tue, Apr 9, 2013 at 6:03 PM, Alex Paschal wrote:

> Oh, sorry, rest of the question. It's easy to convert from AME to LME - create new library partition, new devclass, set up for LME. Rename some stgpools and recreate them using the new devclass so you don't have to modify your daily maintenance scripts or copygroups. Then attrition, reclamation, or move data scripts. Pretty much the same way you'd handle any other media refresh.
>
> I don't think there's anything else you need to do. With AME, the robot doesn't talk to TSM for the keys - it's done strictly at the tape drive level. TSM requests a tape mount, the robot moves the tape to the drive, the drive mounts and sends the volser to TSM, TSM looks up the data key in the db, sends the data key to the drive, the drive uses the data key to encrypt. It's described pretty well in the IBM System Storage Open Systems Tape Encryption Solutions redbook.
>
> http://www.redbooks.ibm.com/abstracts/sg247907.html
>
> On 4/9/2013 9:39 AM, Zoltan Forray wrote:
>
>> Well folks, this project keeps changing. Originally figured we would use EKM/TKLM but then discussions brought it back to, why not just AME/TSM handle the encryption - do we need to encrypt the DB?
>>
>> So, while we are pending a response from the security/auditor folks about AME being sufficient, the question arose asking "what if we implement AME and then the powers-that-be say it isn't good enough and they want the DB encrypted as well, forcing us to move to LME"? How much of a pain-in-the.. would that be? What is the impact?
>>
>> On the subject of implementing AME, besides saying UPDATE DEVCLASS .. DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and selecting "Encryption Method - Application Managed" and making sure all the TS1130 drives have encryption turned on - what else do I need to do? How does the robot know to talk to TSM for the keys?
>>
>> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>>
>>> Zoltan, BTDTGTTS.
>>>
>>> You first decide if you want to use TSM-managed or externally-managed (EKM) encryption.
>>>
>>> With TSM encryption, it really is just as simple as creating a devclass and creating storage pools pointing to that devclass. (Plus you have to set the encryption mode on the logical library to application-managed.)
>>>
>>> TSM creates its own keys, stores them in the TSM DB, passes the keys to the drives and tells the drives to encrypt the tapes. The encryption is still done outboard by the hardware. Has the wonderful advantage of being simple, free, and unbreakable. Your hands never touch the keys, it's totally transparent to everybody. You can't hurt it. No implications for DR. No reason not to use it. TSM development doesn't get enough credit for making this easy and free.
>>>
>>> OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT tapes, nor BACKUPSET tapes.
>>>
>>> With externally-managed encryption, the keys are managed by the EKM. TSM doesn't know it's happening. You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product. But the cost of the software is trivial compared to the implementation cost. High learning curve. Lots of testing required to make sure you can recov
Re: Implementing Encryption
Oh, sorry, rest of the question. It's easy to convert from AME to LME - create new library partition, new devclass, set up for LME. Rename some stgpools and recreate them using the new devclass so you don't have to modify your daily maintenance scripts or copygroups. Then attrition, reclamation, or move data scripts. Pretty much the same way you'd handle any other media refresh.

I don't think there's anything else you need to do. With AME, the robot doesn't talk to TSM for the keys - it's done strictly at the tape drive level. TSM requests a tape mount, the robot moves the tape to the drive, the drive mounts and sends the volser to TSM, TSM looks up the data key in the db, sends the data key to the drive, the drive uses the data key to encrypt. It's described pretty well in the IBM System Storage Open Systems Tape Encryption Solutions redbook.

http://www.redbooks.ibm.com/abstracts/sg247907.html

On 4/9/2013 9:39 AM, Zoltan Forray wrote:

> Well folks, this project keeps changing. Originally figured we would use EKM/TKLM but then discussions brought it back to, why not just AME/TSM handle the encryption - do we need to encrypt the DB?
>
> So, while we are pending a response from the security/auditor folks about AME being sufficient, the question arose asking "what if we implement AME and then the powers-that-be say it isn't good enough and they want the DB encrypted as well, forcing us to move to LME"? How much of a pain-in-the.. would that be? What is the impact?
>
> On the subject of implementing AME, besides saying UPDATE DEVCLASS .. DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and selecting "Encryption Method - Application Managed" and making sure all the TS1130 drives have encryption turned on - what else do I need to do? How does the robot know to talk to TSM for the keys?
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>
>> Zoltan, BTDTGTTS.
>>
>> You first decide if you want to use TSM-managed or externally-managed (EKM) encryption.
>>
>> With TSM encryption, it really is just as simple as creating a devclass and creating storage pools pointing to that devclass. (Plus you have to set the encryption mode on the logical library to application-managed.)
>>
>> TSM creates its own keys, stores them in the TSM DB, passes the keys to the drives and tells the drives to encrypt the tapes. The encryption is still done outboard by the hardware. Has the wonderful advantage of being simple, free, and unbreakable. Your hands never touch the keys, it's totally transparent to everybody. You can't hurt it. No implications for DR. No reason not to use it. TSM development doesn't get enough credit for making this easy and free.
>>
>> OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT tapes, nor BACKUPSET tapes.
>>
>> With externally-managed encryption, the keys are managed by the EKM. TSM doesn't know it's happening. You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product. But the cost of the software is trivial compared to the implementation cost. High learning curve. Lots of testing required to make sure you can recover.
>>
>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.) It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes. Test, test, CYA, test. But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>>
>> So if you have a requirement for encrypting backupsets, you need the EKM. DEVCLASS change does not apply, as TSM knows nothing about the encryption.
>>
>> If all you have is a requirement that BACKUP DATA on your storage pool tapes (which isn't included in a DB backup tape) gets encrypted so that if a tape falls off a truck there is no exposure to PII, choose TSM encryption and just turn it on.
>>
>> W
>>
>> -----Original Message-----
>> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
>> Sent: Thursday, April 04, 2013 9:41 AM
>> To: ADSM-L@VM.MARIST.EDU
>> Subject: [ADSM-L] Implementing Encryption
>>
>> I know this sounds strange, but we need to implement encryption on our TS1130 tapes.
>>
>> Never having done this, I need some help/suggestions/war-stories/etc on how to basically turn encryption on. Is there a quick-and-dirty book on the subject?
>>
>> I understand the first thing would be to change the devclass for the tape drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are library managers).
>>
>> Then I saw something about EKM to manage the keys. Is this also implemented on all TSM servers?
>>
>> --
>> *Zoltan Forray*
>> TSM Software & Hardware Administ
Re: Implementing Encryption
The real question is: are you allowed to send the unencrypted keys (in the unencrypted dbbackup) offsite in the same truck as the encrypted tapes? Or will you have to ship the dbbackup tape separately?

Or if you want to dodge that "gotcha," I suppose you could simply scp the dbbackup to some server at another site, rather than sending the dbbackup with your tapes. Maybe rsync, because it can do block-level incremental. If you don't have a lot of change in your dbbackup, that could save on bandwidth.

On 4/9/2013 9:39 AM, Zoltan Forray wrote:

> Well folks, this project keeps changing. Originally figured we would use EKM/TKLM but then discussions brought it back to, why not just AME/TSM handle the encryption - do we need to encrypt the DB?
>
> So, while we are pending a response from the security/auditor folks about AME being sufficient, the question arose asking "what if we implement AME and then the powers-that-be say it isn't good enough and they want the DB encrypted as well, forcing us to move to LME"? How much of a pain-in-the.. would that be? What is the impact?
>
> On the subject of implementing AME, besides saying UPDATE DEVCLASS .. DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and selecting "Encryption Method - Application Managed" and making sure all the TS1130 drives have encryption turned on - what else do I need to do? How does the robot know to talk to TSM for the keys?
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>
>> Zoltan, BTDTGTTS.
>>
>> You first decide if you want to use TSM-managed or externally-managed (EKM) encryption.
>>
>> With TSM encryption, it really is just as simple as creating a devclass and creating storage pools pointing to that devclass. (Plus you have to set the encryption mode on the logical library to application-managed.)
>>
>> TSM creates its own keys, stores them in the TSM DB, passes the keys to the drives and tells the drives to encrypt the tapes. The encryption is still done outboard by the hardware. Has the wonderful advantage of being simple, free, and unbreakable. Your hands never touch the keys, it's totally transparent to everybody. You can't hurt it. No implications for DR. No reason not to use it. TSM development doesn't get enough credit for making this easy and free.
>>
>> OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT tapes, nor BACKUPSET tapes.
>>
>> With externally-managed encryption, the keys are managed by the EKM. TSM doesn't know it's happening. You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product. But the cost of the software is trivial compared to the implementation cost. High learning curve. Lots of testing required to make sure you can recover.
>>
>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.) It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes. Test, test, CYA, test. But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>>
>> So if you have a requirement for encrypting backupsets, you need the EKM. DEVCLASS change does not apply, as TSM knows nothing about the encryption.
>>
>> If all you have is a requirement that BACKUP DATA on your storage pool tapes (which isn't included in a DB backup tape) gets encrypted so that if a tape falls off a truck there is no exposure to PII, choose TSM encryption and just turn it on.
>>
>> W
>>
>> -----Original Message-----
>> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
>> Sent: Thursday, April 04, 2013 9:41 AM
>> To: ADSM-L@VM.MARIST.EDU
>> Subject: [ADSM-L] Implementing Encryption
>>
>> I know this sounds strange, but we need to implement encryption on our TS1130 tapes.
>>
>> Never having done this, I need some help/suggestions/war-stories/etc on how to basically turn encryption on. Is there a quick-and-dirty book on the subject?
>>
>> I understand the first thing would be to change the devclass for the tape drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are library managers).
>>
>> Then I saw something about EKM to manage the keys. Is this also implemented on all TSM servers?
>>
>> --
>> *Zoltan Forray*
>> TSM Software & Hardware Administrator
>> Virginia Commonwealth University
>> UCC/Office of Technology Services
>> zfor...@vcu.edu - 804-828-4807
>> Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
Re: Implementing Encryption
Well folks, this project keeps changing. Originally figured we would use EKM/TKLM but then discussions brought it back to, why not just AME/TSM handle the encryption - do we need to encrypt the DB?

So, while we are pending a response from the security/auditor folks about AME being sufficient, the question arose asking "what if we implement AME and then the powers-that-be say it isn't good enough and they want the DB encrypted as well, forcing us to move to LME"? How much of a pain-in-the.. would that be? What is the impact?

On the subject of implementing AME, besides saying UPDATE DEVCLASS .. DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and selecting "Encryption Method - Application Managed" and making sure all the TS1130 drives have encryption turned on - what else do I need to do? How does the robot know to talk to TSM for the keys?

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

> Zoltan, BTDTGTTS.
>
> You first decide if you want to use TSM-managed or externally-managed (EKM) encryption.
>
> With TSM encryption, it really is just as simple as creating a devclass and creating storage pools pointing to that devclass. (Plus you have to set the encryption mode on the logical library to application-managed.)
>
> TSM creates its own keys, stores them in the TSM DB, passes the keys to the drives and tells the drives to encrypt the tapes. The encryption is still done outboard by the hardware. Has the wonderful advantage of being simple, free, and unbreakable. Your hands never touch the keys, it's totally transparent to everybody. You can't hurt it. No implications for DR. No reason not to use it. TSM development doesn't get enough credit for making this easy and free.
>
> OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT tapes, nor BACKUPSET tapes.
>
> With externally-managed encryption, the keys are managed by the EKM. TSM doesn't know it's happening. You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product. But the cost of the software is trivial compared to the implementation cost. High learning curve. Lots of testing required to make sure you can recover.
>
> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.) It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes. Test, test, CYA, test. But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>
> So if you have a requirement for encrypting backupsets, you need the EKM. DEVCLASS change does not apply, as TSM knows nothing about the encryption.
>
> If all you have is a requirement that BACKUP DATA on your storage pool tapes (which isn't included in a DB backup tape) gets encrypted so that if a tape falls off a truck there is no exposure to PII, choose TSM encryption and just turn it on.
>
> W
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
> Sent: Thursday, April 04, 2013 9:41 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: [ADSM-L] Implementing Encryption
>
> I know this sounds strange, but we need to implement encryption on our TS1130 tapes.
>
> Never having done this, I need some help/suggestions/war-stories/etc on how to basically turn encryption on. Is there a quick-and-dirty book on the subject?
>
> I understand the first thing would be to change the devclass for the tape drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are library managers).
>
> Then I saw something about EKM to manage the keys. Is this also implemented on all TSM servers?
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html

--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html
Re: Implementing Encryption
Understood. I do something similar right now. Daily, my TSM servers back up their volhist and devconfig files, which are then SFTP'ed to an offsite server (these are Linux systems).

On Fri, Apr 5, 2013 at 3:27 PM, Alex Paschal wrote:

> Be sure to create a Windows task or crontab script that copies your EKM keystore periodically and remotely. And preferably not to TSM. :-)
>
> On 4/5/2013 6:30 AM, Zoltan Forray wrote:
>
>> Unfortunately, after discussing the choices with management, they decided to choose LME vs AME. So they want me to setup a Linux VM running EKM (onsite), as well as the EKM function on my offsite TSM server - fun...funfun. I know the 3494 config allows for a primary and secondary EKM and assume the TS3500 allows for at least this minimum config.
>>
>> At least they agree to wait until after the TS3500 is installed before implementing.
>>
>> Time to dig into the EKM docs for setting things up. I saw in the 3494 LM setup I need TCP/IP port 3801 (default) opened. Not sure about the other values like "Key Label Entry" and "Key Label".
>>
>> On Thu, Apr 4, 2013 at 6:53 PM, Prather, Wanda wrote:
>>
>>> Correct. Anything that has to be readable without accessing a live TSM DB can't be encrypted with TSM, ergo backupsets, exports, DB backups.
>>>
>>> And I don't know of any other reason not to choose TSM/App managed encryption. It's transparent, easy, free, and I've never run into any problems with it.
>>>
>>> The tape internal label isn't encrypted, so there isn't even a problem if you have encrypted tapes in one pool and they go back to scratch and get used later in an un-encrypted pool. Set it and forget it. (But don't forget you have to turn on encryption in the TS3500 library partition first.)
>>>
>>> W
>>>
>>> -----Original Message-----
>>> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
>>> Sent: Thursday, April 04, 2013 2:08 PM
>>> To: ADSM-L@VM.MARIST.EDU
>>> Subject: Re: [ADSM-L] Implementing Encryption
>>>
>>> Thanks.
>>>
>>> Other than the factor that certain tapes/processes are not encrypted (from the book when setting DRIVEE=ON - *Other types of volumes-for example, backup sets, export volumes, and database backup volumes-will not be encrypted.*)
>>>
>>> is there any reason not to choose "Application Managed Encryption"? As I think I understand it, with AME/TSM managing the keys, they are stored on the DB backup tape, thus the reason to not encrypt it? Correct?
>>>
>>> On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:
>>>
>>>> Here ya go. Buy the BIG bottle of aspirin.
>>>>
>>>> http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
>>>>
>>>> And just as a follow up:
>>>>
>>>> When you use TSM-managed encryption, it IS hardware based. Either TSM or TKLM, the encryption is done outboard by the drive itself.
>>>>
>>>> The difference is who handles the encryption keys/certificates, TSM or the TKLM. And the question of what TSM tapes can be encrypted as a result.
>>>>
>>>> W
>>>>
>>>> -----Original Message-----
>>>> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
>>>> Sent: Thursday, April 04, 2013 1:42 PM
>>>> To: ADSM-L@VM.MARIST.EDU
>>>> Subject: Re: [ADSM-L] Implementing Encryption
>>>>
>>>> I apologize, when I said EKM, I meant TKLM, which is the current product replacement for the old EKM.
>>>>
>>>> The only paint-by-number is a redbook for TKLM. Actually there are a couple, and you'll need aspirin.
>>>>
>>>> I'll look up the numbers and get back to you.
>>>>
>>>> -----Original Message-----
>>>> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
>>>> Sent: Thursday, April 04, 2013 12:35 PM
>>>> To: ADSM-L@VM.MARIST.EDU
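Alex's advice in the message above (copy the EKM keystore periodically, remotely, and preferably not onto TSM) can be scripted much like Zoltan's daily volhist/devconfig copies. This is an added example, not code from the thread or from IBM; the keystore path, staging directory and remote target are placeholders, and the copy is verified against a recorded SHA-256 so a silently corrupted keystore is never the one you depend on at DR time.

```shell
#!/bin/sh
# Added example (not from the ADSM-L thread): stage a timestamped copy of the
# EKM/TKLM keystore with a SHA-256 sidecar, verify it, ship it off-box, and
# keep a bounded number of older copies. All paths below are placeholders.
set -eu

# backup_keystore SRC DESTDIR -> prints the path of the verified staged copy
backup_keystore() {
    src=$1
    destdir=$2
    [ -r "$src" ] || { echo "keystore not readable: $src" >&2; return 1; }
    mkdir -p "$destdir"
    chmod 700 "$destdir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    copy="$destdir/$(basename "$src").$stamp"
    cp -p "$src" "$copy"
    chmod 600 "$copy"
    # Digest of the ORIGINAL, so the copy is checked against the source, not itself
    sha256sum "$src" | awk '{print $1}' > "$copy.sha256"
    verify_keystore "$copy" || { rm -f "$copy" "$copy.sha256"; return 1; }
    printf '%s\n' "$copy"
}

# verify_keystore COPY -> 0 if COPY still matches its recorded digest
verify_keystore() {
    copy=$1
    expected=$(cat "$copy.sha256")
    actual=$(sha256sum "$copy" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# prune_keystore_copies DESTDIR KEEP -> delete all but the newest KEEP copies
# (timestamped names sort lexically, so newest-first is a reverse sort)
prune_keystore_copies() {
    destdir=$1
    keep=$2
    ls -1 "$destdir"/*.sha256 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while read -r sidecar; do
        rm -f "$sidecar" "${sidecar%.sha256}"
    done
}

# ship_offsite COPY USER@HOST:DIR -> push the copy and its sidecar with scp.
# The remote host is an assumption; per Alex's advice it is not a TSM server.
ship_offsite() {
    scp -q "$1" "$1.sha256" "$2"
}

# Example daily cron body (placeholder paths; adjust for your site):
#   copy=$(backup_keystore /path/to/tklm/keystore.jceks /var/backups/ekm)
#   ship_offsite "$copy" ekmbackup@offsite.example.org:/srv/ekm-keystores/
#   prune_keystore_copies /var/backups/ekm 14

# Demo on a constructed keystore file (not a real JCEKS): sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    printf 'constructed keystore bytes\n' > "$work/keystore.jceks"
    staged=$(backup_keystore "$work/keystore.jceks" "$work/ekm-backups")
    echo "staged and verified: $staged"
    rm -rf "$work"
fi
```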
Re: Implementing Encryption
Be sure to create a Windows task or crontab script that copies your EKM keystore periodically and remotely. And preferably not to TSM. :-)

On 4/5/2013 6:30 AM, Zoltan Forray wrote:

Unfortunately, after discussing the choices with management, they decided to choose LME vs AME. So they want me to set up a Linux VM running EKM (onsite), as well as the EKM function on my offsite TSM server - fun...funfun

I know the 3494 config allows for a primary and secondary EKM and assume the TS3500 allows for at least this minimum config. At least they agree to wait until after the TS3500 is installed before implementing.

Time to dig into the EKM docs for setting things up. I saw in the 3494 LM setup I need TCP/IP ports 3801 (default) opened. Not sure about the other values like "Key Label Entry" and "Key Label"

On Thu, Apr 4, 2013 at 6:53 PM, Prather, Wanda wrote:

Correct.
Anything that has to be readable without accessing a live TSM DB, can't be encrypted with TSM, ergo backupsets, exports, DB backups.

And I don't know of any other reason not to choose TSM/App managed encryption. It's transparent, easy, free, and I've never run into any problems with it.

The tape internal label isn't encrypted, so there isn't even a problem if you have encrypted tapes in one pool and they go back to scratch and get used later in an un-encrypted pool. Set it and forget it. (But don't forget you have to turn on encryption in the TS3500 library partition first.)

W

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
Sent: Thursday, April 04, 2013 2:08 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

Thanks.

Other than the factor that certain tapes/processes are not encrypted (from the book when setting DRIVEE=ON - *Other types of volumes-for example, backup sets, export volumes, and database backup volumes-will not be encrypted.*) is there any reason not to choose "Application Managed Encryption"?

As I think I understand it, with AME/TSM managing the keys, they are stored on the DB backup tape, thus the reason to not encrypt it? Correct?

On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:

Here ya go. Buy the BIG bottle of aspirin.

http://www.redbooks.ibm.com/abstracts/sg247907.html?Open

And just as a follow up:

When you use TSM-managed encryption, it IS hardware based. Either TSM or TKLM, the encryption is done outboard by the drive itself.

The difference is who handles the encryption keys/certificates, TSM or the TKLM. And the question of what TSM tapes can be encrypted as a result.

W

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
Sent: Thursday, April 04, 2013 1:42 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

I apologize, when I said EKM, I meant TKLM, which is the current product replacement for the old EKM.

The only paint-by-number is a redbook for TKLM. Actually there are a couple, and you'll need aspirin.

I'll look up the numbers and get back to you.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
Sent: Thursday, April 04, 2013 12:35 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

Wanda,

As always, thanks for the detailed explanation. However, it brings up lots of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way we would go.

>>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.

Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..

>>> High learning curve. Lots of testing required to make sure you can recover.

Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the tapes are stored and daily each production TSM server does a DB backup to the offsite TSM server.

>>> But with the EKM, your security group ca
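The first sentence of the post above recommends a scheduled job that copies the EKM keystore somewhere that does not depend on TSM. The script below is an added example of such a job, not code from the thread or from IBM: it copies a keystore file under a timestamped name, restricts the copy to the owner, verifies the copy against a SHA-256 digest, and prunes old copies. The keystore path, destination directory and cron schedule are assumptions for illustration; the off-box push (rsync over SSH to a host other than the TSM server) is left as a comment because its target is site-specific.

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven copy of the EKM/TKLM
# keystore to a location that does not depend on TSM being up.
# All paths below are assumptions for illustration.
set -eu

# sum_of FILE : print the SHA-256 digest of FILE
sum_of() {
    sha256sum "$1" | awk '{print $1}'
}

# backup_keystore SRC DESTDIR
# Copies SRC into DESTDIR under a UTC timestamped name, makes the copy
# owner-only, verifies the copy by digest, and writes a .sha256 sidecar so a
# later restore can be checked. Prints the path of the copy; non-zero on failure.
backup_keystore() {
    src=$1
    destdir=$2
    [ -r "$src" ] || { echo "keystore not readable: $src" >&2; return 1; }
    mkdir -p "$destdir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    copy="$destdir/$(basename "$src").$stamp"
    cp -p "$src" "$copy"
    chmod 600 "$copy"
    src_sum=$(sum_of "$src")
    copy_sum=$(sum_of "$copy")
    if [ "$src_sum" != "$copy_sum" ]; then
        echo "copy verification failed for $copy" >&2
        rm -f "$copy"
        return 1
    fi
    echo "$copy_sum" > "$copy.sha256"
    echo "$copy"
}

# verify_keystore_copy COPY
# Recomputes the digest of COPY and compares it with the sidecar; non-zero if
# the copy was altered or the sidecar is missing.
verify_keystore_copy() {
    copy=$1
    [ -r "$copy.sha256" ] || return 1
    expected=$(cat "$copy.sha256")
    actual=$(sum_of "$copy")
    [ "$expected" = "$actual" ]
}

# prune_keystore_copies DESTDIR NAME KEEP
# Deletes all but the newest KEEP timestamped copies of NAME (and sidecars).
# The UTC timestamp suffix sorts lexically, so sort -r lists newest first.
prune_keystore_copies() {
    destdir=$1
    name=$2
    keep=$3
    ls -1 "$destdir"/"$name".* 2>/dev/null | grep -v '\.sha256$' | sort -r \
        | tail -n +"$((keep + 1))" | while IFS= read -r old; do
            rm -f "$old" "$old.sha256"
        done
}

# Assumed cron entry (nightly copy, then an off-box push to a host that is
# not the TSM server):
#   0 2 * * * /usr/local/sbin/backup_keystore.sh /var/ekm/keystore.jck /var/ekm-copies
#   5 2 * * * rsync -a /var/ekm-copies/ ekmcopy@offsite.example:/srv/ekm-copies/
if [ $# -ge 2 ]; then
    backup_keystore "$1" "$2"
    prune_keystore_copies "$2" "$(basename "$1")" 14
fi
```

The digest sidecar is what makes the copy useful at a DR site: before pointing a rebuilt EKM at a restored keystore, `verify_keystore_copy` confirms the file is the one that was written, not a truncated or altered copy.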
Re: Implementing Encryption
Unfortunately, after discussing the choices with management, they decided to choose LME vs AME. So they want me to set up a Linux VM running EKM (onsite), as well as the EKM function on my offsite TSM server - fun...funfun

I know the 3494 config allows for a primary and secondary EKM and assume the TS3500 allows for at least this minimum config. At least they agree to wait until after the TS3500 is installed before implementing.

Time to dig into the EKM docs for setting things up. I saw in the 3494 LM setup I need TCP/IP ports 3801 (default) opened. Not sure about the other values like "Key Label Entry" and "Key Label"

On Thu, Apr 4, 2013 at 6:53 PM, Prather, Wanda wrote:
> Correct.
> Anything that has to be readable without accessing a live TSM DB, can't be encrypted with TSM, ergo backupsets, exports, DB backups.
>
> And I don't know of any other reason not to choose TSM/App managed encryption.
> It's transparent, easy, free, and I've never run into any problems with it.
>
> The tape internal label isn't encrypted, so there isn't even a problem if you have encrypted tapes in one pool and they go back to scratch and get used later in an un-encrypted pool.
> Set it and forget it. (But don't forget you have to turn on encryption in the TS3500 library partition first.)
>
> W
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
> Sent: Thursday, April 04, 2013 2:08 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> Thanks.
>
> Other than the factor that certain tapes/processes are not encrypted (from the book when setting DRIVEE=ON - *Other types of volumes-for example, backup sets, export volumes, and database backup volumes-will not be encrypted.*)
>
> is there any reason not to choose "Application Managed Encryption"? As I think I understand it, with AME/TSM managing the keys, they are stored on the DB backup tape, thus the reason to not encrypt it? Correct?
>
> On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:
>
> > Here ya go. Buy the BIG bottle of aspirin.
> >
> > http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
> >
> > And just as a follow up:
> >
> > When you use TSM-managed encryption, it IS hardware based.
> > Either TSM or TKLM, the encryption is done outboard by the drive itself.
> >
> > The difference is who handles the encryption keys/certificates, TSM or the TKLM.
> > And the question of what TSM tapes can be encrypted as a result.
> >
> > W
> >
> > -----Original Message-----
> > From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
> > Sent: Thursday, April 04, 2013 1:42 PM
> > To: ADSM-L@VM.MARIST.EDU
> > Subject: Re: [ADSM-L] Implementing Encryption
> >
> > I apologize, when I said EKM, I meant TKLM, which is the current product replacement for the old EKM.
> >
> > The only paint-by-number is a redbook for TKLM.
> > Actually there are a couple, and you'll need aspirin.
> >
> > I'll look up the numbers and get back to you.
> >
> > -----Original Message-----
> > From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
> > Sent: Thursday, April 04, 2013 12:35 PM
> > To: ADSM-L@VM.MARIST.EDU
> > Subject: Re: [ADSM-L] Implementing Encryption
> >
> > Wanda,
> >
> > As always, thanks for the detailed explanation. However, it brings up lots of questions.
> >
> > >>> With externally-managed encryption, the keys are managed by the EKM.
> >
> > Since this would be hardware-based and encrypts everything, this is the way we would go.
> >
> > >>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.
> >
> > Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..
Re: Implementing Encryption
Correct.
Anything that has to be readable without accessing a live TSM DB, can't be encrypted with TSM, ergo backupsets, exports, DB backups.

And I don't know of any other reason not to choose TSM/App managed encryption. It's transparent, easy, free, and I've never run into any problems with it.

The tape internal label isn't encrypted, so there isn't even a problem if you have encrypted tapes in one pool and they go back to scratch and get used later in an un-encrypted pool. Set it and forget it. (But don't forget you have to turn on encryption in the TS3500 library partition first.)

W

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
Sent: Thursday, April 04, 2013 2:08 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

Thanks.

Other than the factor that certain tapes/processes are not encrypted (from the book when setting DRIVEE=ON - *Other types of volumes-for example, backup sets, export volumes, and database backup volumes-will not be encrypted.*) is there any reason not to choose "Application Managed Encryption"? As I think I understand it, with AME/TSM managing the keys, they are stored on the DB backup tape, thus the reason to not encrypt it? Correct?

On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:
> Here ya go. Buy the BIG bottle of aspirin.
>
> http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
>
> And just as a follow up:
>
> When you use TSM-managed encryption, it IS hardware based.
> Either TSM or TKLM, the encryption is done outboard by the drive itself.
>
> The difference is who handles the encryption keys/certificates, TSM or the TKLM.
> And the question of what TSM tapes can be encrypted as a result.
>
> W
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
> Sent: Thursday, April 04, 2013 1:42 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> I apologize, when I said EKM, I meant TKLM, which is the current product replacement for the old EKM.
>
> The only paint-by-number is a redbook for TKLM.
> Actually there are a couple, and you'll need aspirin.
>
> I'll look up the numbers and get back to you.
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
> Sent: Thursday, April 04, 2013 12:35 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> Wanda,
>
> As always, thanks for the detailed explanation. However, it brings up lots of questions.
>
> >>> With externally-managed encryption, the keys are managed by the EKM.
>
> Since this would be hardware-based and encrypts everything, this is the way we would go.
>
> >>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.
>
> Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..
>
> >>> High learning curve. Lots of testing required to make sure you can recover.
>
> Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to who and where..
>
> >>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> >>> (If you have a hot site, better to share the keys between the libraries.)
>
> More like a "lukewarm site" - I have an offsite vault/TSM server where the tapes are stored and daily each production TSM server does a DB backup to the offsite TSM server.
>
> >>> But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>
> This totally throws me off - I really need a "paint by numbers" diagram on how all the pieces connect - I have never dealt with encryption.
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wand
Re: Implementing Encryption
Thanks.

Other than the factor that certain tapes/processes are not encrypted (from the book when setting DRIVEE=ON - *Other types of volumes—for example, backup sets, export volumes, and database backup volumes—will not be encrypted.*) is there any reason not to choose "Application Managed Encryption"? As I think I understand it, with AME/TSM managing the keys, they are stored on the DB backup tape, thus the reason to not encrypt it? Correct?

On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:
> Here ya go. Buy the BIG bottle of aspirin.
>
> http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
>
> And just as a follow up:
>
> When you use TSM-managed encryption, it IS hardware based.
> Either TSM or TKLM, the encryption is done outboard by the drive itself.
>
> The difference is who handles the encryption keys/certificates, TSM or the TKLM.
> And the question of what TSM tapes can be encrypted as a result.
>
> W
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
> Sent: Thursday, April 04, 2013 1:42 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> I apologize, when I said EKM, I meant TKLM, which is the current product replacement for the old EKM.
>
> The only paint-by-number is a redbook for TKLM.
> Actually there are a couple, and you'll need aspirin.
>
> I'll look up the numbers and get back to you.
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
> Sent: Thursday, April 04, 2013 12:35 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> Wanda,
>
> As always, thanks for the detailed explanation. However, it brings up lots of questions.
>
> >>> With externally-managed encryption, the keys are managed by the EKM.
>
> Since this would be hardware-based and encrypts everything, this is the way we would go.
>
> >>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.
>
> Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..
>
> >>> High learning curve. Lots of testing required to make sure you can recover.
>
> Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to who and where..
>
> >>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> >>> (If you have a hot site, better to share the keys between the libraries.)
>
> More like a "lukewarm site" - I have an offsite vault/TSM server where the tapes are stored and daily each production TSM server does a DB backup to the offsite TSM server.
>
> >>> But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>
> This totally throws me off - I really need a "paint by numbers" diagram on how all the pieces connect - I have never dealt with encryption.
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>
> > With externally-managed encryption, the keys are managed by the EKM.
> > TSM doesn't know it's happening.
> > You set the encryption mode on the library to library-managed.
> > The EKM has to be run on a server. It is a pay-for product.
> > But the cost of the software is trivial compared to the implementation cost.
> > High learning curve. Lots of testing required to make sure you can recover.
> >
> > You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> > (If you have a hot site, better to share the keys between the libraries.)
> > It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes.
> > Test, test, CYA, test.
> > But wi
Re: Implementing Encryption
Thanks - that clears things up - a little bit - My question is, will the older EKM work with the TS3500? From what I have read in the TS3500 Planning Guide, it seems to imply it will.

On Thu, Apr 4, 2013 at 1:01 PM, Mike De Gasperis wrote:
> Forgot to include this link from IBM regarding their EKM support.
>
> http://www-01.ibm.com/support/docview.wss?uid=ssg1S4000504
>
> ----- Original Message -----
> Wanda,
>
> As always, thanks for the detailed explanation. However, it brings up lots of questions.
>
> >>> With externally-managed encryption, the keys are managed by the EKM.
>
> Since this would be hardware-based and encrypts everything, this is the way we would go.
>
> >>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.
>
> Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..
>
> >>> High learning curve. Lots of testing required to make sure you can recover.
>
> Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to who and where..
>
> >>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> >>> (If you have a hot site, better to share the keys between the libraries.)
>
> More like a "lukewarm site" - I have an offsite vault/TSM server where the tapes are stored and daily each production TSM server does a DB backup to the offsite TSM server.
>
> >>> But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>
> This totally throws me off - I really need a "paint by numbers" diagram on how all the pieces connect - I have never dealt with encryption.
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>
> > With externally-managed encryption, the keys are managed by the EKM.
> > TSM doesn't know it's happening.
> > You set the encryption mode on the library to library-managed.
> > The EKM has to be run on a server. It is a pay-for product.
> > But the cost of the software is trivial compared to the implementation cost.
> > High learning curve. Lots of testing required to make sure you can recover.
> >
> > You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> > (If you have a hot site, better to share the keys between the libraries.)
> > It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes.
> > Test, test, CYA, test.
> > But with the EKM, your security group can control the key management, certificate changing, etc.
> > And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html

--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html
Re: Implementing Encryption
Here ya go. Buy the BIG bottle of aspirin.

http://www.redbooks.ibm.com/abstracts/sg247907.html?Open

And just as a follow up:

When you use TSM-managed encryption, it IS hardware based. Either TSM or TKLM, the encryption is done outboard by the drive itself.

The difference is who handles the encryption keys/certificates, TSM or the TKLM. And the question of what TSM tapes can be encrypted as a result.

W

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
Sent: Thursday, April 04, 2013 1:42 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

I apologize, when I said EKM, I meant TKLM, which is the current product replacement for the old EKM.

The only paint-by-number is a redbook for TKLM. Actually there are a couple, and you'll need aspirin.

I'll look up the numbers and get back to you.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
Sent: Thursday, April 04, 2013 12:35 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

Wanda,

As always, thanks for the detailed explanation. However, it brings up lots of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way we would go.

>>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.

Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..

>>> High learning curve. Lots of testing required to make sure you can recover.

Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the tapes are stored and daily each production TSM server does a DB backup to the offsite TSM server.

>>> But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on how all the pieces connect - I have never dealt with encryption.

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server. It is a pay-for product.
> But the cost of the software is trivial compared to the implementation cost.
> High learning curve. Lots of testing required to make sure you can recover.
>
> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management, certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
Re: Implementing Encryption
I apologize, when I said EKM, I meant TKLM, which is the current product replacement for the old EKM.

The only paint-by-number is a redbook for TKLM. Actually there are a couple, and you'll need aspirin.

I'll look up the numbers and get back to you.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
Sent: Thursday, April 04, 2013 12:35 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

Wanda,

As always, thanks for the detailed explanation. However, it brings up lots of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way we would go.

>>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.

Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..

>>> High learning curve. Lots of testing required to make sure you can recover.

Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the tapes are stored and daily each production TSM server does a DB backup to the offsite TSM server.

>>> But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on how all the pieces connect - I have never dealt with encryption.

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server. It is a pay-for product.
> But the cost of the software is trivial compared to the implementation cost.
> High learning curve. Lots of testing required to make sure you can recover.
>
> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management, certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
Re: Implementing Encryption
Forgot to include this link from IBM regarding their EKM support.

http://www-01.ibm.com/support/docview.wss?uid=ssg1S4000504

----- Original Message -----
Wanda,

As always, thanks for the detailed explanation. However, it brings up lots of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way we would go.

>>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.

Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..

>>> High learning curve. Lots of testing required to make sure you can recover.

Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the tapes are stored and daily each production TSM server does a DB backup to the offsite TSM server.

>>> But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on how all the pieces connect - I have never dealt with encryption.

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server. It is a pay-for product.
> But the cost of the software is trivial compared to the implementation cost.
> High learning curve. Lots of testing required to make sure you can recover.
>
> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management, certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
Re: Implementing Encryption
I've never dealt with the EKM but it looks to be a legacy product that will be phased out by IBM. You'll want to look at the TKLM product which does require licensing for the drives that will be encrypting as well as for the actual TKLM servers themselves. We ended up setting up four TKLM servers in our environment. Two at our prod site and two at DR to protect against failure.

----- Original Message -----
Wanda,

As always, thanks for the detailed explanation. However, it brings up lots of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way we would go.

>>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.

Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it? As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers, do I need multiple instances - one per TSM server or just one and it gets everything from the 3494? I am confused..

>>> High learning curve. Lots of testing required to make sure you can recover.

Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the tapes are stored and daily each production TSM server does a DB backup to the offsite TSM server.

>>> But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on how all the pieces connect - I have never dealt with encryption.

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server. It is a pay-for product.
> But the cost of the software is trivial compared to the implementation cost.
> High learning curve. Lots of testing required to make sure you can recover.
>
> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management, certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
Re: Implementing Encryption
Wanda,

As always, thanks for the detailed explanation. However, it brings up lots of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way we would go.

>>> You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product.

Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody ever said anything about paying for it?

As I understand it, in this scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to talk to the tape library to get the keys from it (DRIVEE=ALLOW). When Googling, in one doc/comment we saw the person simply installed it on the TSM server. My question, since I am running 7 servers: do I need multiple instances, one per TSM server, or just one that gets everything from the 3494? I am confused.

>>> High learning curve. Lots of testing required to make sure you can recover.

Agreed. We are still digging through the docs on just installing and implementing EKM and who connects to whom and where.

>>> You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site": I have an offsite vault/TSM server where the tapes are stored, and daily each production TSM server does a DB backup to the offsite TSM server.

>>> But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

This totally throws me off. I really need a "paint by numbers" diagram on how all the pieces connect. I have never dealt with encryption.

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

--
Zoltan Forray
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html
Re: Implementing Encryption
Zoltan,

BTDTGTTS.

You first decide if you want to use TSM-managed or externally-managed (EKM) encryption.

With TSM encryption, it really is just as simple as creating a devclass and creating storage pools pointing to that devclass. (Plus you have to set the encryption mode on the logical library to application-managed.) TSM creates its own keys, stores them in the TSM DB, passes the keys to the drives and tells the drives to encrypt the tapes. The encryption is still done outboard by the hardware. Has the wonderful advantage of being simple, free, and unbreakable. Your hands never touch the keys; it's totally transparent to everybody. You can't hurt it. No implications for DR. No reason not to use it. TSM development doesn't get enough credit for making this easy and free.

OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT tapes, nor BACKUPSET tapes.

With externally-managed encryption, the keys are managed by the EKM. TSM doesn't know it's happening. You set the encryption mode on the library to library-managed. The EKM has to be run on a server. It is a pay-for product. But the cost of the software is trivial compared to the implementation cost. High learning curve. Lots of testing required to make sure you can recover.

You have to be careful about protecting the EKM; you have to recover the EKM at a DR site before you can read your tapes. (If you have a hot site, better to share the keys between the libraries.) It is possible (not likely, but possible) to get yourself in a DR situation where NOBODY, including IBM, can read those encrypted tapes. Test, test, CYA, test.

But with the EKM, your security group can control the key management, certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

So if you have a requirement for encrypting backupsets, you need the EKM. DEVCLASS change does not apply, as TSM knows nothing about the encryption.

If all you have is a requirement that BACKUP DATA on your storage pool tapes (which isn't included in a DB backup tape) gets encrypted so that if a tape falls off a truck there is no exposure to PII, choose TSM encryption and just turn it on.

W

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
Sent: Thursday, April 04, 2013 9:41 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Implementing Encryption
Re: Implementing Encryption
Hi Zoltan,

We used TSM encryption (application-based, on AIX TSM servers) and here are the steps we had to implement:

1. On the TSM server: Update DEVCLASS 3592CLASS2 drivee=on

2. On AIX:
   chdev -l 'rmt6' -a wrt_encryption='on'
   chdev -l 'rmt13' -a wrt_encryption='on'
   chdev -l 'rmt14' -a wrt_encryption='on'
   ('on' replaces the value 'custom')

3. Change at the hardware level: enable "Application" at the drive level: CE > Drv Options > Drive encryption > Method config > Application

Pierre Billaudeau

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray
Sent: April 4, 2013 09:41
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Implementing Encryption

--
Confidential information: This message, together with any attached file, is sent for the exclusive use of its intended recipient(s); it is confidential in nature and may constitute privileged information. Anyone other than the intended recipient is hereby notified that any review, forwarding, printing, copying, distribution or other use of this message and of any attached file is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail and delete this message and any attached document from your system. Thank you.
Implementing Encryption
I know this sounds strange, but we need to implement encryption on our TS1130 tapes. Never having done this, I need some help/suggestions/war-stories/etc. on how to basically turn encryption on. Is there a quick-and-dirty book on the subject?

I understand the first thing would be to change the devclass for the tape drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are library managers). Then I saw something about EKM to manage the keys. Is this also implemented on all TSM servers?

--
Zoltan Forray
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Tape drive encryption solutions - slightly OT
Hello

Just wanted to get some feedback from anyone with experience in doing tape drive encryption. We normally run TSM using IBM tape drives in a Quantum library. But we have a contractual requirement to deliver encrypted tapes in a standard tar format. Because this is a last-minute, once-off thing, we are looking for an easy and cheap way to set up tape drive encryption from the system level.

We are using IBM drivers, and I can see there is an ekm config file that points to an EKM server. But it's not clear what protocols/standards are used/required by the EKM server and which ones work, etc.

Any help would be appreciated

--
Grant Street
Senior Systems Engineer
T: +61 2 9383 4800 (main)
T: +61 2 938 34882 (direct)
F: +61 2 9383 4801 (fax)
See our latest work at http://www.animallogic.com/work
Re: TSM Image backup encryption
I had the same problems. I returned to v6.2.

On 08.01.2013 19:36, Yudi Darmadi wrote:
TSM Image backup encryption
Hi,

Please help: can TSM Image backup (on AIX B/A Client V6.3) use encryption? Existing file-level backups on that client work fine with encryption, but it seems the image backups can't be encrypted.

Regards,
Yudi
Re: Who is performing Client Based Encryption and Compression
I am not aware of any way to detect client-based encryption via a server-based query. However, you can see this from a client-side CLI query (DSMC Q BACKUP), so there must be information somewhere that reflects this.

For anyone considering SUR pricing (capacity-based), you might consider looking at TSM-based deduplication instead of VTL-based deduplication, as your TB license requirements will be lower. Or at least, that's what I was told by an IBMer describing the SUR pricing model to me. Granted, you would need a more powerful TSM server, but you could offset that cost by purchasing disk less expensively than a VTL vendor would charge.

..Paul

At 04:13 PM 11/28/2012, Harris, Chad wrote:

--
Paul Zarnowski
CIT Infrastructure / Storage Services
719 Rhodes Hall, Ithaca, NY 14853-3801
Ph: 607-255-4757
Fx: 607-255-8521
Em: p...@cornell.edu
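The thread offers no server-side query for client encryption. One client-side check, added here as an example and not taken from the list, is to audit each node's option file for the options the thread itself names (include.encrypt, encryptiontype, encryptkey, compression) and report nodes that encrypt without compressing. The option files below are constructed; the `*` comment convention is assumed, and `parse_options`, `classify` and `audit` are this example's own names.

```python
# Constructed sample dsm.opt contents keyed by node name (not real configurations).
SAMPLE_OPTION_FILES = {
    "NODE_A": """\
nodename NODE_A
compression yes
encryptiontype aes128
encryptkey generate
include.encrypt "c:\\data\\...\\*"
""",
    "NODE_B": """\
nodename NODE_B
* compression left off by the local admin
encryptiontype aes256
encryptkey save
include.encrypt *:\\...\\*
""",
    "NODE_C": """\
nodename NODE_C
* encryption lines commented out, as in the experiment upthread
* encryptkey generate
* include.encrypt "c:\\crypt\\...\\*"
compression no
""",
}


def parse_options(text):
    """Return (option, value) pairs from option-file text.

    Assumed conventions: lines starting with '*' are comments, option names
    are case-insensitive, and the value is the rest of the line.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        name, _, value = line.partition(" ")
        pairs.append((name.lower(), value.strip()))
    return pairs


def classify(text):
    """Decide whether a node encrypts and/or compresses on the client."""
    opts = parse_options(text)
    names = {name for name, _ in opts}
    # include.encrypt is what selects files for client encryption;
    # encryptiontype/encryptkey only say how, not whether.
    encrypts = "include.encrypt" in names
    compress_values = [v.lower() for n, v in opts if n == "compression"]
    compresses = bool(compress_values) and compress_values[-1] == "yes"
    key_mode = next((v.lower() for n, v in opts if n == "encryptkey"), None)
    return {"encrypts": encrypts, "compresses": compresses, "encryptkey": key_mode}


def audit(files):
    """Map node name -> classification for a set of option files."""
    return {node: classify(text) for node, text in files.items()}


def encrypt_only_nodes(files):
    """Nodes that encrypt but do not compress: the combination the thread
    is trying to find before moving data to a deduplicating VTL."""
    return sorted(
        node for node, c in audit(files).items() if c["encrypts"] and not c["compresses"]
    )


if __name__ == "__main__":
    for node, result in audit(SAMPLE_OPTION_FILES).items():
        print(node, result)
    print("encrypt-only:", encrypt_only_nodes(SAMPLE_OPTION_FILES))
```

In a real environment the dictionary would be filled from option files collected off each client, which is the only place the settings are visible according to the replies above.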
Re: Who is performing Client Based Encryption and Compression
Thank you all for your sage advice.

I am able to find the servers that are using compression; unfortunately though, some of my client admins have let it slip that they are not always using compression when they are setting up encryption, despite our best efforts to guide them that way.

Anyone else know a way to find nodes only performing client encryption?

Thanks again,
Chad

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@vm.marist.edu] On Behalf Of Bill Boyer
Sent: Wednesday, November 28, 2012 12:01 PM
To: ADSM-L@vm.marist.edu
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression
Re: Who is performing Client Based Encryption and Compression
You could start by getting a list of nodes that are set to either COMPRESSION=CLIENT or YES and those with DEDUPLICATION=CLIENTORSERVER. The default is SERVERONLY. Those would be good candidates to start with. You can't do client-side dedup without setting the node attribute.

Bill
"When the pin is pulled, Mr. Grenade is NOT your friend!" - USMC

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Ehresman,David E.
Sent: Wednesday, November 28, 2012 9:53 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression
Re: Who is performing Client Based Encryption and Compression
I think "q actlog begindate=today-ndays msgno=4968" is more efficient.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
Sent: Tuesday, November 27, 2012 5:18 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression
Who is performing Client Based Encryption and Compression
Fellow TSM Admins,

We are in the process of bringing VTLs into our TSM environment. In order to take full advantage of deduplication features on the VTL we need to go after the clients that are performing client-based encryption and compression. With that in mind, does anyone know an easy way to tell which clients are using these features?

Thanks,
Chad Harris
Re: Who is performing Client Based Encryption and Compression
For compression:

q actlog begindate=today-ndays search=ane4968

Non-zero values mean the client is compressing.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Harris, Chad
Sent: Tuesday, November 27, 2012 5:04 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Who is performing Client Based Encryption and Compression
Re: More tsm encryption questions
Depends on your goal for encryption. If you need it for encrypting during transport (or maybe use SSL), encrypted data at rest on your storage, data encrypted on the tapes going offsite, ... Yeah, the key is in the TSM DB, but you need to restore/rebuild TSM to be able to get it. Just dumping out the tape isn't going to get you any eye-readable material. Don't know if the auditors or lawyers would accept it, but it's better than nothing. I've referred to it in the past as the cheap managers' encryption scheme.

If you really need to lock it down, then hardware encryption is the way to go with an external key manager, but that co$t$, is vendor-specific as you need TKLM if you use IBM hardware, and you can't mix it if you go to a recovery site.

So it depends on what you're trying to accomplish and the budget you have.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Steven Langdale
Sent: Thursday, March 22, 2012 5:10 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] More tsm encryption questions

On 22 March 2012 19:57, Bill Boyer wrote:

> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Steven Langdale
> Sent: Thursday, March 22, 2012 2:21 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] More tsm encryption questions
>
> They restored because the client had an encryption key; delete that, or possibly the encryptiontype line, and you will be prompted for it.
>
> As for testing to see if they ARE encrypted, I think the client may say with a q backup (but not sure). The test I used was to try a restore after I had removed the key file.
>
> One aside: if you are using tape technology that compresses, the compression will go down the drain.
>
> Steven
>
> On 22 March 2012 18:01, Lee, Gary wrote:
>
> > Ok. Think I have encryption working.
> >
> > Tried the following experiment.
> >
> > 1. Added these lines to dsm.opt
> >
> > encryptiontype aes128
> > encryptkey generate
> > include.encrypt "c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*"
> >
> > 2. Did an incremental backup to pick up the crypt folder just created and filled.
> >
> > 3. Deleted all files starting with "phon".
> >
> > 4. Restored files starting with phon back to the crypt folder. Went well.
> >
> > 5. Commented all encryption-related lines out of dsm.opt.
> >
> > 6. Removed phone* from the crypt folder again.
> >
> > 7. Restored phone* back to the crypt folder.
> >
> > I thought that with encryption lines removed from dsm.opt, either the encrypted files wouldn't restore, or would be restored as garbage. Not so. Restored perfectly.
> >
> > What have I missed?
> > Also, is there a way to verify that the specified files are truly encrypted?
> >
> > Thanks again for the assistance.
> >
> > Gary Lee
> > Senior System Programmer
> > Ball State University
> > phone: 765-285-1310
Re: More tsm encryption questions
>> I'm struggling to see what use generate is. What's the point of encrypting the data when the key is handed out whenever a restore is performed?

Well, it prevents anybody who doesn't have access to the console of that machine from restoring the data, esp. to a different machine.

If you don't use generate, then the backup can't be run by the scheduler because there is no one there to answer the prompt for the key. If you want to do a manual backup and supply the key, specify encryptkey prompt.

Here is info you can use to verify whether the data is encrypted:
http://adsm.org/lists/html/ADSM-L/2009-03/msg00425.html

>> That must be why I've only ever used "encryptkey save" in the past.

On 22 March 2012 19:57, Bill Boyer wrote:
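A small model, added here and not from the thread, of the two key-handling behaviours discussed above: Bill's description of ENCRYPTKEY GENERATE (a fresh key per backup that travels with the data stream, so Gary's restore worked with every encryption line commented out) and Wanda's alternative of a saved or prompted key that the restoring client must supply. It runs with the standard library only, using an HMAC-SHA256 counter-mode keystream plus PBKDF2 as stand-ins for the client's AES-128 and its local key store; `backup_generate`, `backup_saved_key`, `restore` and `can_restore_without_local_key` are the model's own names, not the client's.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16          # 128-bit key, matching "encryptiontype aes128" in the thread
BLOCK = 32            # bytes of keystream per HMAC-SHA256 call
PBKDF2_ROUNDS = 100_000


def _keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for AES;
    the same call encrypts and decrypts)."""
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), BLOCK)):
        ks = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def _tag(key, nonce, ciphertext):
    # Integrity tag under a separately derived MAC key, so a wrong key is
    # detected at restore time instead of silently producing garbage.
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def _seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    return {"nonce": nonce, "ciphertext": ct, "tag": _tag(key, nonce, ct)}


def _open(key, obj):
    if not hmac.compare_digest(_tag(key, obj["nonce"], obj["ciphertext"]), obj["tag"]):
        raise ValueError("encryption key does not match this object")
    return _keystream_xor(key, obj["nonce"], obj["ciphertext"])


def _derive_key(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, KEY_LEN)


def backup_generate(plaintext):
    """ENCRYPTKEY GENERATE as the thread describes it: a random key created at
    backup time and kept with the stored data stream (modelled as a field on
    the stored object), so the restoring client has nothing to supply."""
    key = secrets.token_bytes(KEY_LEN)
    obj = _seal(key, plaintext)
    obj["mode"] = "generate"
    obj["embedded_key"] = key
    return obj


def backup_saved_key(plaintext, passphrase):
    """ENCRYPTKEY SAVE / PROMPT modelled as a key derived from a secret the
    client holds; only the salt is stored with the data, never the key."""
    salt = secrets.token_bytes(16)
    obj = _seal(_derive_key(passphrase, salt), plaintext)
    obj["mode"] = "saved"
    obj["salt"] = salt
    return obj


def restore(obj, passphrase=None):
    """Restore as the client would: GENERATE needs nothing local, while a
    saved/prompted key fails closed when the client cannot supply it."""
    if obj["mode"] == "generate":
        return _open(obj["embedded_key"], obj)
    if passphrase is None:
        raise ValueError("no encryption key available on this client")
    return _open(_derive_key(passphrase, obj["salt"]), obj)


def can_restore_without_local_key(obj):
    """Gary's experiment: every encryption line removed from dsm.opt, then a
    restore. True means the restore still succeeds."""
    try:
        restore(obj)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    sample = b"phone list (constructed sample data)"
    print("generate, no local key:", can_restore_without_local_key(backup_generate(sample)))
    print("saved key, no local key:", can_restore_without_local_key(backup_saved_key(sample, "pw")))
```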
Re: More tsm encryption questions
Well, there you go. You're spot on there, Bill!

I'm struggling to see what use generate is. What's the point of encrypting the data when the key is handed out whenever a restore is performed?

That must be why I've only ever used "encryptkey save" in the past.

On 22 March 2012 19:57, Bill Boyer wrote:
Re: More tsm encryption questions
With the ENCRYPTKEY GENERATE specified the client creates the key at the beginning of the backup and that key is kept with the data stream stored on the TSM server. When you restore this the key in the data stream is used. I believe they also refer to this as transparent encryption.

The include.encrypt will only affect future backups, not any backups already encrypted and stored on the TSM server.

Bill Boyer
"There are 10 kinds of people in the world. Those that understand binary and those that don't." - ??

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Steven Langdale
Sent: Thursday, March 22, 2012 2:21 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] More tsm encryption questions

They restored because the client had an encryption key; delete that, or possibly the encryptiontype line, and you will be prompted for it.

As for testing to see if they ARE encrypted, I think the client may say with a q backup (but not sure). The test I used was to try a restore after I had removed the key file.

One aside, if you are using tape technology that compresses, the compression will go down the drain.

Steven

On 22 March 2012 18:01, Lee, Gary wrote:
> Ok. Think I have encryption working.
>
> Tried the following experiment.
>
> 1. Added these lines to dsm.opt
>
>    encryptiontype aes128
>    encryptkey generate
>    include.encrypt "c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*"
>
> 2. Did an incremental backup to pick up the crypt folder just created and filled.
>
> 3. Deleted all files starting with "phon".
>
> 4. Restored files starting with phon back to crypt folder. Went well.
>
> 5. Commented all encryption related lines out of dsm.opt.
>
> 6. Removed phone* from crypt folder again.
>
> 7. Restored phone* back to crypt folder.
>
> I thought that with encryption lines removed from dsm.opt, either the encrypted files wouldn't restore, or would be restored as garbage. Not so. Restored perfectly.
>
> What have I missed?
> Also, is there a way to verify that the specified files are truly encrypted?
>
> Thanks again for the assistance.
>
> Gary Lee
> Senior System Programmer
> Ball State University
> phone: 765-285-1310
Re: More tsm encryption questions
They restored because the client had an encryption key; delete that, or possibly the encryptiontype line, and you will be prompted for it.

As for testing to see if they ARE encrypted, I think the client may say with a q backup (but not sure). The test I used was to try a restore after I had removed the key file.

One aside, if you are using tape technology that compresses, the compression will go down the drain.

Steven

On 22 March 2012 18:01, Lee, Gary wrote:
> Ok. Think I have encryption working.
>
> Tried the following experiment.
>
> 1. Added these lines to dsm.opt
>
>    encryptiontype aes128
>    encryptkey generate
>    include.encrypt "c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*"
>
> 2. Did an incremental backup to pick up the crypt folder just created and filled.
>
> 3. Deleted all files starting with "phon".
>
> 4. Restored files starting with phon back to crypt folder. Went well.
>
> 5. Commented all encryption related lines out of dsm.opt.
>
> 6. Removed phone* from crypt folder again.
>
> 7. Restored phone* back to crypt folder.
>
> I thought that with encryption lines removed from dsm.opt, either the encrypted files wouldn't restore, or would be restored as garbage. Not so. Restored perfectly.
>
> What have I missed?
> Also, is there a way to verify that the specified files are truly encrypted?
>
> Thanks again for the assistance.
>
> Gary Lee
> Senior System Programmer
> Ball State University
> phone: 765-285-1310
More tsm encryption questions
Ok. Think I have encryption working.

Tried the following experiment.

1. Added these lines to dsm.opt

   encryptiontype aes128
   encryptkey generate
   include.encrypt "c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*"

2. Did an incremental backup to pick up the crypt folder just created and filled.

3. Deleted all files starting with "phon".

4. Restored files starting with phon back to crypt folder. Went well.

5. Commented all encryption related lines out of dsm.opt.

6. Removed phone* from crypt folder again.

7. Restored phone* back to crypt folder.

I thought that with encryption lines removed from dsm.opt, either the encrypted files wouldn't restore, or would be restored as garbage. Not so. Restored perfectly.

What have I missed?
Also, is there a way to verify that the specified files are truly encrypted?

Thanks again for the assistance.

Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310
Re: Encryption include clarification
Yep, in filenames, not in directory names.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Lee, Gary
Sent: Thursday, March 22, 2012 11:07 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption include clarification

Thanks to Wanda for the solution. I forgot about ...
So finally, "*" matches everything, as always in unix, linux, etc.

Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
Sent: Thursday, March 22, 2012 11:01 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption include clarification

... is a wildcard for subdirectories.

Do not use the notation *.*, as that pattern will only match files with a . in the name. (There is a lot of old incorrect doc out there with that notation left over from pre-long-file-name Windows, but don't use it.)

What you want is:

   Include.encrypt "c:\crypt\...\*"

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Lee, Gary
Sent: Thursday, March 22, 2012 10:55 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption include clarification

I wish to encrypt all files in c:\crypt and all its subdirectories. If I read the client manual correctly, this will take two include.encrypt statements as follows:

   Include.encrypt "c:\crypt\*.*"
   Include.encrypt "c:\crypt\"

Is this correct? If not, where have I gone wrong?

Thanks for the help.

Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310
Re: Encryption include clarification
Thanks to Wanda for the solution. I forgot about ...
So finally, "*" matches everything, as always in unix, linux, etc.

Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Prather, Wanda
Sent: Thursday, March 22, 2012 11:01 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption include clarification

... is a wildcard for subdirectories.

Do not use the notation *.*, as that pattern will only match files with a . in the name. (There is a lot of old incorrect doc out there with that notation left over from pre-long-file-name Windows, but don't use it.)

What you want is:

   Include.encrypt "c:\crypt\...\*"

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Lee, Gary
Sent: Thursday, March 22, 2012 10:55 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption include clarification

I wish to encrypt all files in c:\crypt and all its subdirectories. If I read the client manual correctly, this will take two include.encrypt statements as follows:

   Include.encrypt "c:\crypt\*.*"
   Include.encrypt "c:\crypt\"

Is this correct? If not, where have I gone wrong?

Thanks for the help.

Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310
Re: Encryption include clarification
... is a wildcard for subdirectories.

Do not use the notation *.*, as that pattern will only match files with a . in the name. (There is a lot of old incorrect doc out there with that notation left over from pre-long-file-name Windows, but don't use it.)

What you want is:

   Include.encrypt "c:\crypt\...\*"

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Lee, Gary
Sent: Thursday, March 22, 2012 10:55 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption include clarification

I wish to encrypt all files in c:\crypt and all its subdirectories. If I read the client manual correctly, this will take two include.encrypt statements as follows:

   Include.encrypt "c:\crypt\*.*"
   Include.encrypt "c:\crypt\"

Is this correct? If not, where have I gone wrong?

Thanks for the help.

Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310
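The difference Wanda describes between "c:\crypt\*.*" and "c:\crypt\...\*" is easy to check before trusting an include.encrypt line. The following Python matcher is an added example, not code from the list or from the TSM client; it models the wildcard rules named in the thread ("..." for zero or more directory levels, "*" within one name) against a set of constructed sample paths, and reports which files a given pattern would leave unencrypted.

```python
import re
from typing import Iterable, List


def tsm_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a TSM Windows client include/exclude pattern into a regex.

    Wildcard rules modelled here (assumed from the client manual semantics
    discussed in the thread):
      ...  matches zero or more directory levels
      *    matches zero or more characters within one file or directory name
      ?    matches exactly one character within one name
    Matching is case-insensitive, like Windows paths.
    """
    parts = pattern.split("\\")
    pieces: List[str] = []
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "...":
            # Zero or more directories, each one terminated by a backslash.
            pieces.append(r"(?:[^\\]*\\)*")
            continue
        seg = ""
        for ch in part:
            if ch == "*":
                seg += r"[^\\]*"        # never crosses a directory boundary
            elif ch == "?":
                seg += r"[^\\]"
            else:
                seg += re.escape(ch)
        pieces.append(seg if last else seg + r"\\")
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def tsm_match(pattern: str, path: str) -> bool:
    """True if the include.encrypt pattern would select this file."""
    return tsm_pattern_to_regex(pattern).match(path) is not None


def unmatched_files(pattern: str, paths: Iterable[str]) -> List[str]:
    """Files the pattern leaves out, i.e. files that would NOT be encrypted."""
    return [p for p in paths if not tsm_match(pattern, p)]


# Constructed sample paths under the c:\crypt tree from the thread.
SAMPLE_PATHS = [
    r"c:\crypt\phone.txt",
    r"c:\crypt\README",             # no dot in the name
    r"c:\crypt\sub\phone2.txt",     # one directory level down
    r"c:\crypt\sub\deeper\notes",   # two levels down, no dot
    r"c:\other\phone.txt",          # outside the tree: must never match
]

if __name__ == "__main__":
    for pat in (r"c:\crypt\*.*", r"c:\crypt\...\*"):
        print(f"{pat!r} leaves unencrypted: {unmatched_files(pat, SAMPLE_PATHS)}")
```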
Encryption include clarification
I wish to encrypt all files in c:\crypt and all its subdirectories. If I read the client manual correctly, this will take two include.encrypt statements as follows:

   Include.encrypt "c:\crypt\*.*"
   Include.encrypt "c:\crypt\"

Is this correct? If not, where have I gone wrong?

Thanks for the help.

Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310
Re: Detect client-level encryption from the TSM server?
For TSM 5.5.6:

- encryption for files only, from the client:

   dsmc query backup "/" -detail -traceflags=query

- for TDP for Oracle, on the TSM Server:

   Q ACTLOG OR=CLIENT NODE=

  and check the end of the "backup/restore details ...." lines for "Encryption: AES_128BIT"

Good luck!

Grigori G. Solonovitch
Senior Technical Architect
Ahli United Bank Kuwait
www.ahliunited.com.kw

Please consider the environment before printing this E-mail

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Keith Arbogast
Sent: 08 02 2012 11:52 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Detect client-level encryption from the TSM server?

Can one detect from the TSM server whether client-level encryption is set on or off for each backup node? Inquiring security admins want to know.

With my thanks and best wishes,
Keith Arbogast
Indiana University

CONFIDENTIALITY AND WAIVER: The information contained in this electronic mail message and any attachments hereto may be legally privileged and confidential. The information is intended only for the recipient(s) named in this message. If you are not the intended recipient you are notified that any use, disclosure, copying or distribution is prohibited. If you have received this in error please contact the sender and delete this message and any attachments from your computer system. We do not guarantee that this message or any attachment to it is secure or free from errors, computer viruses or other conditions that may damage or interfere with data, hardware or software.
Re: Detect client-level encryption from the TSM server?
Keith,

This is not something that the TSM admin controls, and it is not enabled by node. The only way I know of to detect encrypted files is from the client-side DSMC CLI. E.g., dsmc query backup -detail should show you which files are encrypted and using what encryption algorithm. I do not think this will show you how the encryption keys are managed, however.

Note that if a file is backed up unencrypted, adding an "include.encrypt" rule to encrypt it does not automatically cause that file to be backed up again using encryption. The addition of the encryption include is not recognized by TSM as a reason to back up the file. We have had more than one user surprised by this.

Paul Zarnowski
Cornell University

At 03:52 PM 2/8/2012, Keith Arbogast wrote:
> Can one detect from the TSM server whether client-level encryption is set on or off for each backup node? Inquiring security admins want to know.
>
> With my thanks and best wishes,
> Keith Arbogast
> Indiana University

--
Paul Zarnowski                      Ph: 607-255-4757
Manager, Storage Services           Fx: 607-255-8521
719 Rhodes Hall, Ithaca, NY 14853-3801   Em: p...@cornell.edu
Detect client-level encryption from the TSM server?
Can one detect from the TSM server whether client-level encryption is set on or off for each backup node? Inquiring security admins want to know.

With my thanks and best wishes,
Keith Arbogast
Indiana University
Backupset encryption - quick question
Hi all,

I need to transport a backup set and need at least some basic encryption. Before I do a load of testing, I thought I'd ask the group.

Does anyone know if client side encryption ("include.encrypt") works with backup sets, or rather, can you restore the stuff? I'll be restoring via a locally attached drive.

Thanks
Steven
Re: Any default encryption for TSM server??
I would say there are 4 types of encryption. (Chapter 14 in the 5.5 Admin Guide covers a lot of this.)

- TSM Client level encryption (using the include.encrypt and various client options). Data is encrypted before sending to the TSM server. (software based)
- TSM Server level encryption (using the devclass DRIVEEncryption option). This is done at the devclass/stgpool level (i.e. DB Backups are not encrypted). (hardware based)
- AIX System level. Encryption is handled at the Atape level. (hardware based)
- Library managed (completely transparent to TSM). (hardware based)

1- No default encryption.
2- Each method will have its own way to check. The way we proved to our auditors involved documenting an attempt to restore without the keys (which failed).
3- These have nothing to do with encryption. These are basic client files. Refer to the TSM Client manual.

Regards,
Shawn

Shawn Drew

Internet
tsm-fo...@backupcentral.com
Sent by: ADSM-L@VM.MARIST.EDU
08/09/2011 09:22 PM
Please respond to ADSM-L@VM.MARIST.EDU

To: ADSM-L
cc:
Subject: [ADSM-L] Any default encryption for TSM server??

I conclude that TSM encryption can be categorised into two types:
1) Software/application layer encryption
2) Hardware layer encryption (tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default encryption if we never configure any setting to enable the software/application layer and no license key has been bought for the hardware layer to do encryption?
2) If software/application encryption was configured or installed on the server, how can we check it? (e.g. maybe there are some files or a command able to show it; please show me the way to check whether encryption is enabled or not to protect the data.)
3) Can you tell me where these files are and what their content is about:
- TSM.PWD
- Dsm.sys
- Dsm.opt
And what do INCLUDE.ENCRYPT and EXCLUDE.ENCRYPT statements mean? Where are they? And the last question is which file contains the encryptkey and encryptiontype parameters?

+--
|This was sent by terrancey...@yahoo.com via Backup Central.
|Forward SPAM to ab...@backupcentral.com.
+--

This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) not therefore be liable for the message if modified. Please note that certain functions and services for BNP Paribas may be performed by BNP Paribas RCC, Inc.
Re: Any default encryption for TSM server??
There is no default encryption on TSM Server. For hardware encryption you need to look into drive configuration. Software encryption is supported by TSM Client and TDP (API).

For example, we need to encrypt all information related to Oracle databases on an AIX logical partition (database dumps and database backups via TDPO). Configuration steps are (encryption keys are kept in the TSM database):

1) To enable the possibility of encryption for AIX file systems, add the next lines into /usr/tivoli/tm/ba/bin64/dsm.sys:

   Nodename LPAR05
   Encryptiontype AES128
   Encryptkey generate
   InclExcl /backup/tsm/ba/InclExcl.list

2) To enable the possibility of encryption for TDP for Oracle backups, add the next lines into /usr/tivoli/tsm/api/bin64/dsm.sys:

   NODENAME LPAR05_ORA
   Encryptiontype AES128
   Encryptkey generate
   Inclexcl /backup/tsm/ba/InclExcl.list

3) Set encryption for database dumps and TDPO backups in the include/exclude list /backup/tsm/ba/InclExcl.list:

   include * AIX
   include /.../* FSLPAR05
   include /ifns_ifns/.../* DBLPAR05
   include /patm_patm/.../* DBLPAR05
   include /ptel_ptel/.../* DBLPAR05
   include.encrypt /ifns_ifns/.../*
   include.encrypt /patm_patm/.../*
   include.encrypt /ptel_ptel/.../*
   include.encrypt *.dmp.Z

Note, there are 3 databases with file space names ifns_ifns, patm_patm and ptel_ptel (names are defined in the TDPO configuration file). In addition, all database dumps are kept in compressed files *.dmp.Z. The list of encrypted files can be expanded by adding INCLUDE.ENCRYPT lines into the include/exclude list.

To check encryption for databases:

   q act or=client node=LPAR05_ORA begind=08/09/2011

   .
   Date/Time: 08/09/2011 15:44:51
   Message: ANE4991I (Session: 42231, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for Oracle: (9216226): =>(LPAR05_ORA) ANU2526I Backup details for backup piece /ifns_ifns///LPAR05/ifns.09.1.58075.1.758734242 (database "IFNSDB"). Total bytes sent: 9756213248. Total processing time: 00:14:06. Throughput rate: 11261.88Kb/Sec. Compressed: Yes , 61%. Encryption: AES_128BIT. LAN-Free: No.(SESSION: 42231)
   ..
   Date/Time: 08/09/2011 16:05:32
   Message: ANE4991I (Session: 44685, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for Oracle: (10055750): =>(LPAR05_ORA) ANU2526I Backup details for backup piece /patm_patm///LPAR05/Archive_patm.09.50832.1.758736133 (database "PATMDB"). Total bytes sent: 3064201216. Total processing time: 00:03:17. Throughput rate: 15189.77Kb/Sec. Compressed: Yes , 54%. Encryption: AES_128BIT. LAN-Free: No.(SESSION: 44685)

To check encryption for database dumps:

   dsmc query backup "/home/users05/fnsonli/backup/*.dmp.Z" -detail -traceflags=query
   dsmc query backup "/backup05/exp/patm/*.dmp.Z" -detail -traceflags=query
   dsmc query backup "/backup05/exp/ptel/*.dmp.Z" -detail -traceflags=query
   dsmc query backup "/backup05/exp/ptel/*.log" -detail -traceflags=query

For example, prove_encryption.sh gives:

   IBM Tivoli Storage Manager
   Command Line Backup-Archive Client Interface
   Client Version 6, Release 2, Level 2.0
   Client date/time: 08/10/11 13:20:20
   (c) Copyright by IBM Corporation and other(s) 1990, 2010. All Rights Reserved.

   Node Name: LPAR05
   Session established with server BKME: AIX-RS/6000
   Server Version 5, Release 5, Level 5.2
   Data compression forced on by the server
   Server date/time: 08/10/11 13:20:20  Last access: 08/09/11 16:49:09

   Size                Backup Date        Mgmt Class   A/I  File
   ----                -----------        ----------   ---  ----
   13,012,947,599 B    08/09/11 16:30:00  FSLPAR05     A    /home/users05/fnsonli/backup/expfns1.dmp.Z
       Modified: 08/09/11 01:25:29  Accessed: 08/08/11 16:42:19
       Compressed: NO  Encryption Type: 128-bit AES  Client-deduplicated: NO
   ...

I hope this will answer all your questions.

Grigori G. Solonovitch

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of terrance
Sent: Wednesday, August 10, 2011 4:22 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Any default encryption for TSM server??

I conclude that TSM encryption can be categorised into two types:
1) Software/application layer encryption
2) Hardware layer encryption (tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default encryption if we never configure any setting to enable the software/application layer and no license key has been bought for the hardware layer to do encryption?
2) If software/application encryption was configured or installed on the server, how can we check it? (e.g. maybe there are some files or a command able to show it; please show me the way to check whether encryption is enabled or not to protect the data.)
3) Can you tell me where are these f
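Grigori's two checks (the ANU2526I "Backup details" lines in the server activity log, and the "Encryption Type" line of dsmc query backup -detail on the client) are the kind of evidence an auditor asks for, and both can be read mechanically. The following Python audit pass is an added example, not code from the list or from IBM: the AES sample lines are taken from the thread, while the EXAMPLE_ORA record, the second file and their "None" encryption values are constructed, and the exact wording TSM prints for an unencrypted object is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of "q actlog or=client node=..." output.  The first line
# is the ANU2526I record from the thread; the second is constructed (node
# EXAMPLE_ORA) and its "Encryption: None" wording is an assumption.
ACTLOG_SAMPLE = """\
08/09/2011 15:44:51 ANE4991I (Session: 42231, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for Oracle: (9216226): =>(LPAR05_ORA) ANU2526I Backup details for backup piece /ifns_ifns///LPAR05/ifns.09.1.58075.1.758734242 (database "IFNSDB"). Total bytes sent: 9756213248. Total processing time: 00:14:06. Throughput rate: 11261.88Kb/Sec. Compressed: Yes , 61%. Encryption: AES_128BIT. LAN-Free: No.(SESSION: 42231)
08/10/2011 02:00:00 ANE4991I (Session: 99999, Node: EXAMPLE_ORA) TDP Oracle AIX ANU0599 TDP for Oracle: (1): =>(EXAMPLE_ORA) ANU2526I Backup details for backup piece /exdb_exdb///EXAMPLE/exdb.01.1.1.1.1 (database "EXDB"). Total bytes sent: 1048576. Total processing time: 00:00:01. Throughput rate: 1024.00Kb/Sec. Compressed: No. Encryption: None. LAN-Free: No.(SESSION: 99999)
"""

# Constructed sample of "dsmc query backup ... -detail" output, modelled on the
# thread's prove_encryption.sh listing; the second file and its
# "Encryption Type: None" line are assumptions.
DSMC_SAMPLE = """\
Node Name: LPAR05
Session established with server BKME: AIX-RS/6000

   Size                Backup Date        Mgmt Class   A/I  File
   ----                -----------        ----------   ---  ----
   13,012,947,599 B    08/09/11 16:30:00  FSLPAR05     A    /home/users05/fnsonli/backup/expfns1.dmp.Z
       Modified: 08/09/11 01:25:29  Accessed: 08/08/11 16:42:19
       Compressed: NO  Encryption Type: 128-bit AES  Client-deduplicated: NO
   2,048,000 B         08/01/11 02:00:00  FSLPAR05     A    /backup05/exp/patm/example_old.dmp.Z
       Modified: 08/01/11 01:00:00  Accessed: 08/01/11 01:30:00
       Compressed: NO  Encryption Type: None  Client-deduplicated: NO
"""

ACTLOG_RE = re.compile(
    r"Node: (?P<node>[^)]+)\).*?backup piece (?P<piece>\S+) .*?Encryption: (?P<enc>[^.]+)\."
)
NODE_RE = re.compile(r"^\s*Node Name:\s*(?P<node>\S+)")
DSMC_FILE_RE = re.compile(r"^\s*[\d,]+ B\s+\S+ \S+\s+\S+\s+[AI]\s+(?P<path>\S+)\s*$")
DSMC_ENC_RE = re.compile(r"Encryption Type:\s*(?P<enc>.+?)\s+Client-deduplicated:")


@dataclass
class BackupRecord:
    source: str        # "actlog" (server side) or "dsmc" (client side)
    node: str
    obj: str           # TDP backup piece or backed-up file path
    encryption: str    # value exactly as reported

    @property
    def encrypted(self) -> bool:
        # "AES_128BIT" in the activity log, "128-bit AES" in dsmc output.
        return "AES" in self.encryption.upper()


def parse_actlog(text: str) -> List[BackupRecord]:
    """Pull node, backup piece and encryption out of ANU2526I detail lines."""
    records = []
    for line in text.splitlines():
        m = ACTLOG_RE.search(line)
        if m:
            records.append(BackupRecord("actlog", m["node"], m["piece"], m["enc"].strip()))
    return records


def parse_dsmc_query(text: str) -> List[BackupRecord]:
    """Pair each file line of dsmc query backup -detail with its detail line."""
    records: List[BackupRecord] = []
    node = "?"
    for line in text.splitlines():
        nm = NODE_RE.match(line)
        if nm:
            node = nm["node"]
            continue
        fm = DSMC_FILE_RE.match(line)
        if fm:
            records.append(BackupRecord("dsmc", node, fm["path"], "unknown"))
            continue
        em = DSMC_ENC_RE.search(line)
        if em and records:
            records[-1].encryption = em["enc"].strip()
    return records


def unencrypted(records: List[BackupRecord]) -> List[str]:
    """Objects with no AES reported: what an auditor needs to raise."""
    return [f"{r.node}:{r.obj}" for r in records if not r.encrypted]


if __name__ == "__main__":
    found = parse_actlog(ACTLOG_SAMPLE) + parse_dsmc_query(DSMC_SAMPLE)
    for r in found:
        print(f"{r.source:6} {r.node:12} {r.encryption:12} {r.obj}")
    print("NOT encrypted:", unencrypted(found))
```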
Any default encryption for TSM server??
Can anyone tell me what the steps are to restore the data from tape? Let's say that the tape is lost, and even the catalog tape is lost together with it. Is it possible for an outsider to retrieve the data using both of the tapes? (As I know, the encryption key will be stored inside the catalog and backed up to a tape) << (correct?)

Can the catalog only be retrieved by a particular account inside the same TSM server? So different TSM server, different account and password. So does it make sense that the outsider is unable to retrieve data on a server different from the original server?
Any default encryption for TSM server??
I conclude that TSM encryption can be categorised into two types:
1) Software/application layer encryption
2) Hardware layer encryption (tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default encryption if we never configure any setting to enable the software/application layer and no license key has been bought for the hardware layer to do encryption?
2) If software/application encryption was configured or installed on the server, how can we check it? (e.g. maybe there are some files or a command able to show it; please show me the way to check whether encryption is enabled or not to protect the data.)
3) Can you tell me where these files are and what their content is about:
- TSM.PWD
- Dsm.sys
- Dsm.opt
And what do INCLUDE.ENCRYPT and EXCLUDE.ENCRYPT statements mean? Where are they? And the last question is which file contains the encryptkey and encryptiontype parameters?
Verifying IBM TSM Encryption types
I checked my TSM server with this command, "q devclass f=d", and it shows that Drive Encryption is set ON. So I know that my TSM server is using the AME method to encrypt the data. But are there any prerequisites and configuration steps to achieve it?
Verifying IBM TSM Encryption types
1) Are there any prerequisites or conditions required before the data is encrypted? According to my understanding, TSM is a storage manager server, so does any driver or software need to be installed or configured to enable the encryption method, either on the client side or the drive side?

2) According to the information I found, EKM must be installed before configuring TSM with LME and SME. So at this stage how can I verify or justify that EKM is installed on the TSM server?
Re: Verifying IBM TSM Encryption types
On Aug 1, 2011, at 10:59 PM, terrance wrote:
> So what you mean is the TSM server doesn't have its own encryption, and instead is helped by the drive or client side encryption?
> ...

The Administrator's Guide for your given TSM release will describe encryption opportunities available from the standpoint of the TSM server. The server developers don't waste time creating functionality which is provided by other means, such as tape drives (let the hardware do the work) or the client (where data must be secure in network conveyance and disk storage pool residency). Certainly, it's possible to encrypt data twice, just as it can be subjected to multiple phases of processing performing compression in passing data.

Richard Sims
Verifying IBM TSM Encryption types
So what you mean is the TSM server doesn't have its own encryption, and instead is helped by the drive or client side encryption?

1) What I mean is that when data is stored inside the storage, will any encryption step run at this stage before it is backed up to a tape?

2) Is it possible for a TSM server to use both encryptions, such as drive encryption (AME, LME or SME) and client side encryption? For example, when a client submits data or info to the storage, the data is encrypted and stored in the storage. After that, when the backup starts, the data will be encrypted a second time and stored onto a tape by the drive. So does it make sense?
Re: Verifying IBM TSM Encryption types
In addition - in case of using TDP for Oracle you can inspect TSM Server logs for TDP nodes. I think for other TDPs it is the same. Be careful with encryption for TDP backups - some additional configuration efforts are required.

From: ADSM: Dist Stor Manager [ADSM-L@VM.MARIST.EDU] On Behalf Of Richard Sims [r...@bu.edu]
Sent: Monday, August 01, 2011 8:10 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Verifying IBM TSM Encryption types

TSM client encryption can be verified per IBM Technote 1303197.
Tape drive encryption is a hardware topic addressed by the documentation for the particular drive model, as in recent 3592 model variants.

Richard Sims
Re: Verifying IBM TSM Encryption types
TSM client encryption can be verified per IBM Technote 1303197.
Tape drive encryption is a hardware topic addressed by the documentation for the particular drive model, as in recent 3592 model variants.

Richard Sims
Verifying IBM TSM Encryption types
How can I retrieve all the information about what kind of encryption method or type is being used on my TSM server? What I mean is, how do I check whether the backup data stored onto a tape is encrypted or not? Isn't it related to the default encryption method AES 128 or the alternative encryption method DES56? Or is it related to AME, LME or SME?

Please provide me the method or command, or even the file path, to verify or justify the information above. Thank you.
Re: tape encryption in TSM environment
On 13 Jun 2011, at 21:53, Keith Arbogast wrote:
> Someone here is not willing to bet his career on the reliability of a TSM server managed encryption key. He reasons that if a key is lost on the TSM server side of backups, the data could not be recovered, and we would be accountable. If a client admin loses an encryption key, he is accountable. So we do not use drive-based encryption, and tell our customers to use client-based encryption, specifying 'encryptkey save'.
>
> I cannot guarantee that TSM will never lose an application managed encryption key. Am I missing something?
>
> With my thanks,
> Keith Arbogast

If your devclass has drive encryption set to on, the database backups are still unencrypted, so the chances of recovering your database are still as good as they were without encryption.

--
Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622
Re: tape encryption in TSM environment
With TSM, you are already assuming the database will be consistent to be able to restore anything, encryption or not. TSM isn't more or less likely to lose an application managed encryption key than it will lose an inventory reference to any particular file. With application managed encryption, you are storing the keys in the TSM DB along with all the other metadata, so you aren't adding any points of failure. You will need to protect your database using different storage since it won't be encrypted. (I.e. on disk/VTL with offsite replication or something like that.)

With encryptkey=save, the key is stored on the filesystem, and as a result, the normal TSM backups. One could argue that this has more points of failure (the TSM database reference and the storage media that the key is actually stored on) as opposed to only in the TSM DB.

Even if your goal is only to offload responsibility to the customer, when their keyfile gets corrupted, they'll come to TSM to restore the key anyway. And if it is Windows, who wants to restore a registry?!

Random encryption ramblings...

Regards,
Shawn

Shawn Drew

Internet
warbo...@indiana.edu
Sent by: ADSM-L@VM.MARIST.EDU
06/13/2011 03:53 PM
Please respond to ADSM-L@VM.MARIST.EDU

To: ADSM-L
cc:
Subject: Re: [ADSM-L] tape encryption in TSM environment

Someone here is not willing to bet his career on the reliability of a TSM server managed encryption key. He reasons that if a key is lost on the TSM server side of backups, the data could not be recovered, and we would be accountable. If a client admin loses an encryption key, he is accountable. So we do not use drive-based encryption, and tell our customers to use client-based encryption, specifying 'encryptkey save'.

I cannot guarantee that TSM will never lose an application managed encryption key. Am I missing something?

With my thanks,
Keith Arbogast
Re: tape encryption in TSM environment
Someone here is not willing to bet his career on the reliability of a TSM server managed encryption key. He reasons that if a key is lost on the TSM server side of backups, the data could not be recovered, and we would be accountable. If a client admin loses an encryption key, he is accountable. So we do not use drive-based encryption, and tell our customers to use client-based encryption, specifying 'encryptkey save'.

I cannot guarantee that TSM will never lose an application managed encryption key. Am I missing something?

With my thanks,
Keith Arbogast
Re: tape encryption in TSM environment
Just a reminder also, that "Encryption" on a 3584/3500 library is another Feature Code for the library - to be purchased.

David Longo

>>> Howard Coles 6/13/2011 2:51 PM >>>
Using a TKLM server you can point your Library to the IP address of the server, and it will handle the keys, so that even your TSM DB backup tape is encrypted. (As some have asked this as well.) You do have to tell the Library where the Encryption Key servers are, and then modify the Logical library's Encryption policy. We've had one instance where we had to reconfigure the logical library after a firmware update (to support LTO4s).

From all I've seen the performance hit isn't noticeable; I think the compression affects it more, and that's very minimal if any.

As far as whether it's needed or not, the answer is yes, as Wanda said, if you are in our case and have regulatory requirements. Even without them it's a good idea. Gives the execs a warm and fuzzy about trade secrets, customer data, etc. etc.

We now have it running at three sites, and so far so good. You just have to have hardware drives that support that kind of encryption.

See Ya'
Howard Coles Jr., RHCE, CNE, CDE
John 3:16!

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Mehdi Salehi
Sent: Sunday, June 12, 2011 11:13 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

How much performance degradation would there be if encryption is on? Although it is the duty of the drive itself (I suppose), it might have a negative influence on backup and even restore performance?

#
This message is for the named person's use only. It may contain private, proprietary, or legally privileged information. No privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it, and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Health First reserves the right to monitor all e-mail communications through its networks. Any views or opinions expressed in this message are solely those of the individual sender, except (1) where the message states such views or opinions are on behalf of a particular entity; and (2) the sender is authorized by the entity to give such views or opinions.
#
Re: tape encryption in TSM environment
We are using TKLM (Tickle 'em) also. Compression first, then encryption. I was told our 3592-E06 (TS1130) drives would experience <1% degradation (negligible) in performance while encrypting. Your tape drive model/manufacturer experience may vary, but probably not much.

I agree with Howard on the "warm fuzzy"... All tape handling inside/outside our facilities is done by us. But still if someone were to lose one... Being a health organization, losing PHI (Patient Health Information) would be a bit embarrassing. I found that management was quite cooperative when asking for funding to encrypt.

-Jeff

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@vm.marist.edu] On Behalf Of Howard Coles
Sent: Monday, June 13, 2011 1:52 PM
To: ADSM-L@vm.marist.edu
Subject: Re: [ADSM-L] tape encryption in TSM environment

Using a TKLM server you can point your Library to the IP address of the server, and it will handle the keys, so that even your TSM DB backup tape is encrypted. (as some have asked this as well): You do have to tell the Library where the Encryption Key servers are, and then modify the Logical library's Encryption policy. We've had one instance where we had to reconfigure the logical library after a firmware update (to support LTO4s).

From all I've seen the performance hit isn't noticeable, I think the compression affects it more, and that's very minimal if any.

As far as whether it's needed or not, the answer is yes, as Wanda said, if you are in our case and have regulatory requirements. Even without them it's a good idea. Gives the execs a warm and fuzzy about trade secrets, customer data, etc. etc.

We now have it running at three sites, and so far so good. You just have to have hardware drives that support that kind of encryption.

See Ya'
Howard Coles Jr., RHCE, CNE, CDE
John 3:16!

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Mehdi Salehi
Sent: Sunday, June 12, 2011 11:13 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

How much performance degradation would there be if encryption is on? Although it is the duty of the drive itself (I suppose), it might have a negative influence on backup and even restore performance?
Re: tape encryption in TSM environment
Using a TKLM server you can point your Library to the IP address of the server, and it will handle the keys, so that even your TSM DB backup tape is encrypted. (as some have asked this as well): You do have to tell the Library where the Encryption Key servers are, and then modify the Logical library's Encryption policy. We've had one instance where we had to reconfigure the logical library after a firmware update (to support LTO4s). >From all I've seen the performance hit isn't noticeable, I think the compression affects it more, and that's very minimal if any. As far as whether its needed or not, the answer is yes, as Wanda said, if you are in our case and have regulatory requirements. Even without them it's a good idea. Gives the execs a warm and fuzzy about trade secrets, customer data, etc. etc. We now have it running at three sites, and so far so good. You just have to have hardware drives that support that kind of encryption. See Ya' Howard Coles Jr., RHCE, CNE, CDE John 3:16! -Original Message- From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Mehdi Salehi Sent: Sunday, June 12, 2011 11:13 PM To: ADSM-L@VM.MARIST.EDU Subject: Re: [ADSM-L] tape encryption in TSM environment How much performance degradation would there if encryption is on? Although it is the duty of drive itself (I suppose), it might have negative influence on backup and even restore performance?
Re: tape encryption in TSM environment
Yes.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Keith Arbogast
Sent: Monday, June 13, 2011 8:20 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

I thought a setup step was required on the 3584 to:
[+] Library / Logical Libraries / Modify Encryption Method / Application-Managed
Yes/No?
Keith
Re: tape encryption in TSM environment
Encryption is done outboard in the drive, just like drive compression is done outboard in the drive. No impact on backup or restore performance.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Mehdi Salehi
Sent: Monday, June 13, 2011 12:13 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

How much performance degradation would there be if encryption is on? Although it is the duty of the drive itself (I suppose), it might have a negative influence on backup and even restore performance?
Re: tape encryption in TSM environment
I thought a setup step was required on the 3584 to: [+] Library / Logical Libraries / Modify Encryption Method / Application-Managed Yes/No? Keith
Re: tape encryption in TSM environment
ekm encryption is negligible. not sure about tklm. any takers on that? On Mon, Jun 13, 2011 at 12:13 AM, Mehdi Salehi wrote: > How much performance degradation would there if encryption is on? Although > it is the duty of drive itself (I suppose), it might have negative > influence > on backup and even restore performance? >
Re: tape encryption in TSM environment
How much performance degradation would there be if encryption is on? Although it is the duty of the drive itself (I suppose), it might have a negative influence on backup and even restore performance?
Re: tape encryption in TSM environment
In the US, encryption also covers a regulatory issue. Many states now have laws that spell out the responsibilities of sites to protect "personally identifiable information" (information about persons including their financial info, medical info, etc.) The short version is that if a tape goes missing and is not encrypted, the company is legally liable. If the tape goes missing but is encrypted, no problem.

You can turn on encryption for 3592 and LTO tape drives just by adding the appropriate parms to the device class in TSM. Very, very easy way to eliminate the legal issue.

As a result, most of my customers who send tapes offsite use TSM encryption. The ones with the most sensitive data (financial and medical companies) use encryption for tapes that stay onsite, as well.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Remco Post
Sent: Sunday, June 12, 2011 3:39 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

Hi,

On 12 jun 2011, at 05:53, Mehdi Salehi wrote:

> Hi,
> Tape volumes cannot be accessed if there is no TSM database. If that happens,

this is not exactly true. The tapes can be accessed. IBM just claims that it's hard/impossible to make sense of the data. That may or may not be true. There are some open source tools that do exactly that..

> restoring the database and gaining access to data seem to be very
> difficult (at least for me ;) ). Do you think the encryption feature of
> tape drives has any value in TSM environments?

Depending on your level of paranoia, and whether or not you're shipping tapes off-site frequently, yes.

> Thank you,
> Mehdi

--
Met vriendelijke groeten/Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622
Re: tape encryption in TSM environment
Yes but you need to use TKLM or its MF equiv to be of value unless you use an appliance.

On 6/11/11, Mehdi Salehi wrote:
> Hi,
> Tape volumes cannot be accessed if there is no TSM database. If that happens,
> restoring the database and gaining access to data seem to be very difficult
> (at least for me ;) ). Do you think the encryption feature of tape drives has
> any value in TSM environments?
>
> Thank you,
> Mehdi

--
Sent from my mobile device

Thank you,
Bob Molerio
Systems Administrator
New York University
ITS Computer Facilities Services/Infrastructure
Level C-2
75 Third Avenue
New York NY 10003-5527
email:robert.mole...@nyu.edu
Re: tape encryption in TSM environment
Hi,

On 12 jun 2011, at 05:53, Mehdi Salehi wrote:

> Hi,
> Tape volumes cannot be accessed if there is no TSM database. If that happens,

this is not exactly true. The tapes can be accessed. IBM just claims that it's hard/impossible to make sense of the data. That may or may not be true. There are some open source tools that do exactly that..

> restoring the database and gaining access to data seem to be very difficult
> (at least for me ;) ). Do you think the encryption feature of tape drives has
> any value in TSM environments?

Depending on your level of paranoia, and whether or not you're shipping tapes off-site frequently, yes.

> Thank you,
> Mehdi

--
Met vriendelijke groeten/Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622
tape encryption in TSM environment
Hi,

Tape volumes cannot be accessed if there is no TSM database. If that happens, restoring the database and gaining access to data seem to be very difficult (at least for me ;) ). Do you think the encryption feature of tape drives has any value in TSM environments?

Thank you,
Mehdi
Re: ORACLE Encryption
I am using InclExcl list for include.encrypt. For example:

include * AIX
include /.../* FSLPAR05
include /ifns_ifns/.../* DBLPAR05
include /patm_patm/.../* DBLPAR05
include /ptel_ptel/.../* DBLPAR05
exclude.dir /home/oracle/admin/ifns/adump
exclude.dir /home/oracle/admin/patm/adump
exclude.dir /home/oracle/admin/ptel/adump
exclude.dir /home/oracle/product
exclude.compression *.Z
exclude.compression /backup05/ias/FS.*
include.encrypt /ifns_ifns/.../*
include.encrypt /patm_patm/.../*
include.encrypt /ptel_ptel/.../*
include.encrypt *.dmp.Z

It means I have include.encrypt in the include/exclude list for both file systems and databases.

Grigori G. Solonovitch
Senior Technical Architect
Information Technology
Bank of Kuwait and Middle East
http://www.bkme.com
Phone: (+965) 2231-2274
Mobile: (+965) 99798073
E-Mail: g.solonovi...@bkme.com

Please consider the environment before printing this Email

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Fred Johanson
Sent: Monday, February 01, 2010 5:41 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] ORACLE Encryption

We register the TDPO as a distinct client. Most are on various flavors of UNIX. So where do we put the "include.encrypt". Does it go in the dsmi_opt file or an inclexcl file referenced in that file? The manual isn't very clear.

Fred Johanson
TSM Administrator
University of Chicago
773-702-8464
Re: ORACLE Encryption
Hi Fred,

To encrypt all files, add the following options to dsm.sys

ENABLECLIENTENCRYPTKEY YES
include.encrypt /.../*

Regards,
Mark

From: Fred Johanson
To: ADSM-L@vm.marist.edu
Date: 02/01/2010 06:42 AM
Subject: [ADSM-L] ORACLE Encryption

We register the TDPO as a distinct client. Most are on various flavors of UNIX. So where do we put the "include.encrypt". Does it go in the dsmi_opt file or an inclexcl file referenced in that file? The manual isn't very clear.

Fred Johanson
TSM Administrator
University of Chicago
773-702-8464
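Grigori's list and Mark's encrypt-everything `include.encrypt /.../*` both depend on which statement the client actually applies to a given file: the include-exclude list is processed from the bottom up with the first match deciding, and the backup, compression and encryption decisions are made independently of each other. The following is an added example (not code from the list posts or from IBM) that evaluates a list against a path under those rules so an administrator can check what a given file will get before running a backup. The wildcard semantics it assumes ('...' spanning directory levels, an unrooted pattern matching a file name in any directory, exclude.dir not being overridable by a later include) are the example author's reading of the client documentation and should be verified against the manual for your client version. The embedded sample list is the one from Grigori's post; the sample paths are constructed.

```python
"""Evaluate a Spectrum Protect / TSM client include-exclude list for a path.

Added example for the ADSM-L thread; not code from the posts or from IBM.
Assumed rules (verify against your client manual): statements are read
bottom-up and the first match wins, separately for the backup, compression
and encryption families; '...' spans directory levels, '*' matches within
one path component, '?' one character; a pattern without a leading '/' is
matched against the file name in any directory; exclude.dir removes a whole
subtree and is not overridden by include.
"""
import re

# Constructed sample: the include/exclude list from Grigori's post, in file order.
SAMPLE_INCLEXCL = """\
include * AIX
include /.../* FSLPAR05
include /ifns_ifns/.../* DBLPAR05
include /patm_patm/.../* DBLPAR05
include /ptel_ptel/.../* DBLPAR05
exclude.dir /home/oracle/admin/ifns/adump
exclude.dir /home/oracle/admin/patm/adump
exclude.dir /home/oracle/admin/ptel/adump
exclude.dir /home/oracle/product
exclude.compression *.Z
exclude.compression /backup05/ias/FS.*
include.encrypt /ifns_ifns/.../*
include.encrypt /patm_patm/.../*
include.encrypt /ptel_ptel/.../*
include.encrypt *.dmp.Z
"""

# keyword -> (decision family, value the keyword sets)
FAMILY = {
    "include": ("backup", True),
    "exclude": ("backup", False),
    "include.compression": ("compress", True),
    "exclude.compression": ("compress", False),
    "include.encrypt": ("encrypt", True),
    "exclude.encrypt": ("encrypt", False),
}


def pattern_to_regex(pattern: str, is_dir: bool = False) -> re.Pattern:
    """Translate one TSM wildcard pattern into an anchored regular expression."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith(".../", i):
            parts.append("(?:[^/]+/)*")   # zero or more directory levels
            i += 4
        elif pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    body = "".join(parts)
    if not pattern.startswith("/"):
        body = "(?:.*/)?" + body        # unrooted: file name in any directory
    if is_dir:
        body += "(?:/.*)?"              # exclude.dir covers the whole subtree
    return re.compile("^" + body + "$")


def parse(text: str) -> list:
    """Return (keyword, pattern, optional management class) tuples in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("*") or len(fields) < 2:
            continue                    # blank line, comment, or malformed
        rules.append((fields[0].lower(), fields[1],
                      fields[2] if len(fields) > 2 else None))
    return rules


def evaluate(text: str, path: str) -> dict:
    """Decide backup, management class, compression and encryption for one path."""
    rules = parse(text)
    result = {"backup": True, "mgmtclass": None, "compress": True, "encrypt": False}
    # exclude.dir wins regardless of where it sits in the list.
    dir_excluded = any(kw == "exclude.dir" and pattern_to_regex(pat, True).match(path)
                       for kw, pat, _ in rules)
    decided = set()
    for kw, pat, mgmtclass in reversed(rules):   # bottom-up, first hit decides
        if kw not in FAMILY or FAMILY[kw][0] in decided:
            continue
        if not pattern_to_regex(pat).match(path):
            continue
        family, value = FAMILY[kw]
        decided.add(family)
        result[family] = value
        if family == "backup" and value:
            result["mgmtclass"] = mgmtclass
    if dir_excluded:
        result["backup"], result["mgmtclass"] = False, None
    return result


if __name__ == "__main__":
    for p in ("/ifns_ifns/data/system01.dbf", "/backup05/exports/ifns_full.dmp.Z"):
        print(p, evaluate(SAMPLE_INCLEXCL, p))
```

Running it against Grigori's list shows that `include * AIX` at the top never takes effect because `include /.../* FSLPAR05` below it matches everything first, while the `include.encrypt` statements only reach the three database file systems and files named `*.dmp.Z`; swapping in Mark's `include.encrypt /.../*` makes every path come back with encryption on.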
ORACLE Encryption
We register the TDPO as a distinct client. Most are on various flavors of UNIX. So where do we put the "include.encrypt". Does it go in the dsmi_opt file or an inclexcl file referenced in that file? The manual isn't very clear.

Fred Johanson
TSM Administrator
University of Chicago
773-702-8464
Re: Encryption
We are working on setting up encryption with LTO4's and we are using multiple backup products so there are several different methods to control encryption. Several emails in the recent past talk about how to encrypt or not using the tools within TSM. If you are not using TSM's application encryption support you can control encryption with bar code rules if using a 3584 tape library. If you are using NetBackup or Networker you can use the volume pool id data written in the tape label for this control. For TS3310 tape libraries there is no bar code support that I have found.

Len

PS The last time I checked hardware encryption in LTO4's is at no extra cost. If going by the rule of a new LTO tape drive every two years the LTO5 tape drive should have been released in 2009. Rumor has it that they should be released in 2010. See the url www.lto.org for a little bit more info.

len

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Howard Coles
Sent: Wednesday, January 20, 2010 12:59 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption

Good question, I was about to ask that same thing. We're about to put in LTO4's at our main DC (wanted to go VTL or Disk, but . . . ). My boss has already spec'd and priced out getting the Hardware encryption, but I'd like to know if that's the best route. The question is if we did that how would we create an unencrypted backupset (for example if it had to be produced for a legal proceeding)? I'm thinking the encryption options would depend on TSM application encryption, or did I miss some of that previous thread?

See Ya'
Howard Coles Jr.
John 3:16!

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Scott Bellew
Sent: Wednesday, January 20, 2010 11:34 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption

Hi Joni,

We use Application Managed Encryption, with IBM 3584 library and LTO4 drives. This only works for a storage pool with DRIVEENCRYPTION=ON. It does not encrypt the db backup tape. TSM handles the keys. We use this for off-site archive tapes. Currently in the process of recalling all LTO2 archive tapes and moving them to LTO4 tapes in this Encrypted storage pool. Not hard to set up.

Check out this link: http://www-01.ibm.com/support/docview.wss?rs=663&uid=swg27009625

---
Scott Bellew
Systems Programmer
Information Systems
Regional Health

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Moyer, Joni M
Sent: Tuesday, January 12, 2010 6:51 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption

Hello everyone,

I am beginning the process of deciding upon a method of encryption. I was just wondering if anyone utilizes TSM to encrypt data? It seems to be quite a cumbersome method of encryption...

I was also wondering if anyone was using hardware encryption in their environments? And what type of set up do you have?

Thanks in advance

Joni Moyer
Storage Administrator III
(717)302-9966
joni.mo...@highmark.com
Re: Encryption
Good question, I was about to ask that same thing. We're about to put in LTO4's at our main DC (wanted to go VTL or Disk, but . . . ). My boss has already spec'd and priced out getting the Hardware encryption, but I'd like to know if that's the best route. The question is if we did that how would we create an unencrypted backupset (for example if it had to be produced for a legal proceeding)? I'm thinking the encryption options would depend on TSM application encryption, or did I miss some of that previous thread? See Ya' Howard Coles Jr. John 3:16! -Original Message- From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Scott Bellew Sent: Wednesday, January 20, 2010 11:34 AM To: ADSM-L@VM.MARIST.EDU Subject: Re: [ADSM-L] Encryption Hi Joni, We use Application Managed Encryption, with IBM 3584 library and LTO4 drives. This only works for a storage pool with DRIVEENCRYPTION=ON. It does not encrypt the db backup tape. TSM handles the keys. We use this for off-site archive tapes. Currently in the process of recalling all LTO2 archive tapes and moving them to LTO4 tapes in this Encrypted storage pool. Not hard to set up. Checkout this link: http://www-01.ibm.com/support/docview.wss?rs=663&uid=swg27009625 --- Scott Bellew Systems Programmer Informatin Systems Regional Health -Original Message- From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Moyer, Joni M Sent: Tuesday, January 12, 2010 6:51 AM To: ADSM-L@VM.MARIST.EDU Subject: [ADSM-L] Encryption Hello everyone, I am beginning the process of deciding upon a method of encryption. I was just wondering if anyone utilizes TSM to encrypt data? It seems to be quite a cumbersome method of encryption... I was also wondering if anyone was using hardware encryption in their environments? And what type of set up do you have? 
Thanks in advance

Joni Moyer
Storage Administrator III
(717)302-9966
joni.mo...@highmark.com
Re: Encryption
Hi Joni,

We use Application Managed Encryption, with IBM 3584 library and LTO4 drives. This only works for a storage pool with DRIVEENCRYPTION=ON. It does not encrypt the db backup tape. TSM handles the keys. We use this for off-site archive tapes. Currently in the process of recalling all LTO2 archive tapes and moving them to LTO4 tapes in this Encrypted storage pool. Not hard to set up.

Check out this link: http://www-01.ibm.com/support/docview.wss?rs=663&uid=swg27009625

---
Scott Bellew
Systems Programmer
Information Systems
Regional Health

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Moyer, Joni M
Sent: Tuesday, January 12, 2010 6:51 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption

Hello everyone,

I am beginning the process of deciding upon a method of encryption. I was just wondering if anyone utilizes TSM to encrypt data? It seems to be quite a cumbersome method of encryption...

I was also wondering if anyone was using hardware encryption in their environments? And what type of set up do you have?

Thanks in advance

Joni Moyer
Storage Administrator III
(717)302-9966
joni.mo...@highmark.com
Re: Turning Encryption Off/On
I configured dedicated Device classes and storage pools because of the following note in the Admin guide.

When using encryption-capable drives with a supported encryption method, a new format will be used to write encrypted data to tapes. If data is written to volumes using the new format and if the volumes are then returned to scratch, they will contain labels that are only readable by encryption-enabled drives. To use these scratch volumes in a drive that is not enabled for encryption, either because the hardware is not capable of encryption or because the encryption method is set to NONE, you must relabel the volumes.

From: ADSM: Dist Stor Manager [ads...@vm.marist.edu] on behalf of Wanda Prather [wanda.prat...@jasi.com]
Sent: 13 January 2010 14:09
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

This is for TSM-managed encryption (the library is set to application-managed).

You only need 1 set of scratch tapes. One library, two storage pools, two devclasses, one encrypted, one not. Same pool of scratch tapes. When an encrypted tape goes scratch and comes back from the vault, it can be reused non-encrypted. (I think that is because the label isn't encrypted, just the data.) TSM DB backups are never encrypted, either.

Works fine. Beauty of TSM-managed encryption; easy peasy. Set it and forget it.

On Wed, Jan 13, 2010 at 6:06 AM, Stefan Folkerts wrote:

> I don't think you can have two device classes (one with and one without
> encryption) sharing the same pool of scratch volumes (one logical library)
> using LTO hardware encryption.
> This is because the volume label on the tape is either written encrypted or
> it is not, I don't think the non-encrypted deviceclass is able to write to
> a scratch tape labeled within an encrypted deviceclass configuration because
> the first thing it does is check the label, that's encrypted so label
> doesn't match eject -> set to private, next volume please...etc etc.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Druckenmiller, David
> Sent: Tuesday, 12 January 2010 18:07
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Using hardware encryption, managed by TSM.
>
> Are you saying I can have two device classes sharing the same devices? For
> some reason, I was always under the impression that you couldn't. But after
> scanning the help, I don't know where I came up with that notion. That
> would definitely make things simple for me.
>
> Thanks.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Wanda Prather
> Sent: Tuesday, January 12, 2010 10:20 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Is your encryption application-managed (controlled by TSM) or
> library-managed (controlled by EKM/TKLM)?
>
> If application managed, IBM is correct, you just need a different devclass
> that specifies drive encryption OFF, pointing to the same library, and a
> new storage pool that specifies the non-encrypted devclass.
>
> I've got 4 LTO drives, onsite pool is NOT encrypted (long story there),
> COPY pool IS encrypted. No biggie.
>
> W
>
> On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David wrote:
>
> > We currently encrypt all our offsite tapes. Mgmt wants me to create a
> > single unencrypted archive tape to be stored offsite long term for
> > litigation reasons.
> >
> > My question is: If I turn off encryption long enough to get some data
> > written to this one tape, then turn encryption back on, could I then
> > continue to write unencrypted data to this one tape while all other tapes
> > would be encrypted?
> >
> > IBM is being non-committal saying we should really use new device class,
> > but I'd then have to move one tape drive over to new class each time I
> > want to write unencrypted.
> >
> > TSM 5.5.3
> > AIX 6.1
> > Tapes are LTO4
> >
> > Thanks
> > Dave
Re: [adsm] Re: Encryption
Actually, the encryption isn't bad from a performance perspective. In our testing, enabling encryption only incurred a 5-10% performance penalty. The real issues come from the fact that encrypted data doesn't compress, so if you encrypt on the client without using client compression, your tape usage will likely increase. And if you encrypt AND compress on the client, then you get hit with a significant client performance penalty...but it's the compression that kills you, not the encryption.

But you're right...doing it on the drive is usually a much better way to go.

-Lloyd

On Tue, 12 Jan 2010 10:13:39 -0500 Wanda Prather wrote:

> Encryption with the client is very CPU intensive, both on backup and on
> restore.
>
> If you have LTO4 or 3592 tape, or STK tape drives that encrypt, it is far,
> far better to do it in the hardware.
>
> W
>
> On Tue, Jan 12, 2010 at 8:50 AM, Moyer, Joni M wrote:
>
> > Hello everyone,
> >
> > I am beginning the process of deciding upon a method of encryption. I was
> > just wondering if anyone utilizes TSM to encrypt data? It seems to be quite
> > a cumbersome method of encryption...
> >
> > I was also wondering if anyone was using hardware encryption in their
> > environments? And what type of set up do you have?
> >
> > Thanks in advance
> >
> > Joni Moyer
> > Storage Administrator III
> > (717)302-9966
> > joni.mo...@highmark.com
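Lloyd's observation that encrypted data does not compress is what fixes the order of operations: compress first, then encrypt, which is also the order the drives use (Jeff's "compression first, then encryption" with TKLM) and the order the client is documented to use when both options are on. The following added Python example (not code from the list or from any IBM product) measures both orders on a constructed, highly repetitive sample stream. It uses a SHA-256 counter-mode keystream as a stand-in for a real cipher, chosen only because its output is as incompressible as AES ciphertext; it is not a production cipher, and the key is a constructed demo value.

```python
"""Compress-then-encrypt versus encrypt-then-compress on a backup stream.

Added example for the ADSM-L discussion; not code from the list or from IBM.
The "cipher" is a SHA-256 counter-mode keystream XORed over the data, used
as a stand-in whose output looks random the way AES output does. It exists
only to show the size effect and is NOT a production cipher.
"""
import hashlib
import zlib

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"   # assumption: fixed demo key

# Constructed sample: a repetitive text stream of the kind a database export or
# log backup produces, which compresses very well.
SAMPLE_STREAM = b"2010-01-12 09:10:00 ORA-00000: normal, successful completion\n" * 2000


def _keystream(key: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from the key and a block counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; applying it a second time decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """The order to use: the compressor sees redundant plaintext."""
    return toy_encrypt(key, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """Client-side encryption followed by drive compression: no gain."""
    return zlib.compress(toy_encrypt(key, data), 9)


def size_report(data: bytes, key: bytes = DEMO_KEY) -> dict:
    """Return the byte sizes of the plain stream and of both pipelines."""
    return {
        "plain": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, data)),
    }


if __name__ == "__main__":
    for name, size in size_report(SAMPLE_STREAM).items():
        print(f"{name:>24}: {size} bytes")
```

On the sample stream the compress-then-encrypt output is a small fraction of the input, while encrypt-then-compress comes back slightly larger than the input because deflate falls back to stored blocks on random-looking data. That is the whole case for letting the drive compress and then encrypt, or, with client encryption, for enabling client compression as well and paying Lloyd's CPU cost.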
Re: Turning Encryption Off/On
This is for TSM-managed encryption (the library is set to application-managed).

You only need 1 set of scratch tapes. One library, two storage pools, two devclasses, one encrypted, one not. Same pool of scratch tapes. When an encrypted tape goes scratch and comes back from the vault, it can be reused non-encrypted. (I think that is because the label isn't encrypted, just the data.) TSM DB backups are never encrypted, either.

Works fine. Beauty of TSM-managed encryption; easy peasy. Set it and forget it.

On Wed, Jan 13, 2010 at 6:06 AM, Stefan Folkerts wrote:

> I don't think you can have two device classes (one with and one without
> encryption) sharing the same pool of scratch volumes (one logical library)
> using LTO hardware encryption.
> This is because the volume label on the tape is either written encrypted or
> it is not, I don't think the non-encrypted deviceclass is able to write to
> a scratch tape labeled within an encrypted deviceclass configuration because
> the first thing it does is check the label, that's encrypted so label
> doesn't match eject -> set to private, next volume please...etc etc.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Druckenmiller, David
> Sent: Tuesday, 12 January 2010 18:07
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Using hardware encryption, managed by TSM.
>
> Are you saying I can have two device classes sharing the same devices? For
> some reason, I was always under the impression that you couldn't. But after
> scanning the help, I don't know where I came up with that notion. That
> would definitely make things simple for me.
>
> Thanks.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Wanda Prather
> Sent: Tuesday, January 12, 2010 10:20 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Is your encryption application-managed (controlled by TSM) or
> library-managed (controlled by EKM/TKLM)?
>
> If application managed, IBM is correct, you just need a different devclass
> that specifies drive encryption OFF, pointing to the same library, and a
> new storage pool that specifies the non-encrypted devclass.
>
> I've got 4 LTO drives, onsite pool is NOT encrypted (long story there),
> COPY pool IS encrypted. No biggie.
>
> W
>
> On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David wrote:
>
> > We currently encrypt all our offsite tapes. Mgmt wants me to create a
> > single unencrypted archive tape to be stored offsite long term for
> > litigation reasons.
> >
> > My question is: If I turn off encryption long enough to get some data
> > written to this one tape, then turn encryption back on, could I then
> > continue to write unencrypted data to this one tape while all other tapes
> > would be encrypted?
> >
> > IBM is being non-committal saying we should really use new device class,
> > but I'd then have to move one tape drive over to new class each time I
> > want to write unencrypted.
> >
> > TSM 5.5.3
> > AIX 6.1
> > Tapes are LTO4
> >
> > Thanks
> > Dave
Re: Turning Encryption Off/On
I don't think you can have two device classes (one with and one without encryption) sharing the same pool of scratch volumes (one logical library) using LTO hardware encryption.

This is because the volume label on the tape is either written encrypted or it is not, I don't think the non-encrypted deviceclass is able to write to a scratch tape labeled within an encrypted deviceclass configuration because the first thing it does is check the label, that's encrypted so label doesn't match eject -> set to private, next volume please...etc etc.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Druckenmiller, David
Sent: Tuesday, 12 January 2010 18:07
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

Using hardware encryption, managed by TSM.

Are you saying I can have two device classes sharing the same devices? For some reason, I was always under the impression that you couldn't. But after scanning the help, I don't know where I came up with that notion. That would definitely make things simple for me.

Thanks.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Wanda Prather
Sent: Tuesday, January 12, 2010 10:20 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

Is your encryption application-managed (controlled by TSM) or library-managed (controlled by EKM/TKLM)?

If application managed, IBM is correct, you just need a different devclass that specifies drive encryption OFF, pointing to the same library, and a new storage pool that specifies the non-encrypted devclass.

I've got 4 LTO drives, onsite pool is NOT encrypted (long story there), COPY pool IS encrypted. No biggie.

W

On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David wrote:

> We currently encrypt all our offsite tapes. Mgmt wants me to create a
> single unencrypted archive tape to be stored offsite long term for
> litigation reasons.
>
> My question is: If I turn off encryption long enough to get some data
> written to this one tape, then turn encryption back on, could I then
> continue to write unencrypted data to this one tape while all other tapes
> would be encrypted?
>
> IBM is being non-committal saying we should really use new device class,
> but I'd then have to move one tape drive over to new class each time I want
> to write unencrypted.
>
> TSM 5.5.3
> AIX 6.1
> Tapes are LTO4
>
> Thanks
> Dave
Re: Turning Encryption Off/On
Yes.

Storage pool => Device class => Library => drives

Anything you create in the storage pool is encrypted or not based on the devclass settings.

If you need a sample of definitions, will be happy to send them.

On Tue, Jan 12, 2010 at 12:06 PM, Druckenmiller, David wrote:
> Using hardware encryption, managed by TSM.
>
> Are you saying I can have two device classes sharing the same devices? For
> some reason, I was always under the impression that you couldn't. But after
> scanning the help, I don't know where I came up with that notion. That
> would definitely make things simple for me.
>
> Thanks.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Wanda Prather
> Sent: Tuesday, January 12, 2010 10:20 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Is your encryption application-managed (controlled by TSM) or
> library-managed (controlled by EKM/TKLM)?
>
> If application managed, IBM is correct, you just need a different devclass
> that specifies drive encryption OFF, pointing to the same library, and a
> new storage pool that specifies the non-encrypted devclass.
>
> I've got 4 LTO drives, onsite pool is NOT encrypted (long story there),
> COPY pool IS encrypted. No biggie.
>
> W
>
> On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David wrote:
> > We currently encrypt all our offsite tapes. Mgmt wants me to create a
> > single unencrypted archive tape to be stored offsite long term for
> > litigation reasons.
> >
> > My question is: If I turn off encryption long enough to get some data
> > written to this one tape, then turn encryption back on, could I then
> > continue to write unencrypted data to this one tape while all other tapes
> > would be encrypted?
> >
> > IBM is being non-committal saying we should really use new device class,
> > but I'd then have to move one tape drive over to new class each time I want
> > to write unencrypted.
> >
> > TSM 5.5.3
> > AIX 6.1
> > Tapes are LTO4
> >
> > Thanks
> > Dave
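Sample definitions of the kind offered above, as an added example that is not from the thread or from IBM's documentation for this case: two LTO device classes on one library, one with application-managed drive encryption on and one off, each feeding its own storage pool, plus an archive copy group pointing at the unencrypted pool. The library name LTOLIB, the ULTRIUM4C format, and all device class, pool, domain and policy names are assumptions.

```text
/* Added example (not from the thread). Names and format are assumed;
   the library LTOLIB is assumed to be defined already.
   Run as a dsmadmc macro or paste the commands one at a time. */

/* Existing encrypted device class: TSM manages the drive encryption keys */
DEFINE DEVCLASS LTO4_ENC DEVTYPE=LTO LIBRARY=LTOLIB FORMAT=ULTRIUM4C DRIVEENCRYPTION=ON

/* Second device class for the SAME library and drives, encryption off */
DEFINE DEVCLASS LTO4_CLEAR DEVTYPE=LTO LIBRARY=LTOLIB FORMAT=ULTRIUM4C DRIVEENCRYPTION=OFF

/* Storage pools: the pool a file lands in decides whether it is encrypted */
DEFINE STGPOOL OFFSITE_ENC LTO4_ENC POOLTYPE=COPY MAXSCRATCH=50
DEFINE STGPOOL LITIGATION_CLEAR LTO4_CLEAR MAXSCRATCH=5

/* Route only the litigation archives to the unencrypted pool via policy
   (domain, policy set and management class names are assumed) */
DEFINE MGMTCLASS STANDARD LITIGATION LIT_CLEAR
DEFINE COPYGROUP STANDARD LITIGATION LIT_CLEAR TYPE=ARCHIVE DESTINATION=LITIGATION_CLEAR RETVER=NOLIMIT
VALIDATE POLICYSET STANDARD LITIGATION
ACTIVATE POLICYSET STANDARD LITIGATION

/* Check before writing tape: the "Drive Encryption" field must read
   On for LTO4_ENC and Off for LTO4_CLEAR */
QUERY DEVCLASS LTO4_ENC FORMAT=DETAILED
QUERY DEVCLASS LTO4_CLEAR FORMAT=DETAILED
QUERY STGPOOL LITIGATION_CLEAR FORMAT=DETAILED
```

Keeping the unencrypted pool's MAXSCRATCH small limits how many library scratch tapes can ever be consumed unencrypted if a client is bound to the wrong management class by mistake.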
Re: Turning Encryption Off/On
Using hardware encryption, managed by TSM.

Are you saying I can have two device classes sharing the same devices? For some reason, I was always under the impression that you couldn't. But after scanning the help, I don't know where I came up with that notion. That would definitely make things simple for me.

Thanks.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Wanda Prather
Sent: Tuesday, January 12, 2010 10:20 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

Is your encryption application-managed (controlled by TSM) or library-managed (controlled by EKM/TKLM)?

If application managed, IBM is correct, you just need a different devclass that specifies drive encryption OFF, pointing to the same library, and a new storage pool that specifies the non-encrypted devclass.

I've got 4 LTO drives, onsite pool is NOT encrypted (long story there), COPY pool IS encrypted. No biggie.

W

On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David wrote:
> We currently encrypt all our offsite tapes. Mgmt wants me to create a
> single unencrypted archive tape to be stored offsite long term for
> litigation reasons.
>
> My question is: If I turn off encryption long enough to get some data
> written to this one tape, then turn encryption back on, could I then
> continue to write unencrypted data to this one tape while all other tapes
> would be encrypted?
>
> IBM is being non-committal saying we should really use new device class,
> but I'd then have to move one tape drive over to new class each time I want
> to write unencrypted.
>
> TSM 5.5.3
> AIX 6.1
> Tapes are LTO4
>
> Thanks
> Dave