client side encryption question

2017-06-01 Thread Lee, Gary
We are being asked about encrypting our backups.

Looking at client side encryption, if they want to encrypt all contents of a 
drive under Windows, is

Include.encrypt c:\...\*

the best way?

Also, what about a bare metal restore of an encrypted client?
Using encryptkey=generate

Will doing a systemstate restore first bring back the key so as to restore 
files?

Thank you all. This will get me started.


Re: Spectrum Protect Encryption

2016-03-30 Thread Del Hoobler
Hi Ricky,

IBM Spectrum Protect supports AES-128 and AES-256 for client-side data 
encryption, and AES-256 for cloud-container storage pools on the server. 
It also supports SSL/TLS communication encryption up to TLS 1.2.
  
Thank you,

Del



"ADSM: Dist Stor Manager"  wrote on 03/25/2016 
02:16:30 PM:

> From: "Plair, Ricky" 
> To: ADSM-L@VM.MARIST.EDU
> Date: 03/25/2016 02:17 PM
> Subject: Spectrum Protect Encryption
> Sent by: "ADSM: Dist Stor Manager" 
> 
> Can anyone tell me what type/version of encryption the new IBM 
> Spectrum Protect uses?
> 
> Is it the same as the older versions' AES 128?
> 
> I appreciate the help.
> 
> Ricky M. Plair
> Storage Engineer
> HealthPlan Services
> Office: 813 289 1000 Ext 2273
> Mobile: 813 357 9673


Spectrum Protect Encryption

2016-03-25 Thread Plair, Ricky
Can anyone tell me what type/version of encryption the new IBM Spectrum 
Protect uses?

Is it the same as the older versions' AES 128?

I appreciate the help.

Ricky M. Plair
Storage Engineer
HealthPlan Services
Office: 813 289 1000 Ext 2273
Mobile: 813 357 9673



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
CONFIDENTIALITY NOTICE: This email message, including any attachments, is for 
the sole use of the intended recipient(s) and may contain confidential and 
privileged information and/or Protected Health Information (PHI) subject to 
protection under the law, including the Health Insurance Portability and 
Accountability Act of 1996, as amended (HIPAA). If you are not the intended 
recipient or the person responsible for delivering the email to the intended 
recipient, be advised that you have received this email in error and that any 
use, disclosure, distribution, forwarding, printing, or copying of this email 
is strictly prohibited. If you have received this email in error, please notify 
the sender immediately and destroy all copies of the original message.


TSM Encryption security gap?

2016-01-07 Thread Roger Deschner
We are starting to make more use of TSM Encryption. There is a
combination of features that appears to leave a security gap.

We have decided to use ENCRYPTKEY GENERATE, because it provides what is
in effect encryption key escrow. We require key escrow whenever
encryption is used for university data - it's surprising how many times
encryption keys get lost. We also use PASSWORDACCESS GENERATE, in order
to enable automatic scheduled backups.

The gap is in restore. If I have an encrypted drive, whose contents are
backed up using TSM encryption, and then I unplug that drive thinking it
is secure, it is not. Anyone who can boot the machine can restore
everything from the encrypted drive, without entering any key or
password, due to PASSWORDACCESS GENERATE.

We are thinking of instructing users to always do a complete shutdown
(not sleep or hibernate), and to encrypt their boot drive if they have
any sensitive data, even if that data resides somewhere other than the
boot drive. However, this is herding cats. It's unlikely to be followed
in all cases.

A possible solution would be to require re-entry of the TSM password to
restore encrypted data, if both ENCRYPTKEY GENERATE and PASSWORDACCESS
GENERATE are in effect.

Am I understanding this correctly? Is there something I am missing here?

Roger Deschner  University of Illinois at Chicago rog...@uic.edu
==I have not lost my mind -- it is backed up on tape somewhere.=
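Added example (not code from the list or from IBM) covering both Gary's question at the top about `include.encrypt` coverage and the ENCRYPTKEY GENERATE + PASSWORDACCESS GENERATE combination Roger describes: a small linter for a backup-archive client option file that reports which files are encrypted at all and whether the key-handling options allow encrypted data to be restored without anyone typing a password or key. It assumes the flat `OPTION value` layout of `dsm.opt` (one option per line, names case-insensitive, `*` starts a comment); the defaults it applies for absent options (ENCRYPTKEY SAVE, PASSWORDACCESS PROMPT) and the behaviour of ENCRYPTKEY PROMPT are the author's reading of the client documentation and should be checked against the manual for the installed client level. The sample option files are constructed.

```python
"""Lint a Spectrum Protect / TSM client option file for its key-handling options.

Added example, not IBM code. Assumes the flat "OPTION value" dsm.opt layout.
Defaults for absent options (ENCRYPTKEY SAVE, PASSWORDACCESS PROMPT) are an
assumption to verify against the installed client's documentation.
"""


def sample_dsm_opt(encryptkey: str = "generate") -> str:
    """Constructed dsm.opt text resembling Roger's setup (not a real customer file)."""
    return rf"""
* dsm.opt -- constructed sample
NODENAME         LAB-WS01
TCPSERVERADDRESS tsm.example.internal
PASSWORDACCESS   generate
ENCRYPTKEY       {encryptkey}
ENCRYPTIONTYPE   AES256
Include.encrypt  c:\...\*
"""


def parse_options(text: str) -> list:
    """Return (OPTION, value) pairs in file order; option names upper-cased."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank or comment line
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((parts[0].upper(), value))
    return pairs


def audit_key_handling(text: str) -> dict:
    """Report how encryption keys are handled and which files are covered."""
    pairs = parse_options(text)
    last = {}
    for name, value in pairs:
        last[name] = value      # later duplicates win here; verify against your client
    encryptkey = last.get("ENCRYPTKEY", "save").lower()        # assumed default
    pwaccess = last.get("PASSWORDACCESS", "prompt").lower()    # assumed default
    encrypt_rules = [v for n, v in pairs if n == "INCLUDE.ENCRYPT"]

    findings = []
    if not encrypt_rules:
        findings.append("no INCLUDE.ENCRYPT rule: client-side encryption applies to no files")
    elif pwaccess == "generate" and encryptkey in ("generate", "save"):
        # Key is escrowed on the server (GENERATE) or kept in the local password
        # file (SAVE), and the node password is stored too: a restore on this
        # node needs no interactive secret, which is the gap Roger describes.
        findings.append(
            "unattended restore: ENCRYPTKEY %s with PASSWORDACCESS GENERATE lets "
            "anyone who can run the client on this node restore encrypted files "
            "without entering a password or key" % encryptkey.upper())
    elif encryptkey == "prompt":
        # Closes the unattended path, but the key is typed for every operation:
        # no scheduled backups of encrypted files and no escrow on the server.
        findings.append(
            "ENCRYPTKEY PROMPT: key must be typed for each operation, so scheduled "
            "backups of encrypted files cannot run unattended and no key is escrowed")
    return {"encryptkey": encryptkey, "passwordaccess": pwaccess,
            "include_encrypt": encrypt_rules, "findings": findings}


if __name__ == "__main__":
    for variant in ("generate", "prompt"):
        print(variant, audit_key_handling(sample_dsm_opt(variant)))
```

Running it against a real `dsm.opt` (read the file and pass its text) gives a quick inventory across nodes of which ones carry the escrow-plus-stored-password combination, which is the population the shutdown/boot-drive-encryption guidance in the post has to reach.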


Get rid of old encryption key on tapes.

2015-11-04 Thread Plair, Ricky
Need a lot of help with this one.

We have changed from using IBM Encryption Key Management to IBM Security Key 
Lifecycle Manager for encrypting tapes in our TS3310 library using TSM 7.1.1 
on a Linux system. The problem is all the tapes have been encrypted by the old 
EKM and now we are using SKLM. TSM rejects the tape because it already has an 
encryption key from EKM. I don't need the data that is on any of the tapes, I 
just need to be able to use them with SKLM. I have used the LABEL command with 
the OVERWRITE option and that seems to work on some but not many.

How can I get rid of the old EKM encryption key on each tape so it will get a 
new encryption key from SKLM?

Thanks for any help, this is a doozy.

Ricky M. Plair
Storage Engineer
HealthPlan Services
Office: 813 289 1000 Ext 2273
Mobile: 813 357 9673





Re: Tape Encryption

2015-07-08 Thread David Ehresman
The TSM Redbook found at http://www.redbooks.ibm.com/redbooks/pdfs/sg247505.pdf 
has a chapter on TSM managed tape encryption and how it is handled.

David

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
McWilliams, Eric
Sent: Wednesday, July 08, 2015 2:50 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Tape Encryption

We are currently encrypting our data as it is being written to tape.  The 
auditors want to know how the encryption keys are managed.  All I can find is 
that the keys are managed by the Tivoli Storage Manager.

Does anyone have any documentation that explains how the keys are managed and 
what keeps someone from decrypting a tape that is lost or stolen?

tsm: >q dev ltodevc f=d

             Device Class Name: LTODEVC
        Device Access Strategy: Sequential
            Storage Pool Count: 1
                   Device Type: LTO
                        Format: DRIVE
         Est/Max Capacity (MB):
                   Mount Limit: DRIVES
              Mount Wait (min): 60
         Mount Retention (min): 60
                  Label Prefix: ADSM
                  Drive Letter:
                       Library: MEDSLIB
                     Directory:
                   Server Name:
                  Retry Period:
                Retry Interval:
                      Twosided:
                        Shared:
            High-level Address:
              Minimum Capacity:
                          WORM: No
              Drive Encryption: On
               Scaled Capacity:
       Primary Allocation (MB):
     Secondary Allocation (MB):
                   Compression:
                     Retention:
                    Protection:
               Expiration Date:
                          Unit:
      Logical Block Protection: No
Last Update by (administrator):
         Last Update Date/Time: 12/08/2014 13:14:44

                   Volume Name: XXX
             Storage Pool Name: TAPEPOOL
             Device Class Name: LTODEVC
            Estimated Capacity: 2.3 T
       Scaled Capacity Applied:
                      Pct Util: 100.0
                 Volume Status: Full
                        Access: Read/Write
        Pct. Reclaimable Space: 0.0
               Scratch Volume?: Yes
               In Error State?: No
      Number of Writable Sides: 1
       Number of Times Mounted: 1
             Write Pass Number: 1
     Approx. Date Last Written: 07/02/2015 05:16:24
        Approx. Date Last Read: 07/02/2015 05:16:24
           Date Became Pending:
        Number of Write Errors: 0
         Number of Read Errors: 0
               Volume Location:
 Volume is MVS Lanfree Capable : No
Last Update by (administrator):
         Last Update Date/Time: 06/30/2015 18:17:40
          Begin Reclaim Period:
            End Reclaim Period:
  Drive Encryption Key Manager: Tivoli Storage Manager
       Logical Block Protected: No

Thanks

Eric

**
*** CONFIDENTIALITY NOTICE *** 

 This message and any included attachments are from MedSynergies, Inc. and are 
intended only for the addressee. The contents of this message contain 
confidential information belonging to the sender that is legally protected. 
Unauthorized forwarding, printing, copying, distribution, or use of such 
information is strictly prohibited and may be unlawful. If you are not the 
addressee, please promptly delete this message and notify the sender of the 
delivery error by e-mail or contact MedSynergies, Inc. at 
postmas...@medsynergies.com.


Re: Tape Encryption

2015-07-08 Thread Thomas Denier
The Redbook "IBM Tivoli Storage Manager: Building a Secure Environment" 
(SG24-7505-00) goes into a bit more detail.

A stolen storage pool tape is not, in and of itself, a security exposure; the 
thief will not have access to the TSM database entry containing the encryption 
key. If someone steals a storage pool tape and the various items needed for a 
database restore (database backup tape, volume history file, and device 
configuration file), they can decrypt the contents of the storage pool tape, as 
long as they have the necessary hardware and the knowledge needed to carry out 
what amounts to a TSM DR process.

Thomas Denier
Thomas Jefferson University

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
McWilliams, Eric
Sent: Wednesday, July 08, 2015 2:50 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Tape Encryption

We are currently encrypting our data as it is being written to tape.  The 
auditors want to know how the encryption keys are managed.  All I can find is 
that the keys are managed by the Tivoli Storage Manager.

Does anyone have any documentation that explains how the keys are managed and 
what keeps someone from decrypting a tape that is lost or stolen?

tsm: >q dev ltodevc f=d

             Device Class Name: LTODEVC
        Device Access Strategy: Sequential
            Storage Pool Count: 1
                   Device Type: LTO
                        Format: DRIVE
         Est/Max Capacity (MB):
                   Mount Limit: DRIVES
              Mount Wait (min): 60
         Mount Retention (min): 60
                  Label Prefix: ADSM
                  Drive Letter:
                       Library: MEDSLIB
                     Directory:
                   Server Name:
                  Retry Period:
                Retry Interval:
                      Twosided:
                        Shared:
            High-level Address:
              Minimum Capacity:
                          WORM: No
              Drive Encryption: On
               Scaled Capacity:
       Primary Allocation (MB):
     Secondary Allocation (MB):
                   Compression:
                     Retention:
                    Protection:
               Expiration Date:
                          Unit:
      Logical Block Protection: No
Last Update by (administrator):
         Last Update Date/Time: 12/08/2014 13:14:44

                   Volume Name: XXX
             Storage Pool Name: TAPEPOOL
             Device Class Name: LTODEVC
            Estimated Capacity: 2.3 T
       Scaled Capacity Applied:
                      Pct Util: 100.0
                 Volume Status: Full
                        Access: Read/Write
        Pct. Reclaimable Space: 0.0
               Scratch Volume?: Yes
               In Error State?: No
      Number of Writable Sides: 1
       Number of Times Mounted: 1
             Write Pass Number: 1
     Approx. Date Last Written: 07/02/2015 05:16:24
        Approx. Date Last Read: 07/02/2015 05:16:24
           Date Became Pending:
        Number of Write Errors: 0
         Number of Read Errors: 0
               Volume Location:
 Volume is MVS Lanfree Capable : No
Last Update by (administrator):
         Last Update Date/Time: 06/30/2015 18:17:40
          Begin Reclaim Period:
            End Reclaim Period:
  Drive Encryption Key Manager: Tivoli Storage Manager
       Logical Block Protected: No

Thanks

Eric

The information contained in this transmission contains privileged and 
confidential information. It is intended only for the use of the person named 
above. If you are not the intended recipient, you are hereby notified that any 
review, dissemination, distribution or duplication of this communication is 
strictly prohibited. If you are not the intended recipient, please contact the 
sender by reply email and destroy all copies of the original message.

CAUTION: Intended recipients should NOT use email communication for emergent or 
urgent health care matters.
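Added example, not IBM's implementation and not code from the thread, modelling the key dependency Thomas describes and that Eric's auditors are asking about: with "Drive Encryption Key Manager: Tivoli Storage Manager" the server keeps one random data key per volume in its database and hands it to the drive at mount time, so the cartridge carries only ciphertext, while the cartridge plus the database restore materials (DB backup, volume history, device configuration) yield cleartext. A toy keystream (SHA-256 in counter mode) stands in for the drive's AES-256 so that this runs with the standard library alone; the location of the key, not the cipher, is what it demonstrates. Volume names and the record content are constructed.

```python
"""Key-dependency model for TSM-managed (application-managed) tape encryption.

Added example, not IBM code. The toy stream cipher is NOT AES and exists only
so the model runs offline; a real drive uses AES-256.
"""
import hashlib
import secrets


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || block counter). Symmetric: apply twice to decrypt."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TsmServer:
    """The server in its role as the drive encryption key manager."""

    def __init__(self, database=None):
        # volume name -> 256-bit data key; this table exists only in the TSM DB
        self.database = dict(database or {})

    def write_volume(self, volume: str, cleartext: bytes) -> dict:
        key = secrets.token_bytes(32)            # fresh data key per volume
        self.database[volume] = key
        # What leaves the building on the cartridge: the label and ciphertext,
        # never the key itself.
        return {"volume": volume, "ciphertext": toy_stream_cipher(key, cleartext)}

    def read_volume(self, tape: dict) -> bytes:
        key = self.database[tape["volume"]]      # KeyError: this server never knew it
        return toy_stream_cipher(key, tape["ciphertext"])

    def database_backup(self) -> dict:
        """What a DB backup tape (with volhist and devconfig) carries: the key table."""
        return dict(self.database)


def read_with_tape_only(tape: dict):
    """Holder of just the cartridge: a server without the DB entry has no key."""
    try:
        return TsmServer().read_volume(tape)
    except KeyError:
        return None


def read_with_tape_and_db_backup(tape: dict, db_backup: dict) -> bytes:
    """Cartridge plus database restore materials: the DR path Thomas describes."""
    return TsmServer(database=db_backup).read_volume(tape)


def demo() -> dict:
    server = TsmServer()
    record = b"constructed PHI record: patient 0001, result normal"   # constructed
    tape = server.write_volume("A00001L6", record)                     # constructed volume
    backup = server.database_backup()
    return {
        "ciphertext_differs": tape["ciphertext"] != record,
        "tape_only": read_with_tape_only(tape),
        "tape_and_db": read_with_tape_and_db_backup(tape, backup),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading for an audit is that the database backup media, volume history and device configuration files sit inside the same protection boundary as the data tapes: their custody, offsite handling and destruction controls decide whether a lost storage-pool tape stays unreadable.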


Tape Encryption

2015-07-08 Thread McWilliams, Eric
We are currently encrypting our data as it is being written to tape.  The 
auditors want to know how the encryption keys are managed.  All I can find is 
that the keys are managed by the Tivoli Storage Manager.

Does anyone have any documentation that explains how the keys are managed and 
what keeps someone from decrypting a tape that is lost or stolen?

tsm: >q dev ltodevc f=d

             Device Class Name: LTODEVC
        Device Access Strategy: Sequential
            Storage Pool Count: 1
                   Device Type: LTO
                        Format: DRIVE
         Est/Max Capacity (MB):
                   Mount Limit: DRIVES
              Mount Wait (min): 60
         Mount Retention (min): 60
                  Label Prefix: ADSM
                  Drive Letter:
                       Library: MEDSLIB
                     Directory:
                   Server Name:
                  Retry Period:
                Retry Interval:
                      Twosided:
                        Shared:
            High-level Address:
              Minimum Capacity:
                          WORM: No
              Drive Encryption: On
               Scaled Capacity:
       Primary Allocation (MB):
     Secondary Allocation (MB):
                   Compression:
                     Retention:
                    Protection:
               Expiration Date:
                          Unit:
      Logical Block Protection: No
Last Update by (administrator):
         Last Update Date/Time: 12/08/2014 13:14:44

                   Volume Name: XXX
             Storage Pool Name: TAPEPOOL
             Device Class Name: LTODEVC
            Estimated Capacity: 2.3 T
       Scaled Capacity Applied:
                      Pct Util: 100.0
                 Volume Status: Full
                        Access: Read/Write
        Pct. Reclaimable Space: 0.0
               Scratch Volume?: Yes
               In Error State?: No
      Number of Writable Sides: 1
       Number of Times Mounted: 1
             Write Pass Number: 1
     Approx. Date Last Written: 07/02/2015 05:16:24
        Approx. Date Last Read: 07/02/2015 05:16:24
           Date Became Pending:
        Number of Write Errors: 0
         Number of Read Errors: 0
               Volume Location:
 Volume is MVS Lanfree Capable : No
Last Update by (administrator):
         Last Update Date/Time: 06/30/2015 18:17:40
          Begin Reclaim Period:
            End Reclaim Period:
  Drive Encryption Key Manager: Tivoli Storage Manager
       Logical Block Protected: No

Thanks

Eric



Re: Old Technote: TSM encryption compliance with FIPS 140-2

2015-03-16 Thread Mitchell, Ruth Slovik
Hi Del,

That's very much appreciated!

Best,
Ruth
U of I, Urbana, IL

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Del 
Hoobler
Sent: Monday, March 16, 2015 5:57 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Old Technote: TSM encryption compliance with FIPS 140-2

Hi Ruth,

You did it the correct way.
I have also reached out to the team to get your comment sent to the owner of 
that specific technote.


Del






"ADSM: Dist Stor Manager"  wrote on 03/12/2015
05:56:34 PM:

> From: "Mitchell, Ruth Slovik" 
> To: ADSM-L@VM.MARIST.EDU
> Date: 03/12/2015 05:57 PM
> Subject: Old Technote: TSM encryption compliance with FIPS 140-2
> Sent by: "ADSM: Dist Stor Manager" 
>
> Hi All,
>
> I know we all grapple with outdated online documentation from time to 
> time. Does anyone have a suggestion for the best way to request IBM 
> update an out of date technote? I've already submitted feedback via 
> the 'rate this page' link. Is it better to open a service request? To 
> me that seems like overkill.
>
> The page in question is http://www-01.ibm.com/support/docview.wss?uid=swg21442342, 
> last updated in 2012. We'd like to point customers to a current IBM page for 
> this type of information, but such out of date details aren't very helpful.
>
> Thanks in advance for recommendations.
>
> Ruth
> U of I, Urbana, IL
>


Re: Old Technote: TSM encryption compliance with FIPS 140-2

2015-03-16 Thread Del Hoobler
Hi Ruth,

You did it the correct way.
I have also reached out to the team to get your comment
sent to the owner of that specific technote.


Del






"ADSM: Dist Stor Manager"  wrote on 03/12/2015
05:56:34 PM:

> From: "Mitchell, Ruth Slovik" 
> To: ADSM-L@VM.MARIST.EDU
> Date: 03/12/2015 05:57 PM
> Subject: Old Technote: TSM encryption compliance with FIPS 140-2
> Sent by: "ADSM: Dist Stor Manager" 
>
> Hi All,
>
> I know we all grapple with outdated online documentation from time
> to time. Does anyone have a suggestion for the best way to request
> IBM update an out of date technote? I've already submitted feedback
> via the 'rate this page' link. Is it better to open a service
> request? To me that seems like overkill.
>
> The page in question is http://www-01.ibm.com/support/docview.wss?uid=swg21442342, 
> last updated in 2012. We'd like to point customers to a current IBM page for 
> this type of information, but such out of date details aren't very helpful.
>
> Thanks in advance for recommendations.
>
> Ruth
> U of I, Urbana, IL
>


Old Technote: TSM encryption compliance with FIPS 140-2

2015-03-12 Thread Mitchell, Ruth Slovik
Hi All,

I know we all grapple with outdated online documentation from time to time. 
Does anyone have a suggestion for the best way to request IBM update an out of 
date technote? I've already submitted feedback via the 'rate this page' link. 
Is it better to open a service request? To me that seems like overkill.

The page in question is http://www-01.ibm.com/support/docview.wss?uid=swg21442342, 
last updated in 2012. We'd like to point customers to a current IBM page for 
this type of information, but such out of date details aren't very helpful.

Thanks in advance for recommendations.

Ruth
U of I, Urbana, IL


Re: TSM based encryption

2014-10-03 Thread Prather, Wanda
No problems with the export/import.

But,
if you are talking about encryption that is done by the TSM client, it is 
encrypted before being sent to the server, and when it's transmitted to the new 
server it will still be encrypted.

If you are talking about the TSM server managing encryption being done by tape 
drives, when the data is read back the drive will decrypt it, and it will be 
transmitted to the new server in non-encrypted form.  Whether it's encrypted on 
the target server depends on whether you are encrypting the target media.



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Ochs, 
Duane
Sent: Friday, October 03, 2014 1:42 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] TSM based encryption

Good day everyone,
I'm planning a large project for an acquired company and have no working 
experience with TSM based encryption.

Will I run into problems while doing server to server exports with data that 
was archived using TSM based encryption?

Thanks,
Duane
Follow Quad/Graphics in social media<http://www.qg.com/socialmedia>


TSM based encryption

2014-10-03 Thread Ochs, Duane
Good day everyone,
I'm planning a large project for an acquired company and have no working 
experience with TSM based encryption.

Will I run into problems while doing server to server exports with data that 
was archived using TSM based encryption?

Thanks,
Duane
Follow Quad/Graphics in social media<http://www.qg.com/socialmedia>


Re: invalid encryption key

2013-09-27 Thread Prather, Wanda
Saw that once at a customer, was a V6 Windoze client.
Asked them to open a Tivoli ticket, but never got a follow up from them.
Please post back if you find out what did it!

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Ehresman,David E.
Sent: Friday, September 27, 2013 3:41 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] invalid encryption key

Anyone ever gotten a:

ANS1469E Error processing 
'/soft/soft2/autotree/autosys/log/chmod_cache.060402'; invalid encryption key.

message when doing a file system restore of a file system that has never had 
TSM encryption turned on?

David


invalid encryption key

2013-09-27 Thread Ehresman,David E.
Anyone ever gotten a:

ANS1469E Error processing 
'/soft/soft2/autotree/autosys/log/chmod_cache.060402'; invalid encryption key.

message when doing a file system restore of a file system that has never had 
TSM encryption turned on?

David


Re: Enabling Encryption in TS3500/E06 Drives

2013-09-03 Thread Billaudeau, Pierre
Hi Zoltan,
Is the drive encryption enabled at the OS level? On E05 drives, I had 
to update our AIX server drive definition:
chdev  -l 'rmt6' -a wrt_encryption='on'
I did not have to change anything on our new E07 drive, I guess they 
were set OK.

Pierre Billaudeau
SAQ
Montreal

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan 
Forray
Sent: 3 September 2013 11:15
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Enabling Encryption in TS3500/E06 Drives

Well, contrary to the response I received about this being as simple as 
changing the devclass value, I cannot get encryption to work.

I changed the devclass to  DRIVEENCRYPTION=ON and the first attempt to write a 
new tape fails with:

9/3/2013 9:59:03 AM ANR8985E The drive 7876475
(/dev/lin_tape/by-serial/07876475) in library TS3500-COPY is using an 
encryption method that is incompatible with the current server settings.

So, I figured I would check the hardware settings of the TS1130 -E06 drives.  
They were all set to NO ENCRYPTION.  I changed this to APPLICATION and figured 
that would take care of it. No such luck.  Same errors.

Tried resetting/cycling the drives - still nothing.

Tried taking all drives and paths offline, figuring this might reset/retrieve 
the new drive setting - still nothing - same errors.

Is there some library (TS3500) setting that may be blocking this?

So, what am I missing?




On Tue, Aug 20, 2013 at 12:34 PM, Zoltan Forray  wrote:

> Well, the saga is coming to a conclusion and I am going to activate
> encryption of offsite tapes, via AME/TSM.
>
> Is there anything more I need to do besides update the DEVCLASS to
> DRIVEENCRYPTION=ALLOW on all of my TSM servers?
>
> When I check the drive details via the TS3500 interface, it says
> encryption is disabled?  Do I need to go to each drive and enable it?
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations
> will never use email to request that you reply with your password,
> social security number or confidential personal information. For more
> details visit http://infosecurity.vcu.edu/phishing.html
>



--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never 
use email to request that you reply with your password, social security number 
or confidential personal information. For more details visit 
http://infosecurity.vcu.edu/phishing.html

--


Confidential information: This message, as well as any file attached to it, is 
sent for the exclusive use of its intended recipient(s); it is confidential in 
nature and may constitute privileged information. We advise any person other 
than the intended recipient that any review, forwarding, printing, copying, 
distribution or other use of this message and of any attached file is strictly 
prohibited. If you are not the intended recipient, please notify the sender 
immediately by return e-mail and delete this message and any attached document 
from your system. Thank you.


Re: Enabling Encryption in TS3500/E06 Drives

2013-09-03 Thread Zoltan Forray
Well, contrary to the response I received about this being as simple as
changing the devclass value, I cannot get encryption to work.

I changed the devclass to  DRIVEENCRYPTION=ON and the first attempt to
write a new tape fails with:

9/3/2013 9:59:03 AM ANR8985E The drive 7876475
(/dev/lin_tape/by-serial/07876475) in library TS3500-COPY is using an
encryption method that is incompatible with the current server settings.

So, I figured I would check the hardware settings of the TS1130 -E06
drives.  They were all set to NO ENCRYPTION.  I changed this to APPLICATION
and figured that would take care of it. No such luck.  Same errors.

Tried resetting/cycling the drives - still nothing.

Tried taking all drives and paths offline, figuring this might
reset/retrieve the new drive setting - still nothing - same errors.

Is there some library (TS3500) setting that may be blocking this?

So, what am I missing?




On Tue, Aug 20, 2013 at 12:34 PM, Zoltan Forray  wrote:

> Well, the saga is coming to a conclusion and I am going to activate
> encryption of offsite tapes, via AME/TSM.
>
> Is there anything more I need to do besides update the DEVCLASS to
> DRIVEENCRYPTION=ALLOW on all of my TSM servers?
>
> When I check the drive details via the TS3500 interface, it says
> encryption is disabled?  Do I need to go to each drive and enable it?
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html
>



--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html
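Added example, not from the thread and not IBM code: a short activity-log scan for the ANR8985E message Zoltan posted, grouping occurrences by library and drive. When working an incompatibility like this one, the first thing worth knowing is whether the mismatch is confined to one drive (pointing at that drive's own setting or path) or hits every drive in the library (pointing at the devclass or a library-wide setting), and a count per drive answers that faster than reading the log by eye. The log excerpt below is constructed; its ANR8985E lines copy the format of the one in the thread, and the ANR2017I line is present only as a non-matching neighbour.

```python
"""Group ANR8985E drive-encryption mismatches from TSM activity-log text.

Added example, not IBM code. Message format taken from the line posted on
the list; the sample log is constructed.
"""
import re
from collections import defaultdict

# Constructed activity-log excerpt (not real server output).
SAMPLE_ACTLOG = """\
9/3/2013 9:55:41 AM ANR2017I Administrator ADMIN issued command: UPDATE DEVCLASS TS3500COPY DRIVEENCRYPTION=ON
9/3/2013 9:59:03 AM ANR8985E The drive 7876475 (/dev/lin_tape/by-serial/07876475) in library TS3500-COPY is using an encryption method that is incompatible with the current server settings.
9/3/2013 10:01:22 AM ANR8985E The drive 7876476 (/dev/lin_tape/by-serial/07876476) in library TS3500-COPY is using an encryption method that is incompatible with the current server settings.
9/3/2013 10:07:48 AM ANR8985E The drive 7876475 (/dev/lin_tape/by-serial/07876475) in library TS3500-COPY is using an encryption method that is incompatible with the current server settings.
"""

# Timestamp, drive id, device path and library name, in the layout of the posted message.
ANR8985E = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) ANR8985E "
    r"The drive (?P<drive>\S+) \((?P<path>[^)]+)\) in library (?P<library>\S+) "
    r"is using an encryption method that is incompatible"
)


def summarize_encryption_mismatches(actlog_text: str) -> dict:
    """Return {library: {drive: {"path", "count", "first", "last"}}}."""
    report = defaultdict(dict)
    for line in actlog_text.splitlines():
        m = ANR8985E.match(line.strip())
        if not m:
            continue                      # any other message id is ignored
        entry = report[m["library"]].setdefault(
            m["drive"], {"path": m["path"], "count": 0, "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]           # lines are in log order, so last seen wins
    return dict(report)


def affected_drives(actlog_text: str, library: str) -> list:
    """Sorted drive ids in the given library with at least one mismatch."""
    return sorted(summarize_encryption_mismatches(actlog_text).get(library, {}))


if __name__ == "__main__":
    for library, drives in summarize_encryption_mismatches(SAMPLE_ACTLOG).items():
        print(library)
        for drive, info in sorted(drives.items()):
            print("  drive %s (%s): %d mismatch(es), first %s, last %s"
                  % (drive, info["path"], info["count"], info["first"], info["last"]))
```

Feed it the output of `query actlog` for the window after the devclass change; if every drive in the library appears, the devclass and the drive-side encryption mode are being compared library-wide, and a single drive in the list points at that drive's own state.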


Re: Enabling Encryption in TS3500/E06 Drives

2013-09-03 Thread Zoltan Forray
Sorry - I should have mentioned this is Redhat Linux


On Tue, Sep 3, 2013 at 11:42 AM, Billaudeau, Pierre wrote:

> Hi Zoltan,
> Is the drive encryption enabled at the OS level? On E05 drives, I
> had to update our AIX server drive definition:
> chdev  -l 'rmt6' -a wrt_encryption='on'
> I did not have to change anything to our new E07 drive, I guess
> they were set OK.
>
> Pierre Billaudeau
> SAQ
> Montreal
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Zoltan Forray
> Sent: 3 September 2013 11:15
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Enabling Encryption in TS3500/E06 Drives
>
> Well, contrary to the response I received about this being as simple as
> changing the devclass value, I cannot get encryption to work.
>
> I changed the devclass to  DRIVEENCRYPTION=ON and the first attempt to
> write a new tape fails with:
>
> 9/3/2013 9:59:03 AM ANR8985E The drive 7876475
> (/dev/lin_tape/by-serial/07876475) in library TS3500-COPY is using an
> encryption method that is incompatible with the current server settings.
>
> So, I figured I would check the hardware settings of the TS1130 -E06
> drives.  They were all set to NO ENCRYPTION.  I changed this to APPLICATION
> and figured that would take care of it. No such luck.  Same errors.
>
> Tried resetting/cycling the drives - still nothing.
>
> Tried taking all drives and paths offline, figuring this might
> reset/retrieve the new drive setting - still nothing - same errors.
>
> Is there some library (TS3500) setting that may be blocking this?
>
> So, what am I missing?
>
>
>
>
> On Tue, Aug 20, 2013 at 12:34 PM, Zoltan Forray  wrote:
>
> > Well, the saga is coming to a conclusion and I am going to activate
> > encryption of offsite tapes, via AME/TSM.
> >
> > Is there anything more I need to do besides update the DEVCLASS to
> > DRIVEENCRYPTION=ALLOW on all of my TSM servers?
> >
> > When I check the drive details via the TS3500 interface, it says
> > encryption is disabled?  Do I need to go to each drive and enable it?
> >
> > --
> > *Zoltan Forray*
> > TSM Software & Hardware Administrator
> > Virginia Commonwealth University
> > UCC/Office of Technology Services
> > zfor...@vcu.edu - 804-828-4807
> > Don't be a phishing victim - VCU and other reputable organizations
> > will never use email to request that you reply with your password,
> > social security number or confidential personal information. For more
> > details visit http://infosecurity.vcu.edu/phishing.html
> >
>
>
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html
>
>



-- 
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html


Enabling Encryption in TS3500/E06 Drives

2013-08-20 Thread Zoltan Forray
Well, the saga is coming to a conclusion and I am going to activate
encryption of offsite tapes, via AME/TSM.

Is there anything more I need to do besides update the DEVCLASS to
DRIVEENCRYPTION=ALLOW on all of my TSM servers?

When I check the drive details via the TS3500 interface, it says encryption
is disabled?  Do I need to go to each drive and enable it?

--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html


Re: Implementing Encryption

2013-04-10 Thread Zoltan Forray
True, those pages don't mention a tape library.  In this document on the
TS3500 Tape Library:

http://publib.boulder.ibm.com/infocenter/ts3500tl/v1r0/index.jsp?topic=%2Fcom.ibm.storage.ts3500.doc%2Fipg_3584_managing_encrypt.html

It says:
Planning for application-managed encryption

This topic explains application-managed encryption (AME).

This method is best where operating environments run an application already
capable of generating and managing encryption policies and keys, such as
Tivoli® Storage Manager (TSM). Policies specifying when encryption is to be
used are defined through the application interface. The policies and keys
pass through the data path between the application layer and the encrypting
tape drives. Encryption is the result of interaction between the
application and the encryption-enabled tape drive, and does not require any
changes to the system and library layers. Because the application manages
the encryption keys, data volumes written and encrypted using the
application-managed encryption method can only be read by the same software
application that wrote them.

A key manager *is not required by, or used by, application-managed tape
encryption*.

On Wed, Apr 10, 2013 at 2:04 PM, Alex Paschal wrote:

> That's odd.  On page 23 it didn't mention anything about a robot being
> in the AME workflow.  Might it be on another page?
>
> In the Redbook, AME is on pages 34-37.  There is no mention of the
> library itself being in the data key workflow.
>
> I don't know what to tell you about the conflict.  All I can do is to
> give you my citations.  Please let us know if you find some way to
> answer the question.
>
> On 4/10/2013 7:23 AM, Zoltan Forray wrote:
>
>> *I don't think there's anything else you need to do.  With AME, the
>> robot doesn't talk to TSM for the keys - it's done strictly at the tape
>> drive level.*
>>
>>
>> You are the second person to make such a comment when documentation I have
>> found says exactly the opposite.  With AME, the TSM server managing the
>> robot acts as the EKM.  The drive requests the key from the robot/ATL which,
>> since it was told it is using AME, passes the request to the TSM server,
>> which in turn generates the key and passes it back to the ATL/drive.  From
>> this doc (yes I know it is old but a newer document sent to me says the same
>> thing):
>>
>> http://tsm-symposium.oucs.ox.ac.uk/2007/papers/Christina%20Coutts%20-%20Tape%20Drive%20Encryption.pdf
>>
>> on page 23, it states:
>>
>> *TSM Application Managed Encryption (AME)*
>>
>>
>> TSM generates, encrypts and stores the key in the DB with other meta data
>> - Provides interface to key services
>> - Associates correct key with file
>>
>>
>> On Tue, Apr 9, 2013 at 6:03 PM, Alex Paschal wrote:
>>
>>> Oh, sorry, rest of the question.  It's easy to convert from AME to LME -
>>> create new library partition, new devclass, set up for LME. Rename some
>>> stgpools and recreate them using the new devclass so you don't have to
>>> modify your daily maintenance scripts or copygroups. Then attrition,
>>> reclamation, or move data scripts.  Pretty much the same way you'd
>>> handle any other media refresh.
>>>
>>> I don't think there's anything else you need to do.  With AME, the robot
>>> doesn't talk to TSM for the keys - it's done strictly at the tape drive
>>> level.  TSM requests a tape mount, the robot moves the tape to the
>>> drive, the drive mounts and sends the volser to TSM, TSM looks up the
>>> data key in the db, sends the data key to the drive, the drive uses the
>>> data key to encrypt.  It's described pretty well in the IBM System
>>> Storage Open Systems Tape Encryption Solutions redbook.
>>> http://www.redbooks.ibm.com/abstracts/sg247907.html
>>>
>>>
>>>
>>> On 4/9/2013 9:39 AM, Zoltan Forray wrote:
>>>
>>>> Well folks, this project keeps changing.  Originally figured we would use
>>>> EKM/TKLM but then discussions brought it back to, why not just AME/TSM
>>>> handle the encryption - do we need to encrypt the DB?
>>>>
>>>> So, while we are pending a response from the security/auditor folks about
>>>> AME being sufficient, the

Re: Implementing Encryption

2013-04-10 Thread Alex Paschal

That's odd.  On page 23 it didn't mention anything about a robot being
in the AME workflow.  Might it be on another page?

In the Redbook, AME is on pages 34-37.  There is no mention of the
library itself being in the data key workflow.

I don't know what to tell you about the conflict.  All I can do is to
give you my citations.  Please let us know if you find some way to
answer the question.

On 4/10/2013 7:23 AM, Zoltan Forray wrote:

*I don't think there's anything else you need to do.  With AME, the
robot doesn't talk to TSM for the keys - it's done strictly at the tape
drive level.*

You are the second person to make such a comment when documentation I have
found says exactly the opposite.  With AME, the TSM server managing the
robot acts as the EKM.  The drive requests the key from the robot/ATL which,
since it was told it is using AME, passes the request to the TSM server,
which in turn generates the key and passes it back to the ATL/drive.  From
this doc (yes I know it is old but a newer document sent to me says the same
thing):

http://tsm-symposium.oucs.ox.ac.uk/2007/papers/Christina%20Coutts%20-%20Tape%20Drive%20Encryption.pdf

on page 23, it states:

*TSM Application Managed Encryption (AME)*

TSM generates, encrypts and stores the key in the DB with other meta data
- Provides interface to key services
- Associates correct key with file


On Tue, Apr 9, 2013 at 6:03 PM, Alex Paschal wrote:


Oh, sorry, rest of the question.  It's easy to convert from AME to LME -
create new library partition, new devclass, set up for LME. Rename some
stgpools and recreate them using the new devclass so you don't have to
modify your daily maintenance scripts or copygroups. Then attrition,
reclamation, or move data scripts.  Pretty much the same way you'd
handle any other media refresh.

I don't think there's anything else you need to do.  With AME, the robot
doesn't talk to TSM for the keys - it's done strictly at the tape drive
level.  TSM requests a tape mount, the robot moves the tape to the
drive, the drive mounts and sends the volser to TSM, TSM looks up the
data key in the db, sends the data key to the drive, the drive uses the
data key to encrypt.  It's described pretty well in the IBM System
Storage Open Systems Tape Encryption Solutions redbook.
http://www.redbooks.ibm.com/**abstracts/sg247907.html<http://www.redbooks.ibm.com/abstracts/sg247907.html>


On 4/9/2013 9:39 AM, Zoltan Forray wrote:


Well folks, this project keeps changing.  Originally figured we would use
EKM/TKLM but then discussions brought it back to, why not just AME/TSM
handle the encryption - do we need to encrypt the DB?

So, while we are pending a response from the security/auditor folks about
AME being sufficient, the question arose asking "what if we implement AME
and then the powers-that-be say it isn't good enough and they want the DB
encrypted as well, forcing us to move to LME"? How much of a pain-in-the..
would that be?  What is the impact?

On the subject of implementing AME, besides saying UPDATE DEVCLASS ..
DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and
selecting "Encryption Method - Application Managed" and making sure all the
TS1130 drives have encryption turned on - what else do I need to do?  How does
the robot know to talk to TSM for the keys?

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

Zoltan, BTDTGTTS.

You first decide if you want to use TSM-managed or externally-managed
(EKM) encryption.

With TSM encryption, it really is just as simple as creating a devclass
and creating storage pools pointing to that devclass.
(Plus you have to set the encryption mode on the logical library to
application-managed.)

TSM creates its own keys, stores them in the TSM DB, passes the keys to
the drives and tells the drives to encrypt the tapes.
The encryption is still done outboard by the hardware.
Has the wonderful advantage of being simple, free, and unbreakable.
Your hands never touch the keys, it's totally transparent to everybody.
You can't hurt it.
No implications for DR.  No reason not to use it.
TSM development doesn't get enough credit for making this easy and free.

OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT
tapes, nor BACKUPSET tapes.

With externally-managed encryption, the keys are managed by the EKM.
TSM doesn't know it's happening.
You set the encryption mode on the library to library-managed.
The EKM has to be run on a server.  It is a pay-for product.
But the cost of the software is trivial compared to the implementation
cost.
High learning curve.  Lots of testing required to make sure you can
recover.

You have to be careful about protecting the EKM; you have to recover the
EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)
It is possi

Re: Implementing Encryption

2013-04-10 Thread Zoltan Forray
> *I don't think there's anything else you need to do.  With AME, the
> robot doesn't talk to TSM for the keys - it's done strictly at the tape
> drive level.*

You are the second person to make such a comment when documentation I have
found says exactly the opposite.  With AME, the TSM server managing the
robot acts as the EKM.  The drive requests the key from the robot/ATL which,
since it was told it is using AME, passes the request to the TSM server,
which in turn generates the key and passes it back to the ATL/drive.  From
this doc (yes I know it is old but a newer document sent to me says the same
thing):

http://tsm-symposium.oucs.ox.ac.uk/2007/papers/Christina%20Coutts%20-%20Tape%20Drive%20Encryption.pdf

on page 23, it states:

*TSM Application Managed Encryption (AME)*

TSM generates, encrypts and stores the key in the DB with other meta data
- Provides interface to key services
- Associates correct key with file


On Tue, Apr 9, 2013 at 6:03 PM, Alex Paschal wrote:

> Oh, sorry, rest of the question.  It's easy to convert from AME to LME -
> create new library partition, new devclass, set up for LME. Rename some
> stgpools and recreate them using the new devclass so you don't have to
> modify your daily maintenance scripts or copygroups. Then attrition,
> reclamation, or move data scripts.  Pretty much the same way you'd
> handle any other media refresh.
>
> I don't think there's anything else you need to do.  With AME, the robot
> doesn't talk to TSM for the keys - it's done strictly at the tape drive
> level.  TSM requests a tape mount, the robot moves the tape to the
> drive, the drive mounts and sends the volser to TSM, TSM looks up the
> data key in the db, sends the data key to the drive, the drive uses the
> data key to encrypt.  It's described pretty well in the IBM System
> Storage Open Systems Tape Encryption Solutions redbook.
> http://www.redbooks.ibm.com/**abstracts/sg247907.html<http://www.redbooks.ibm.com/abstracts/sg247907.html>
>
>
> On 4/9/2013 9:39 AM, Zoltan Forray wrote:
>
>> Well folks, this project keeps changing.  Originally figured we would use
>> EKM/TKLM but then discussions brought it back to, why not just AME/TSM
>> handle the encryption - do we need to encrypt the DB?
>>
>> So, while we are pending a response from the security/auditor folks about
>> AME being sufficient, the question arose asking "what if we implement AME
>> and then the powers-that-be say it isn't good enough and they want the DB
>> encrypted as well, forcing us to move to LME"? How much of a pain-in-the..
>> would that be?  What is the impact?
>>
>> On the subject of implementing AME, besides saying UPDATE DEVCLASS ..
>> DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and
>> selecting "Encryption Method - Application Managed" and making sure all the
>> TS1130 drives have encryption turned on - what else do I need to do?  How
>> does the robot know to talk to TSM for the keys?
>>
>> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>>
>>> Zoltan, BTDTGTTS.
>>>
>>> You first decide if you want to use TSM-managed or externally-managed
>>> (EKM) encryption.
>>>
>>> With TSM encryption, it really is just as simple as creating a devclass
>>> and creating storage pools pointing to that devclass.
>>> (Plus you have to set the encryption mode on the logical library to
>>> application-managed.)
>>>
>>> TSM creates its own keys, stores them in the TSM DB, passes the keys to
>>> the drives and tells the drives to encrypt the tapes.
>>> The encryption is still done outboard by the hardware.
>>> Has the wonderful advantage of being simple, free, and unbreakable.
>>> Your hands never touch the keys, it's totally transparent to everybody.
>>> You can't hurt it.
>>> No implications for DR.  No reason not to use it.
>>> TSM development doesn't get enough credit for making this easy and free.
>>>
>>> OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT
>>> tapes, nor BACKUPSET tapes.
>>>
>>> With externally-managed encryption, the keys are managed by the EKM.
>>> TSM doesn't know it's happening.
>>> You set the encryption mode on the library to library-managed.
>>> The EKM has to be run on a server.  It is a pay-for product.
>>> But the cost of the software is trivial compared to the implementation
>>> cost.
>>> High learning curve.  Lots of testing required to make sure you can
>>> recov

Re: Implementing Encryption

2013-04-09 Thread Alex Paschal

Oh, sorry, rest of the question.  It's easy to convert from AME to LME -
create new library partition, new devclass, set up for LME. Rename some
stgpools and recreate them using the new devclass so you don't have to
modify your daily maintenance scripts or copygroups. Then attrition,
reclamation, or move data scripts.  Pretty much the same way you'd
handle any other media refresh.

I don't think there's anything else you need to do.  With AME, the robot
doesn't talk to TSM for the keys - it's done strictly at the tape drive
level.  TSM requests a tape mount, the robot moves the tape to the
drive, the drive mounts and sends the volser to TSM, TSM looks up the
data key in the db, sends the data key to the drive, the drive uses the
data key to encrypt.  It's described pretty well in the IBM System
Storage Open Systems Tape Encryption Solutions redbook.
http://www.redbooks.ibm.com/abstracts/sg247907.html

On 4/9/2013 9:39 AM, Zoltan Forray wrote:

Well folks, this project keeps changing.  Originally figured we would use
EKM/TKLM but then discussions brought it back to, why not just AME/TSM
handle the encryption - do we need to encrypt the DB?

So, while we are pending a response from the security/auditor folks about
AME being sufficient, the question arose asking "what if we implement AME
and then the powers-that-be say it isn't good enough and they want the DB
encrypted as well, forcing us to move to LME"? How much of a pain-in-the..
would that be?  What is the impact?

On the subject of implementing AME, besides saying UPDATE DEVCLASS ..
DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and
selecting "Encryption Method - Application Managed" and making sure all the
TS1130 drives have encryption turned on - what else do I need to do?  How does
the robot know to talk to TSM for the keys?

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:


Zoltan, BTDTGTTS.

You first decide if you want to use TSM-managed or externally-managed
(EKM) encryption.

With TSM encryption, it really is just as simple as creating a devclass
and creating storage pools pointing to that devclass.
(Plus you have to set the encryption mode on the logical library to
application-managed.)

TSM creates its own keys, stores them in the TSM DB, passes the keys to
the drives and tells the drives to encrypt the tapes.
The encryption is still done outboard by the hardware.
Has the wonderful advantage of being simple, free, and unbreakable.
Your hands never touch the keys, it's totally transparent to everybody.
You can't hurt it.
No implications for DR.  No reason not to use it.
TSM development doesn't get enough credit for making this easy and free.

OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT
tapes, nor BACKUPSET tapes.

With externally-managed encryption, the keys are managed by the EKM.
TSM doesn't know it's happening.
You set the encryption mode on the library to library-managed.
The EKM has to be run on a server.  It is a pay-for product.
But the cost of the software is trivial compared to the implementation
cost.
High learning curve.  Lots of testing required to make sure you can
recover.

You have to be careful about protecting the EKM; you have to recover the
EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)
It is possible (not likely, but possible) to get yourself in a DR
situation where NOBODY, including IBM, can read those encrypted tapes.
Test, test, CYA, test.
But with the EKM, your security group can control the key management,
certificate changing, etc.
And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

So if you have a requirement for encrypting backupsets, you need the EKM.
DEVCLASS change does not apply, as TSM knows nothing about the encryption.

If all you have is a requirement that BACKUP DATA on your storage pool
tapes (which isn't included in a DB backup tape) gets encrypted so that if
a tape falls off a truck there is no exposure to PII, choose TSM encryption
and just turn it on.

W





-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Zoltan Forray
Sent: Thursday, April 04, 2013 9:41 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Implementing Encryption

I know this sounds strange, but we need to implement encryption on our
TS1130 tapes.

Never having done this, I need some help/suggestions/war-stories/etc on
how to basically turn encryption on.  Is there a quick-and-dirty book on
the subject?

I understand the first thing would be to change the devclass for the tape
drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are
library managers).

Then I saw something about EKM to manage the keys.  Is this also
implemented on all TSM servers?


Re: Implementing Encryption

2013-04-09 Thread Alex Paschal

The real question is:  are you allowed to send the unencrypted keys (in
the unencrypted dbbackup) offsite in the same truck as the encrypted
tapes?  Or will you have to ship the dbbackup tape separately?

Or if you want to dodge that "gotcha," I suppose you could simply scp
the dbbackup to some server at another site, rather than sending the
dbbackup with your tapes.  Maybe rsync, because it can do block-level
incremental.  If you don't have a lot of change in your dbbackup, that
could save on bandwidth.


On 4/9/2013 9:39 AM, Zoltan Forray wrote:

Well folks, this project keeps changing.  Originally figured we would use
EKM/TKLM but then discussions brought it back to, why not just AME/TSM
handle the encryption - do we need to encrypt the DB?

So, while we are pending a response from the security/auditor folks about
AME being sufficient, the question arose asking "what if we implement AME
and then the powers-that-be say it isn't good enough and they want the DB
encrypted as well, forcing us to move to LME"? How much of a pain-in-the..
would that be?  What is the impact?

On the subject of implementing AME, besides saying UPDATE DEVCLASS ..
DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and
selecting "Encryption Method - Application Managed" and making sure all the
TS1130 drives have encryption turned on - what else do I need to do?  How does
the robot know to talk to TSM for the keys?

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:


Zoltan, BTDTGTTS.

You first decide if you want to use TSM-managed or externally-managed
(EKM) encryption.

With TSM encryption, it really is just as simple as creating a devclass
and creating storage pools pointing to that devclass.
(Plus you have to set the encryption mode on the logical library to
application-managed.)

TSM creates its own keys, stores them in the TSM DB, passes the keys to
the drives and tells the drives to encrypt the tapes.
The encryption is still done outboard by the hardware.
Has the wonderful advantage of being simple, free, and unbreakable.
Your hands never touch the keys, it's totally transparent to everybody.
You can't hurt it.
No implications for DR.  No reason not to use it.
TSM development doesn't get enough credit for making this easy and free.

OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT
tapes, nor BACKUPSET tapes.

With externally-managed encryption, the keys are managed by the EKM.
TSM doesn't know it's happening.
You set the encryption mode on the library to library-managed.
The EKM has to be run on a server.  It is a pay-for product.
But the cost of the software is trivial compared to the implementation
cost.
High learning curve.  Lots of testing required to make sure you can
recover.

You have to be careful about protecting the EKM; you have to recover the
EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)
It is possible (not likely, but possible) to get yourself in a DR
situation where NOBODY, including IBM, can read those encrypted tapes.
Test, test, CYA, test.
But with the EKM, your security group can control the key management,
certificate changing, etc.
And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

So if you have a requirement for encrypting backupsets, you need the EKM.
DEVCLASS change does not apply, as TSM knows nothing about the encryption.

If all you have is a requirement that BACKUP DATA on your storage pool
tapes (which isn't included in a DB backup tape) gets encrypted so that if
a tape falls off a truck there is no exposure to PII, choose TSM encryption
and just turn it on.

W





-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Zoltan Forray
Sent: Thursday, April 04, 2013 9:41 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Implementing Encryption

I know this sounds strange, but we need to implement encryption on our
TS1130 tapes.

Never having done this, I need some help/suggestions/war-stories/etc on
how to basically turn encryption on.  Is there a quick-and-dirty book on
the subject?

I understand the first thing would be to change the devclass for the tape
drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are
library managers).

Then I saw something about EKM to manage the keys.  Is this also
implemented on all TSM servers?






Re: Implementing Encryption

2013-04-09 Thread Zoltan Forray
Well folks, this project keeps changing.  Originally figured we would use
EKM/TKLM but then discussions brought it back to, why not just AME/TSM
handle the encryption - do we need to encrypt the DB?

So, while we are pending a response from the security/auditor folks about
AME being sufficient, the question arose asking "what if we implement AME
and then the powers-that-be say it isn't good enough and they want the DB
encrypted as well, forcing us to move to LME"? How much of a pain-in-the..
would that be?  What is the impact?

On the subject of implementing AME, besides saying UPDATE DEVCLASS ..
DRIVEE=ON and then going to the encryption controls of the 3494/TS3500 and
selecting "Encryption Method - Application Managed" and making sure all the
TS1130 drives have encryption turned on - what else do I need to do?  How does
the robot know to talk to TSM for the keys?

On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

> Zoltan, BTDTGTTS.
>
> You first decide if you want to use TSM-managed or externally-managed
> (EKM) encryption.
>
> With TSM encryption, it really is just as simple as creating a devclass
> and creating storage pools pointing to that devclass.
> (Plus you have to set the encryption mode on the logical library to
> application-managed.)
>
> TSM creates its own keys, stores them in the TSM DB, passes the keys to
> the drives and tells the drives to encrypt the tapes.
> The encryption is still done outboard by the hardware.
> Has the wonderful advantage of being simple, free, and unbreakable.
> Your hands never touch the keys, it's totally transparent to everybody.
> You can't hurt it.
> No implications for DR.  No reason not to use it.
> TSM development doesn't get enough credit for making this easy and free.
>
> OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT
> tapes, nor BACKUPSET tapes.
>
> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server.  It is a pay-for product.
> But the cost of the software is trivial compared to the implementation
> cost.
> High learning curve.  Lots of testing required to make sure you can
> recover.
>
> You have to be careful about protecting the EKM; you have to recover the
> EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR
> situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management,
> certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>
> So if you have a requirement for encrypting backupsets, you need the EKM.
> DEVCLASS change does not apply, as TSM knows nothing about the encryption.
>
> If all you have is a requirement that BACKUP DATA on your storage pool
> tapes (which isn't included in a DB backup tape) gets encrypted so that if
> a tape falls off a truck there is no exposure to PII, choose TSM encryption
> and just turn it on.
>
> W
>
>
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Zoltan Forray
> Sent: Thursday, April 04, 2013 9:41 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: [ADSM-L] Implementing Encryption
>
> I know this sounds strange, but we need to implement encryption on our
> TS1130 tapes.
>
> Never having done this, I need some help/suggestions/war-stories/etc on
> how to basically turn encryption on.  Is there a quick-and-dirty book on
> the subject?
>
> I understand the first thing would be to change the devclass for the tape
> drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are
> library managers).
>
> Then I saw something about EKM to manage the keys.  Is this also
> implemented on all TSM servers?
>
>





Re: Implementing Encryption

2013-04-05 Thread Zoltan Forray
Understood.  I do something similar right now.  Daily, my TSM servers
backup their volhist and devconfig files which are then SFTP'ed to an
offsite server (these are Linux systems).

On Fri, Apr 5, 2013 at 3:27 PM, Alex Paschal wrote:

> Be sure to create a Windows task or crontab script that copies your EKM
> keystore periodically and remotely.  And preferably not to TSM. :-)
>
>
> On 4/5/2013 6:30 AM, Zoltan Forray wrote:
>
>> Unfortunately, after discussing the choices with management, they decided
>> to choose LME vs AME.  So they want me to setup a Linux VM running  EKM
>> (onsite), as well as the EKM function on my offsite TSM server -
>> fun...funfun  I know the 3494 config allows for a primary and
>> secondary EKM and assume the TS3500 allows for at least this minimum
>> config.
>>
>> At least they agree to wait until after the TS3500 is installed before
>> implementing.
>>
>> Time to dig into the EKM docs for setting things up.  I saw in the 3494 LM
>> setup I need TCP/IP ports 3801 (default) opened. Not sure about the other
>> values like "Key Label Entry" and "Key Label"
>>
>> On Thu, Apr 4, 2013 at 6:53 PM, Prather, Wanda wrote:
>>
>>> Correct.
>>> Anything that has to be readable without accessing a live TSM DB, can't be
>>> encrypted with TSM, ergo backupsets, exports, DB backups.
>>>
>>> And I don't know of any other reason not to choose TSM/App managed
>>> encryption.
>>> It's transparent, easy, free, and I've never run into any problems with
>>> it.
>>>
>>> The tape internal label isn't encrypted, so there isn't even a problem if
>>> you have encrypted tapes in one pool and they go back to scratch and get
>>> used later in an un-encrypted pool.
>>> Set it and forget it.  (But don't forget you have to turn on encryption in
>>> the TS3500 library partition first.)
>>>
>>> W
>>>
>>> -Original Message-
>>> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
>>> Zoltan Forray
>>> Sent: Thursday, April 04, 2013 2:08 PM
>>> To: ADSM-L@VM.MARIST.EDU
>>> Subject: Re: [ADSM-L] Implementing Encryption
>>>
>>> Thanks.
>>>
>>> Other than the factor that certain tapes/processes are not encrypted (from
>>> the book when setting DRIVEE=ON - *Other types of volumes-for example,
>>> backup sets, export volumes, and database backup volumes-will not be
>>> encrypted.*)
>>>
>>> is there any reason not to choose "Application Managed Encryption"?  As I
>>> think I understand it, with AME/TSM managing the keys, they are stored on
>>> the DB backup tape, thus the reason to not encrypt it?  Correct?
>>>
>>> On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:
>>>>
>>>> Here ya go.  Buy the BIG bottle of aspirin.
>>>>
>>>> http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
>>>>
>>>> And just as a follow up:
>>>>
>>>> When you use TSM-managed encryption, it IS hardware based.
>>>> Either TSM or TKLM, the encryption is done outboard by the drive itself.
>>>>
>>>> The difference is who handles the encryption keys/certificates, TSM or
>>>> the TKLM.
>>>> And the question of what TSM tapes can be encrypted as a result.
>>>>
>>>> W
>>>>
>>>>
>>>> -Original Message-
>>>> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
>>>> Of Prather, Wanda
>>>> Sent: Thursday, April 04, 2013 1:42 PM
>>>> To: ADSM-L@VM.MARIST.EDU
>>>> Subject: Re: [ADSM-L] Implementing Encryption
>>>>
>>>> I apologize, when I said EKM, I meant TKLM, which is the current
>>>> product replacement for the old EKM.
>>>>
>>>> The only paint-by-number is a redbook for TKLM.
>>>> Actually there are a couple, and you'll need aspirin.
>>>>
>>>> I'll look up the numbers and get back to you.
>>>>
>>>>
>>>>
>>>> -Original Message-
>>>> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
>>>> Of Zoltan Forray
>>>> Sent: Thursday, April 04, 2013 12:35 PM
>>>> To: ADSM-L@VM.MARIST.EDU

Re: Implementing Encryption

2013-04-05 Thread Alex Paschal

Be sure to create a Windows task or crontab script that copies your EKM
keystore periodically and remotely.  And preferably not to TSM. :-)

On 4/5/2013 6:30 AM, Zoltan Forray wrote:

> Unfortunately, after discussing the choices with management, they decided
> to choose LME vs AME.  So they want me to setup a Linux VM running  EKM
> (onsite), as well as the EKM function on my offsite TSM server -
> fun...funfun  I know the 3494 config allows for a primary and
> secondary EKM and assume the TS3500 allows for at least this minimum config.
>
> At least they agree to wait until after the TS3500 is installed before
> implementing.
>
> Time to dig into the EKM docs for setting things up.  I saw in the 3494 LM
> setup I need TCP/IP ports 3801 (default) opened. Not sure about the other
> values like "Key Label Entry" and "Key Label"
>
> On Thu, Apr 4, 2013 at 6:53 PM, Prather, Wanda wrote:
>
> > Correct.
> > Anything that has to be readable without accessing a live TSM DB, can't be
> > encrypted with TSM, ergo backupsets, exports, DB backups.
> >
> > And I don't know of any other reason not to choose TSM/App managed
> > encryption.
> > It's transparent, easy, free, and I've never run into any problems with it.
> >
> > The tape internal label isn't encrypted, so there isn't even a problem if
> > you have encrypted tapes in one pool and they go back to scratch and get
> > used later in an un-encrypted pool.
> > Set it and forget it.  (But don't forget you have to turn on encryption in
> > the TS3500 library partition first.)
> >
> > W
> >
> > -Original Message-
> > From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> > Zoltan Forray
> > Sent: Thursday, April 04, 2013 2:08 PM
> > To: ADSM-L@VM.MARIST.EDU
> > Subject: Re: [ADSM-L] Implementing Encryption
> >
> > Thanks.
> >
> > Other than the factor that certain tapes/processes are not encrypted (from
> > the book when setting DRIVEE=ON - *Other types of volumes-for example,
> > backup sets, export volumes, and database backup volumes-will not be
> > encrypted.*)
> >
> > is there any reason not to choose "Application Managed Encryption"?  As I
> > think I understand it, with AME/TSM managing the keys, they are stored on
> > the DB backup tape, thus the reason to not encrypt it?  Correct?
> >
> > On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:
> >
> > > Here ya go.  Buy the BIG bottle of aspirin.
> > >
> > > http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
> > >
> > > And just as a follow up:
> > >
> > > When you use TSM-managed encryption, it IS hardware based.
> > > Either TSM or TKLM, the encryption is done outboard by the drive itself.
> > >
> > > The difference is who handles the encryption keys/certificates, TSM or
> > > the TKLM.
> > > And the question of what TSM tapes can be encrypted as a result.
> > >
> > > W
> > >
> > >
> > > -Original Message-
> > > From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
> > > Of Prather, Wanda
> > > Sent: Thursday, April 04, 2013 1:42 PM
> > > To: ADSM-L@VM.MARIST.EDU
> > > Subject: Re: [ADSM-L] Implementing Encryption
> > >
> > > I apologize, when I said EKM, I meant TKLM, which is the current
> > > product replacement for the old EKM.
> > >
> > > The only paint-by-number is a redbook for TKLM.
> > > Actually there are a couple, and you'll need aspirin.
> > >
> > > I'll look up the numbers and get back to you.
> > >
> > >
> > >
> > > -Original Message-
> > > From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
> > > Of Zoltan Forray
> > > Sent: Thursday, April 04, 2013 12:35 PM
> > > To: ADSM-L@VM.MARIST.EDU
> > > Subject: Re: [ADSM-L] Implementing Encryption
> > >
> > > Wanda,
> > >
> > > As always, thanks for the detailed explanation.  However, it brings up
> > > lots of questions.
> > >
> > > >>> With externally-managed encryption, the keys are managed by the EKM.
> > >
> > > Since this would be hardware-based and encrypts everything, this is
> > > the way we would go.
> > >
> > > >>> You set the encryption mode on the library to library-managed. The
> > > >>> EKM
> > > has to be run on a server.  It is a pay-for product.
> > >
> > > Huh?  I downloaded EKM from the IBM FTP site.  It is Java based and
> > > nobody ever said anything about paying for it?  As I understand it, in
> > > this scenario with our 3494 (soon to be replaced with a TS3500/3584),
> > > the "EKM server" has to talk to the tape library to get the keys from
> > > it (DRIVEE=ALLOW).  When Googling, one doc/comment we saw the person
> > > simply installed it on the TSM server.  My question, since I am
> > > running 7-servers, do I need multiple instances - one per TSM server or
> > > just one and it gets
> > > everything from the 3494?   I am confused..
> > >
> > > >>> High learning curve.  Lots of testing required to make sure you
> > > >>> can
> > > recover.
> > >
> > > Agreed.  We are still digging through the docs on just  installing and
> > > implementing EKM and who connects to who and where..
> > >
> > > >>> You have to be careful about protecting the EKM; you have to
> > > >>> recover
> > > the EKM at a DR site before you can read your tapes.
> > > (If you have a hot site, better to share the keys between the
> > > libraries.)
> > >
> > > More like a "lukewarm site" - I have an offsite vault/TSM server
> > > where the tapes are stored and daily each production TSM server does a
> > > DB backup to the offsite TSM server.
> > >
> > > >>> But with the EKM, your security group ca
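Alex's advice above (copy the EKM keystore periodically, off the box, and not into TSM), as an added example that is not code from the list thread or from IBM's EKM/TKLM tooling: a POSIX shell job a cron entry can call. It copies the keystore to a destination directory with owner-only permissions, re-reads the copy and compares its SHA-256 with the source before trusting it, records the digest in a sidecar file so a later restore drill can re-check the copy, and keeps a bounded number of dated copies. The keystore path, the destination mount, the retention count and the cron line are assumptions (placeholders), not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the ADSM-L thread or from IBM's EKM/TKLM:
# an off-box keystore backup job meant to be called from cron.
# All paths below are placeholders; set them for your own installation.

KEYSTORE="${KEYSTORE:-/opt/ekm/keystore/ekm.jceks}"          # placeholder keystore path
BACKUP_DIR="${BACKUP_DIR:-/mnt/offsite-vault/ekm-backups}"   # placeholder: a mount that is NOT the TSM server
KEEP="${KEEP:-14}"                                           # dated copies to retain

# SHA-256 of a file; works with GNU coreutils (sha256sum) or BSD/macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_keystore SRC DEST_DIR
# Copies SRC into DEST_DIR under a UTC-timestamped name with owner-only
# permissions, re-reads the copy and compares its digest with the source,
# then records the digest in a .sha256 sidecar. Prints the verified copy's
# path; returns non-zero (and removes the copy) on any failure.
backup_keystore() {
    src="$1"; dest="$2"
    [ -r "$src" ] || { echo "keystore not readable: $src" >&2; return 1; }
    base="$dest/$(basename "$src").$(date -u +%Y%m%dT%H%M%SZ)"
    copy="$base"; n=0
    while [ -e "$copy" ]; do n=$((n + 1)); copy="$base.$n"; done   # several runs in one second
    ( umask 077 && mkdir -p "$dest" && cp "$src" "$copy" ) || return 1
    expected=$(file_sha256 "$src")
    actual=$(file_sha256 "$copy")
    if [ "$expected" != "$actual" ]; then
        echo "digest mismatch after copy: $copy" >&2
        rm -f "$copy"
        return 1
    fi
    printf '%s  %s\n' "$expected" "$(basename "$copy")" > "$copy.sha256"
    echo "$copy"
}

# verify_backup COPY
# Re-checks a stored copy against its sidecar digest; use it in DR drills
# before relying on the copy. Returns non-zero if either file is missing
# or the digest no longer matches.
verify_backup() {
    copy="$1"
    [ -r "$copy" ] && [ -r "$copy.sha256" ] || return 1
    recorded=$(cut -d' ' -f1 "$copy.sha256")
    [ "$recorded" = "$(file_sha256 "$copy")" ]
}

# prune_backups DEST_DIR KEEP
# Deletes all but the KEEP newest copies (names sort chronologically) and
# their sidecars.
prune_backups() {
    dest="$1"; keep="$2"
    total=$(ls -1 "$dest" | grep -vc '\.sha256$' || true)
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    ls -1 "$dest" | grep -v '\.sha256$' | sort | sed -n "1,${excess}p" | while read -r old; do
        rm -f "$dest/$old" "$dest/$old.sha256"
    done
}

# One scheduled run. Assumed cron entry (placeholder path):
#   17 2 * * * /usr/local/sbin/ekm-keystore-backup.sh --run
main() {
    copy=$(backup_keystore "$KEYSTORE" "$BACKUP_DIR") || exit 1
    prune_backups "$BACKUP_DIR" "$KEEP"
    echo "verified keystore copy: $copy"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The digest check is the point of the job: a copy that was silently truncated or corrupted is discovered at the DR site, which is exactly the situation Wanda describes where nobody can read the encrypted tapes. Running `verify_backup` on the vault copies as part of each restore test keeps that check honest.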

Re: Implementing Encryption

2013-04-05 Thread Zoltan Forray
Unfortunately, after discussing the choices with management, they decided
to choose LME vs AME.  So they want me to setup a Linux VM running  EKM
(onsite), as well as the EKM function on my offsite TSM server -
fun...funfun  I know the 3494 config allows for a primary and
secondary EKM and assume the TS3500 allows for at least this minimum config.

At least they agree to wait until after the TS3500 is installed before
implementing.

Time to dig into the EKM docs for setting things up.  I saw in the 3494 LM
setup I need TCP/IP ports 3801 (default) opened. Not sure about the other
values like "Key Label Entry" and "Key Label"

On Thu, Apr 4, 2013 at 6:53 PM, Prather, Wanda wrote:

> Correct.
> Anything that has to be readable without accessing a live TSM DB, can't be
> encrypted with TSM, ergo backupsets, exports, DB backups.
>
> And I don't know of any other reason not to choose TSM/App managed
> encryption.
> It's transparent, easy, free, and I've never run into any problems with it.
>
> The tape internal label isn't encrypted, so there isn't even a problem if
> you have encrypted tapes in one pool and they go back to scratch and get
> used later in an un-encrypted pool.
> Set it and forget it.  (But don't forget you have to turn on encryption in
> the TS3500 library partition first.)
>
> W
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Zoltan Forray
> Sent: Thursday, April 04, 2013 2:08 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> Thanks.
>
> Other than the factor that certain tapes/processes are not encrypted (from
> the book when setting DRIVEE=ON - *Other types of volumes-for example,
> backup sets, export volumes, and database backup volumes-will not be
> encrypted.*)
>
> is there any reason not to choose "Application Managed Encryption"?  As I
> think I understand it, with AME/TSM managing the keys, they are stored on
> the DB backup tape, thus the reason to not encrypt it?  Correct?
>
> On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:
>
> > Here ya go.  Buy the BIG bottle of aspirin.
> >
> > http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
> >
> > And just as a follow up:
> >
> > When you use TSM-managed encryption, it IS hardware based.
> > Either TSM or TKLM, the encryption is done outboard by the drive itself.
> >
> > The difference is who handles the encryption keys/certificates, TSM or
> > the TKLM.
> > And the question of what TSM tapes can be encrypted as a result.
> >
> > W
> >
> >
> > -Original Message-
> > From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
> > Of Prather, Wanda
> > Sent: Thursday, April 04, 2013 1:42 PM
> > To: ADSM-L@VM.MARIST.EDU
> > Subject: Re: [ADSM-L] Implementing Encryption
> >
> > I apologize, when I said EKM, I meant TKLM, which is the current
> > product replacement for the old EKM.
> >
> > The only paint-by-number is a redbook for TKLM.
> > Actually there are a couple, and you'll need aspirin.
> >
> > I'll look up the numbers and get back to you.
> >
> >
> >
> > -Original Message-
> > From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
> > Of Zoltan Forray
> > Sent: Thursday, April 04, 2013 12:35 PM
> > To: ADSM-L@VM.MARIST.EDU
> > Subject: Re: [ADSM-L] Implementing Encryption
> >
> > Wanda,
> >
> > As always, thanks for the detailed explanation.  However, it brings up
> > lots of questions.
> >
> > >>> With externally-managed encryption, the keys are managed by the EKM.
> >
> > Since this would be hardware-based and encrypts everything, this is
> > the way we would go.
> >
> > >>> You set the encryption mode on the library to library-managed. The
> > >>> EKM
> > has to be run on a server.  It is a pay-for product.
> >
> > Huh?  I downloaded EKM from the IBM FTP site.  It is Java based and
> > nobody ever said anything about paying for it?  As I understand it, in
> > this scenario with our 3494 (soon to be replaced with a TS3500/3584),
> > the "EKM server" has to talk to the tape library to get the keys from
> > it (DRIVEE=ALLOW).  When Googling, one doc/comment we saw the person
> > simply installed it on the TSM server.  My question, since I am
> > running 7-servers, do I need multiple instances - one per TSM server or
> > just one and it gets
> > everything from the 3494?   I am confused..
> 

Re: Implementing Encryption

2013-04-04 Thread Prather, Wanda
Correct. 
Anything that has to be readable without accessing a live TSM DB, can't be 
encrypted with TSM, ergo backupsets, exports, DB backups.

And I don't know of any other reason not to choose TSM/App managed encryption.
It's transparent, easy, free, and I've never run into any problems with it.

The tape internal label isn't encrypted, so there isn't even a problem if you 
have encrypted tapes in one pool and they go back to scratch and get used later 
in an un-encrypted pool.
Set it and forget it.  (But don't forget you have to turn on encryption in the 
TS3500 library partition first.)

W

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan 
Forray
Sent: Thursday, April 04, 2013 2:08 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

Thanks.

Other than the factor that certain tapes/processes are not encrypted (from the 
book when setting DRIVEE=ON - *Other types of volumes-for example, backup sets, 
export volumes, and database backup volumes-will not be
encrypted.*)

is there any reason not to choose "Application Managed Encryption"?  As I think 
I understand it, with AME/TSM managing the keys, they are stored on the DB 
backup tape, thus the reason to not encrypt it?  Correct?

On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:

> Here ya go.  Buy the BIG bottle of aspirin.
>
> http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
>
> And just as a follow up:
>
> When you use TSM-managed encryption, it IS hardware based.
> Either TSM or TKLM, the encryption is done outboard by the drive itself.
>
> The difference is who handles the encryption keys/certificates, TSM or 
> the TKLM.
> And the question of what TSM tapes can be encrypted as a result.
>
> W
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf 
> Of Prather, Wanda
> Sent: Thursday, April 04, 2013 1:42 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> I apologize, when I said EKM, I meant TKLM, which is the current 
> product replacement for the old EKM.
>
> The only paint-by-number is a redbook for TKLM.
> Actually there are a couple, and you'll need aspirin.
>
> I'll look up the numbers and get back to you.
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf 
> Of Zoltan Forray
> Sent: Thursday, April 04, 2013 12:35 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> Wanda,
>
> As always, thanks for the detailed explanation.  However, it brings up 
> lots of questions.
>
> >>> With externally-managed encryption, the keys are managed by the EKM.
>
> Since this would be hardware-based and encrypts everything, this is 
> the way we would go.
>
> >>> You set the encryption mode on the library to library-managed. The 
> >>> EKM
> has to be run on a server.  It is a pay-for product.
>
> Huh?  I downloaded EKM from the IBM FTP site.  It is Java based and
> nobody ever said anything about paying for it?  As I understand it, in
> this scenario with our 3494 (soon to be replaced with a TS3500/3584),
> the "EKM server" has to talk to the tape library to get the keys from
> it (DRIVEE=ALLOW).  When Googling, one doc/comment we saw the person
> simply installed it on the TSM server.  My question, since I am
> running 7-servers, do I need multiple instances - one per TSM server or just
> one and it gets
> everything from the 3494?   I am confused..
>
> >>> High learning curve.  Lots of testing required to make sure you 
> >>> can
> recover.
>
> Agreed.  We are still digging through the docs on just  installing and 
> implementing EKM and who connects to who and where..
>
> >>> You have to be careful about protecting the EKM; you have to 
> >>> recover
> the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the 
> libraries.)
>
> More like a "lukewarm site" - I have an offsite vault/TSM server
> where the tapes are stored and daily each production TSM server does a 
> DB backup to the offsite TSM server.
>
> >>> But with the EKM, your security group can control the key 
> >>> management,
> certificate changing, etc. And then DB backup tapes, EXPORT, and 
> BACKUPSET tapes can be encrypted.
>
> This totally throws me off - I really need a "paint by numbers" 
> diagram on how all the pieces connect - I have never dealt with 
> encryption.
>
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wand

Re: Implementing Encryption

2013-04-04 Thread Zoltan Forray
Thanks.

Other than the factor that certain tapes/processes are not encrypted (from
the book when setting DRIVEE=ON - *Other types of volumes—for example,
backup sets, export volumes, and database backup volumes—will not be
encrypted.*)

is there any reason not to choose "Application Managed Encryption"?  As I
think I understand it, with AME/TSM managing the keys, they are stored on
the DB backup tape, thus the reason to not encrypt it?  Correct?

On Thu, Apr 4, 2013 at 1:55 PM, Prather, Wanda wrote:

> Here ya go.  Buy the BIG bottle of aspirin.
>
> http://www.redbooks.ibm.com/abstracts/sg247907.html?Open
>
> And just as a follow up:
>
> When you use TSM-managed encryption, it IS hardware based.
> Either TSM or TKLM, the encryption is done outboard by the drive itself.
>
> The difference is who handles the encryption keys/certificates, TSM or the
> TKLM.
> And the question of what TSM tapes can be encrypted as a result.
>
> W
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Prather, Wanda
> Sent: Thursday, April 04, 2013 1:42 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> I apologize, when I said EKM, I meant TKLM, which is the current product
> replacement for the old EKM.
>
> The only paint-by-number is a redbook for TKLM.
> Actually there are a couple, and you'll need aspirin.
>
> I'll look up the numbers and get back to you.
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Zoltan Forray
> Sent: Thursday, April 04, 2013 12:35 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Implementing Encryption
>
> Wanda,
>
> As always, thanks for the detailed explanation.  However, it brings up
> lots of questions.
>
> >>> With externally-managed encryption, the keys are managed by the EKM.
>
> Since this would be hardware-based and encrypts everything, this is the
> way we would go.
>
> >>> You set the encryption mode on the library to library-managed. The
> >>> EKM
> has to be run on a server.  It is a pay-for product.
>
> Huh?  I downloaded EKM from the IBM FTP site.  It is Java based and
> nobody ever said anything about paying for it?  As I understand it, in this
> scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM
> server" has to talk to the tape library to get the keys from it
> (DRIVEE=ALLOW).  When Googling, one doc/comment we saw the person simply
> installed it on the TSM server.  My question, since I am running 7-servers,
> do I need multiple instances - one per TSM server or just one and it gets
> everything from the 3494?   I am confused..
>
> >>> High learning curve.  Lots of testing required to make sure you can
> recover.
>
> Agreed.  We are still digging through the docs on just  installing and
> implementing EKM and who connects to who and where..
>
> >>> You have to be careful about protecting the EKM; you have to recover
> the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
>
> More like a "lukewarm site" - I have an offsite vault/TSM server where
> the tapes are stored and daily each production TSM server does a DB backup
> to the offsite TSM server.
>
> >>> But with the EKM, your security group can control the key
> >>> management,
> certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET
> tapes can be encrypted.
>
> This totally throws me off - I really need a "paint by numbers" diagram on
> how all the pieces connect - I have never dealt with encryption.
>
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>
> > With externally-managed encryption, the keys are managed by the EKM.
> > TSM doesn't know it's happening.
> > You set the encryption mode on the library to library-managed.
> > The EKM has to be run on a server.  It is a pay-for product.
> > But the cost of the software is trivial compared to the implementation
> > cost.
> > High learning curve.  Lots of testing required to make sure you can
> > recover.
> >
> > You have to be careful about protecting the EKM; you have to recover
> > the EKM at a DR site before you can read your tapes.
> > (If you have a hot site, better to share the keys between the
> > libraries.) It is possible (not likely, but possible) to get yourself
> > in a DR situation where NOBODY, including IBM, can read those encrypted
> tapes.
> > Test, test, CYA, test.
> > But wi

Re: Implementing Encryption

2013-04-04 Thread Zoltan Forray
Thanks - that clears things up - a little bit - My question is, will the
older EKM work with the TS3500?  From what I have read in the TS3500
Planning Guide, it seems to imply it will.

On Thu, Apr 4, 2013 at 1:01 PM, Mike De Gasperis  wrote:

> Forgot to include this link from IBM regarding their EKM support.
>
> http://www-01.ibm.com/support/docview.wss?uid=ssg1S4000504
>
>
> - Original Message -
> Wanda,
>
> As always, thanks for the detailed explanation. However, it brings up lots
> of questions.
>
> >>> With externally-managed encryption, the keys are managed by the EKM.
>
> Since this would be hardware-based and encrypts everything, this is the way
> we would go.
>
> >>> You set the encryption mode on the library to library-managed. The EKM
> has to be run on a server. It is a pay-for product.
>
> Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody
> ever said anything about paying for it? As I understand it, in this
> scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM
> server" has to talk to the tape library to get the keys from it
> (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply
> installed it on the TSM server. My question, since I am running 7-servers,
> do I need multiple instances - one per TSM server or just one and it gets
> everything from the 3494? I am confused..
>
> >>> High learning curve. Lots of testing required to make sure you can
> recover.
>
> Agreed. We are still digging through the docs on just installing and
> implementing EKM and who connects to who and where..
>
> >>> You have to be careful about protecting the EKM; you have to recover
> the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
>
> More like a "lukewarm site" - I have an offsite vault/TSM server where the
> tapes are stored and daily each production TSM server does a DB backup to
> the offsite TSM server.
>
> >>> But with the EKM, your security group can control the key management,
> certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET
> tapes can be encrypted.
>
> This totally throws me off - I really need a "paint by numbers" diagram on
> how all the pieces connect - I have never dealt with encryption.
>
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:
>
> > With externally-managed encryption, the keys are managed by the EKM.
> > TSM doesn't know it's happening.
> > You set the encryption mode on the library to library-managed.
> > The EKM has to be run on a server. It is a pay-for product.
> > But the cost of the software is trivial compared to the implementation
> > cost.
> > High learning curve. Lots of testing required to make sure you can
> > recover.
> >
> > You have to be careful about protecting the EKM; you have to recover the
> > EKM at a DR site before you can read your tapes.
> > (If you have a hot site, better to share the keys between the libraries.)
> > It is possible (not likely, but possible) to get yourself in a DR
> > situation where NOBODY, including IBM, can read those encrypted tapes.
> > Test, test, CYA, test.
> > But with the EKM, your security group can control the key management,
> > certificate changing, etc.
> > And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
> >
>
>
>
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html
>



--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html


Re: Implementing Encryption

2013-04-04 Thread Prather, Wanda
Here ya go.  Buy the BIG bottle of aspirin.

http://www.redbooks.ibm.com/abstracts/sg247907.html?Open

And just as a follow up:

When you use TSM-managed encryption, it IS hardware based.
Either TSM or TKLM, the encryption is done outboard by the drive itself.

The difference is who handles the encryption keys/certificates, TSM or the TKLM.
And the question of what TSM tapes can be encrypted as a result.

W


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Prather, Wanda
Sent: Thursday, April 04, 2013 1:42 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

I apologize, when I said EKM, I meant TKLM, which is the current product 
replacement for the old EKM.

The only paint-by-number is a redbook for TKLM.
Actually there are a couple, and you'll need aspirin.

I'll look up the numbers and get back to you.



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan 
Forray
Sent: Thursday, April 04, 2013 12:35 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

Wanda,

As always, thanks for the detailed explanation.  However, it brings up lots of 
questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way we 
would go.

>>> You set the encryption mode on the library to library-managed. The 
>>> EKM
has to be run on a server.  It is a pay-for product.

Huh?  I downloaded EKM from the IBM FTP site.  It is Java based and nobody
ever said anything about paying for it?  As I understand it, in this scenario
with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to
talk to the tape library to get the keys from it (DRIVEE=ALLOW).  When
Googling, one doc/comment we saw the person simply installed it on the TSM
server.  My question, since I am running 7-servers, do I need multiple instances
- one per TSM server or just one and it gets
everything from the 3494?   I am confused..

>>> High learning curve.  Lots of testing required to make sure you can
recover.

Agreed.  We are still digging through the docs on just  installing and 
implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover
the EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the
tapes are stored and daily each production TSM server does a DB backup to the 
offsite TSM server.

>>> But with the EKM, your security group can control the key 
>>> management,
certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET 
tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on how 
all the pieces connect - I have never dealt with encryption.


On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server.  It is a pay-for product.
> But the cost of the software is trivial compared to the implementation 
> cost.
> High learning curve.  Lots of testing required to make sure you can 
> recover.
>
> You have to be careful about protecting the EKM; you have to recover 
> the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the
> libraries.) It is possible (not likely, but possible) to get yourself 
> in a DR situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management, 
> certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>




--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never 
use email to request that you reply with your password, social security number 
or confidential personal information. For more details visit 
http://infosecurity.vcu.edu/phishing.html


Re: Implementing Encryption

2013-04-04 Thread Prather, Wanda
I apologize, when I said EKM, I meant TKLM, which is the current product 
replacement for the old EKM.

The only paint-by-number is a redbook for TKLM.
Actually there are a couple, and you'll need aspirin.

I'll look up the numbers and get back to you.



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan 
Forray
Sent: Thursday, April 04, 2013 12:35 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Implementing Encryption

Wanda,

As always, thanks for the detailed explanation.  However, it brings up lots of 
questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way we 
would go.

>>> You set the encryption mode on the library to library-managed. The 
>>> EKM
has to be run on a server.  It is a pay-for product.

Huh?  I downloaded EKM from the IBM FTP site.  It is Java based and nobody
ever said anything about paying for it?  As I understand it, in this scenario
with our 3494 (soon to be replaced with a TS3500/3584), the "EKM server" has to
talk to the tape library to get the keys from it (DRIVEE=ALLOW).  When
Googling, one doc/comment we saw the person simply installed it on the TSM
server.  My question, since I am running 7-servers, do I need multiple instances
- one per TSM server or just one and it gets
everything from the 3494?   I am confused..

>>> High learning curve.  Lots of testing required to make sure you can
recover.

Agreed.  We are still digging through the docs on just  installing and 
implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover
the EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the
tapes are stored and daily each production TSM server does a DB backup to the 
offsite TSM server.

>>> But with the EKM, your security group can control the key 
>>> management,
certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET 
tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on how 
all the pieces connect - I have never dealt with encryption.


On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server.  It is a pay-for product.
> But the cost of the software is trivial compared to the implementation 
> cost.
> High learning curve.  Lots of testing required to make sure you can 
> recover.
>
> You have to be careful about protecting the EKM; you have to recover 
> the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the 
> libraries.) It is possible (not likely, but possible) to get yourself 
> in a DR situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management, 
> certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>




--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never 
use email to request that you reply with your password, social security number 
or confidential personal information. For more details visit 
http://infosecurity.vcu.edu/phishing.html


Re: Implementing Encryption

2013-04-04 Thread Mike De Gasperis
Forgot to include this link from IBM regarding their EKM support.

http://www-01.ibm.com/support/docview.wss?uid=ssg1S4000504


- Original Message -
Wanda,

As always, thanks for the detailed explanation. However, it brings up lots
of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way
we would go.

>>> You set the encryption mode on the library to library-managed. The EKM
has to be run on a server. It is a pay-for product.

Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody
ever said anything about paying for it? As I understand it, in this
scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM
server" has to talk to the tape library to get the keys from it
(DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply
installed it on the TSM server. My question, since I am running 7-servers,
do I need multiple instances - one per TSM server or just one and it gets
everything from the 3494? I am confused..

>>> High learning curve. Lots of testing required to make sure you can
recover.

Agreed. We are still digging through the docs on just installing and
implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover
the EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the
tapes are stored and daily each production TSM server does a DB backup to
the offsite TSM server.

>>> But with the EKM, your security group can control the key management,
certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET
tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on
how all the pieces connect - I have never dealt with encryption.


On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server. It is a pay-for product.
> But the cost of the software is trivial compared to the implementation
> cost.
> High learning curve. Lots of testing required to make sure you can
> recover.
>
> You have to be careful about protecting the EKM; you have to recover the
> EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR
> situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management,
> certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>




--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html


Re: Implementing Encryption

2013-04-04 Thread Mike De Gasperis
I've never dealt with the EKM but it looks to be a legacy product that will be 
phased out by IBM.

You'll want to look at the TKLM product which does require licensing for the 
drives that will be encrypting as well as for the actual TKLM servers 
themselves. We ended up setting up four TKLM servers in our environment. Two at 
our prod site and two at DR to protect against failure.

- Original Message -
Wanda,

As always, thanks for the detailed explanation. However, it brings up lots
of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way
we would go.

>>> You set the encryption mode on the library to library-managed. The EKM
has to be run on a server. It is a pay-for product.

Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody
ever said anything about paying for it? As I understand it, in this
scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM
server" has to talk to the tape library to get the keys from it
(DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply
installed it on the TSM server. My question, since I am running 7 servers,
do I need multiple instances - one per TSM server or just one and it gets
everything from the 3494? I am confused.

>>> High learning curve. Lots of testing required to make sure you can
recover.

Agreed. We are still digging through the docs on just installing and
implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover
the EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the
tapes are stored and daily each production TSM server does a DB backup to
the offsite TSM server.

>>> But with the EKM, your security group can control the key management,
certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET
tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on
how all the pieces connect - I have never dealt with encryption.


On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server. It is a pay-for product.
> But the cost of the software is trivial compared to the implementation
> cost.
> High learning curve. Lots of testing required to make sure you can
> recover.
>
> You have to be careful about protecting the EKM; you have to recover the
> EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR
> situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management,
> certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>




--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html


Re: Implementing Encryption

2013-04-04 Thread Zoltan Forray
Wanda,

As always, thanks for the detailed explanation.  However, it brings up lots
of questions.

>>> With externally-managed encryption, the keys are managed by the EKM.

Since this would be hardware-based and encrypts everything, this is the way
we would go.

>>> You set the encryption mode on the library to library-managed. The EKM
has to be run on a server.  It is a pay-for product.

Huh?  I downloaded EKM from the IBM FTP site.  It is Java based and nobody
ever said anything about paying for it?  As I understand it, in this
scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM
server" has to talk to the tape library to get the keys from it
(DRIVEE=ALLOW).  When Googling, one doc/comment we saw the person simply
installed it on the TSM server.  My question, since I am running 7 servers,
do I need multiple instances - one per TSM server or just one and it gets
everything from the 3494?   I am confused.

>>> High learning curve.  Lots of testing required to make sure you can
recover.

Agreed.  We are still digging through the docs on just  installing and
implementing EKM and who connects to who and where..

>>> You have to be careful about protecting the EKM; you have to recover
the EKM at a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)

More like a "lukewarm site" - I have an offsite vault/TSM server where the
tapes are stored and daily each production TSM server does a DB backup to
the offsite TSM server.

>>> But with the EKM, your security group can control the key management,
certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET
tapes can be encrypted.

This totally throws me off - I really need a "paint by numbers" diagram on
how all the pieces connect - I have never dealt with encryption.


On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda wrote:

> With externally-managed encryption, the keys are managed by the EKM.
> TSM doesn't know it's happening.
> You set the encryption mode on the library to library-managed.
> The EKM has to be run on a server.  It is a pay-for product.
> But the cost of the software is trivial compared to the implementation
> cost.
> High learning curve.  Lots of testing required to make sure you can
> recover.
>
> You have to be careful about protecting the EKM; you have to recover the
> EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
> It is possible (not likely, but possible) to get yourself in a DR
> situation where NOBODY, including IBM, can read those encrypted tapes.
> Test, test, CYA, test.
> But with the EKM, your security group can control the key management,
> certificate changing, etc.
> And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>




--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html


Re: Implementing Encryption

2013-04-04 Thread Prather, Wanda
Zoltan, BTDTGTTS.

You first decide if you want to use TSM-managed or externally-managed (EKM) 
encryption.

With TSM encryption, it really is just as simple as creating a devclass and 
creating storage pools pointing to that devclass.
(Plus you have to set the encryption mode on the logical library to 
application-managed.)

TSM creates its own keys, stores them in the TSM DB, passes the keys to the 
drives and tells the drives to encrypt the tapes. 
The encryption is still done outboard by the hardware.  
Has the wonderful advantage of being simple, free, and unbreakable.  
Your hands never touch the keys, it's totally transparent to everybody.  You 
can't hurt it.  
No implications for DR.  No reason not to use it.
TSM development doesn't get enough credit for making this easy and free.

OTOH, TSM-managed encryption will not encrypt DB backup tapes, or EXPORT tapes, 
nor BACKUPSET tapes.

With externally-managed encryption, the keys are managed by the EKM.
TSM doesn't know it's happening.
You set the encryption mode on the library to library-managed.
The EKM has to be run on a server.  It is a pay-for product.
But the cost of the software is trivial compared to the implementation cost.
High learning curve.  Lots of testing required to make sure you can recover.

You have to be careful about protecting the EKM; you have to recover the EKM at 
a DR site before you can read your tapes.
(If you have a hot site, better to share the keys between the libraries.)
It is possible (not likely, but possible) to get yourself in a DR situation 
where NOBODY, including IBM, can read those encrypted tapes.
Test, test, CYA, test.
But with the EKM, your security group can control the key management, 
certificate changing, etc.
And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.

So if you have a requirement for encrypting backupsets, you need the EKM.   
DEVCLASS change does not apply, as TSM knows nothing about the encryption.

If all you have is a requirement that BACKUP DATA on your storage pool tapes 
(which isn't included in a DB backup tape) gets encrypted so that if a tape 
falls off a truck there is no exposure to PII, choose TSM encryption and just 
turn it on.

W


   


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan 
Forray
Sent: Thursday, April 04, 2013 9:41 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Implementing Encryption

I know this sounds strange, but we need to implement encryption on our
TS1130 tapes.

Never having done this, I need some help/suggestions/war-stories/etc on how to 
basically turn encryption on.  Is there a quick-and-dirty book on the subject?

I understand the first thing would be to change the devclass for the tape 
drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are library 
managers).

Then I saw something about EKM to manage the keys.  Is this also implemented on 
all TSM servers?

--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never 
use email to request that you reply with your password, social security number 
or confidential personal information. For more details visit 
http://infosecurity.vcu.edu/phishing.html


Re: Implementing Encryption

2013-04-04 Thread Billaudeau, Pierre
Hi Zoltan,
We used TSM encryption (application-based, on AIX TSM servers) and here
are the steps we had to implement:

1. On the TSM server:
 Update DEVCLASS 3592CLASS2 drivee=on

2. On AIX:
chdev  -l 'rmt6' -a wrt_encryption='on'
chdev  -l 'rmt13' -a wrt_encryption='on'
chdev  -l 'rmt14' -a wrt_encryption='on'

('on' replaces the value 'custom')

3. Change at the hardware level:
Enable "Application" at the drive level:

CE Drv Options
Drive encryption
Method config
Application

Pierre Billaudeau

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan 
Forray
Sent: 4 April 2013 09:41
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Implementing Encryption

I know this sounds strange, but we need to implement encryption on our
TS1130 tapes.

Never having done this, I need some help/suggestions/war-stories/etc on how to 
basically turn encryption on.  Is there a quick-and-dirty book on the subject?

I understand the first thing would be to change the devclass for the tape 
drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are library 
managers).

Then I saw something about EKM to manage the keys.  Is this also implemented on 
all TSM servers?

--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never 
use email to request that you reply with your password, social security number 
or confidential personal information. For more details visit 
http://infosecurity.vcu.edu/phishing.html



Implementing Encryption

2013-04-04 Thread Zoltan Forray
I know this sounds strange, but we need to implement encryption on our
TS1130 tapes.

Never having done this, I need some help/suggestions/war-stories/etc on how
to basically turn encryption on.  Is there a quick-and-dirty book on the
subject?

I understand the first thing would be to change the devclass for the tape
drives to "encryption=yes" for ALL of my servers (currently, 2 of 7 are
library managers).

Then I saw something about EKM to manage the keys.  Is this also
implemented on all TSM servers?

--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html


Tape drive encryption solutions - slightly OT

2013-03-13 Thread Grant Street

Hello

Just wanted to get some feedback from anyone with experience in doing
tape drive encryption.

We normally run TSM using IBM tape drives in a quantum library. But we
have a contractual requirement to deliver encrypted tapes in a standard
tar format.

Because this is a last minute once off thing we are looking for an easy
and cheap way to setup tape drive encryption from the system level.

We are using IBM drivers, and I can see there is a ekm config file that
points to an EKM server. But it's not clear what protocols/standard are
used/required by the EKM server and which ones work etc.

Any help would be appreciated

--
Grant Street
Senior Systems Engineer

T: +61 2 9383 4800 (main)
T: +61 2 938 34882 (direct)
F: +61 2 9383 4801 (fax)

Animal Logic Logo

*See our latest work at http://www.animallogic.com/work*


Re: TSM Image backup encryption

2013-01-08 Thread Dmitry

I had the same problems.
I returned to v6.2.


On 08.01.2013 19:36, Yudi Darmadi wrote:

Hi,

Please help, can TSM Image backup (on AIX B/A Client V6.3) use encryption?
Existing file-level backups on that client work fine with encryption, but it 
seems the image backups can't be encrypted.

Regards,

Yudi


TSM Image backup encryption

2013-01-08 Thread Yudi Darmadi
Hi,

Please help, can TSM Image backup (on AIX B/A Client V6.3) use encryption?
Existing file-level backups on that client work fine with encryption, but it 
seems the image backups can't be encrypted.

Regards,

Yudi


Re: Who is performing Client Based Encryption and Compression

2012-11-28 Thread Paul Zarnowski
I am not aware of any way to detect client based encryption via a server-based 
query.  However, you can see this from a client-side CLI query (DSMC Q BACKUP), 
so there must be information somewhere that reflects this.

For anyone considering SUR pricing (capacity-based), you might consider looking 
at TSM-based deduplication instead of VTL-based deduplication, as your TB 
license requirements will be lower.  Or at least, that's what I was told by an 
IBMer describing the SUR pricing model to me.  Granted, you would need a more 
powerful TSM server, but you could offset that cost by purchasing disk less 
expensively than a VTL vendor would charge.

..Paul

At 04:13 PM 11/28/2012, Harris, Chad wrote:
>Thank you all for your sage advice.
>
>I am able to find the servers that are using compression, unfortunately 
>though, some of my client Admins have let it slip that they are not always 
>using compression when they are setting up encryption, despite our best 
>efforts to guide them that way.
>
>Anyone else know a way to find nodes only performing client encryption?
>
>Thanks again,
>Chad
>
>-Original Message-
>From: ADSM: Dist Stor Manager [mailto:ADSM-L@vm.marist.edu] On Behalf Of Bill 
>Boyer
>Sent: Wednesday, November 28, 2012 12:01 PM
>To: ADSM-L@vm.marist.edu
>Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression
>
>You could start by getting a list of nodes that are set to either 
>COMPRESSION=CLIENT or YES and those with DEDUPLICATION=CLIENTORSERVER. The 
>default is SERVERONLY. Those would be good candidates to start with. You can't 
>do client-side dedup without setting the node attribute.
>
>Bill
>"When the pin is pulled, Mr. Grenade is NOT your friend!" - USMC
>
>-Original Message-
>From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
>Ehresman,David E.
>Sent: Wednesday, November 28, 2012 9:53 AM
>To: ADSM-L@VM.MARIST.EDU
>Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression
>
>I think "q actlog begindate=today-ndays msgno=4968" is more efficient.
>
>-Original Message-
>From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
>Prather, Wanda
>Sent: Tuesday, November 27, 2012 5:18 PM
>To: ADSM-L@VM.MARIST.EDU
>Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression
>
>For compression:
>
>q actlog begindate=today-ndays search=ane4968
>
>Non-zero values mean the client is compressing.
>
>
>
>
>-Original Message-
>From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
>Harris, Chad
>Sent: Tuesday, November 27, 2012 5:04 PM
>To: ADSM-L@VM.MARIST.EDU
>Subject: [ADSM-L] Who is performing Client Based Encryption and Compression
>
>Fellow TSM Admins,
>
>We are in the process of bringing VTLs into our TSM Environment.  In order to 
>take full advantage of deduplication features on the VTL we need to go after 
>the clients that are performing client based encryption and compression.  With 
>that in mind, does anyone know an easy way to tell which clients are using 
>these features?
>
>Thanks,
>Chad Harris


--
Paul Zarnowski                           Ph: 607-255-4757
CIT Infrastructure / Storage Services    Fx: 607-255-8521
719 Rhodes Hall, Ithaca, NY 14853-3801   Em: p...@cornell.edu


Re: Who is performing Client Based Encryption and Compression

2012-11-28 Thread Harris, Chad
Thank you all for your sage advice.

I am able to find the servers that are using compression, unfortunately though, 
some of my client Admins have let it slip that they are not always using 
compression when they are setting up encryption, despite our best efforts to 
guide them that way.

Anyone else know a way to find nodes only performing client encryption?

Thanks again,
Chad 

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@vm.marist.edu] On Behalf Of Bill 
Boyer
Sent: Wednesday, November 28, 2012 12:01 PM
To: ADSM-L@vm.marist.edu
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression

You could start by getting a list of nodes that are set to either 
COMPRESSION=CLIENT or YES and those with DEDUPLICATION=CLIENTORSERVER. The 
default is SERVERONLY. Those would be good candidates to start with. You can't 
do client-side dedup without setting the node attribute.

Bill
"When the pin is pulled, Mr. Grenade is NOT your friend!" - USMC

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Ehresman,David E.
Sent: Wednesday, November 28, 2012 9:53 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression

I think "q actlog begindate=today-ndays msgno=4968" is more efficient.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Prather, Wanda
Sent: Tuesday, November 27, 2012 5:18 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression

For compression:

q actlog begindate=today-ndays search=ane4968

Non-zero values mean the client is compressing.




-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Harris, Chad
Sent: Tuesday, November 27, 2012 5:04 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Who is performing Client Based Encryption and Compression

Fellow TSM Admins,

We are in the process of bringing VTLs into our TSM Environment.  In order to 
take full advantage of deduplication features on the VTL we need to go after 
the clients that are performing client based encryption and compression.  With 
that in mind, does anyone know an easy way to tell which clients are using 
these features?

Thanks,
Chad Harris


Re: Who is performing Client Based Encryption and Compression

2012-11-28 Thread Bill Boyer
You could start by getting a list of nodes that are set to either
COMPRESSION=CLIENT or YES and those with DEDUPLICATION=CLIENTORSERVER. The
default is SERVERONLY. Those would be good candidates to start with. You
can't do client-side dedup without setting the node attribute.

Bill
"When the pin is pulled, Mr. Grenade is NOT your friend!" - USMC

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Ehresman,David E.
Sent: Wednesday, November 28, 2012 9:53 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and
Compression

I think "q actlog begindate=today-ndays msgno=4968" is more efficient.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Prather, Wanda
Sent: Tuesday, November 27, 2012 5:18 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and
Compression

For compression:

q actlog begindate=today-ndays search=ane4968

Non-zero values mean the client is compressing.




-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Harris, Chad
Sent: Tuesday, November 27, 2012 5:04 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Who is performing Client Based Encryption and Compression

Fellow TSM Admins,

We are in the process of bringing VTLs into our TSM Environment.  In order
to take full advantage of deduplication features on the VTL we need to go
after the clients that are performing client based encryption and
compression.  With that in mind, does anyone know an easy way to tell which
clients are using these features?

Thanks,
Chad Harris


Re: Who is performing Client Based Encryption and Compression

2012-11-28 Thread Ehresman,David E.
I think "q actlog begindate=today-ndays msgno=4968" is more efficient.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Prather, Wanda
Sent: Tuesday, November 27, 2012 5:18 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Who is performing Client Based Encryption and Compression

For compression:

q actlog begindate=today-ndays search=ane4968

Non-zero values mean the client is compressing.




-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Harris, Chad
Sent: Tuesday, November 27, 2012 5:04 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Who is performing Client Based Encryption and Compression

Fellow TSM Admins,

We are in the process of bringing VTLs into our TSM Environment.  In order to 
take full advantage of deduplication features on the VTL we need to go after 
the clients that are performing client based encryption and compression.  With 
that in mind, does anyone know an easy way to tell which clients are using 
these features?

Thanks,
Chad Harris 


Who is performing Client Based Encryption and Compression

2012-11-27 Thread Harris, Chad
Fellow TSM Admins,

We are in the process of bringing VTLs into our TSM Environment.  In order to 
take full advantage of deduplication features on the VTL we need to go after 
the clients that are performing client based encryption and compression.  With 
that in mind, does anyone know an easy way to tell which clients are using 
these features?

Thanks,
Chad Harris 


Re: Who is performing Client Based Encryption and Compression

2012-11-27 Thread Prather, Wanda
For compression:

q actlog begindate=today-ndays search=ane4968

Non-zero values mean the client is compressing.




-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Harris, Chad
Sent: Tuesday, November 27, 2012 5:04 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Who is performing Client Based Encryption and Compression

Fellow TSM Admins,

We are in the process of bringing VTLs into our TSM Environment.  In order to 
take full advantage of deduplication features on the VTL we need to go after 
the clients that are performing client based encryption and compression.  With 
that in mind, does anyone know an easy way to tell which clients are using 
these features?

Thanks,
Chad Harris 
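
A small script that applies the tip above, added here as an example and not
taken from anyone's post in this thread: it reads the output of
"q actlog ... search=ane4968", pulls out the node name and the "Objects
compressed by" percentage from each ANE4968I message, and lists the nodes
whose sessions ever reported a non-zero value. The sample activity-log text is
constructed, and the message layout it assumes ("ANE4968I (Session: N,
Node: NAME)  Objects compressed by: P%") is an assumption to check against
your own server's output. It says nothing about client-side encryption, which,
as noted in this thread, has no equivalent server-side query.

```python
"""List nodes whose sessions report client-side compression in the activity log.

Added example, not from the thread. Non-zero "Objects compressed by" values in
ANE4968I messages mean the node compresses on the client; a node that only ever
reports 0% is not compressing. The message layout assumed by the regex below
is an assumption; adjust it if your server formats ANE4968I differently.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample of `q actlog begindate=today-2 search=ane4968` output (not real data).
SAMPLE_ACTLOG = """\
Date/Time                Message
--------------------     ----------------------------------------------------------
11/27/2012 22:01:14      ANE4968I (Session: 48112, Node: FILESRV01)  Objects compressed by:   35% (SESSION: 48112)
11/27/2012 22:03:40      ANE4968I (Session: 48117, Node: DBHOST02)  Objects compressed by:    0% (SESSION: 48117)
11/27/2012 22:05:02      ANE4968I (Session: 48120, Node: MAILBOX03)  Objects compressed by:   12% (SESSION: 48120)
11/28/2012 22:01:09      ANE4968I (Session: 48301, Node: FILESRV01)  Objects compressed by:   31% (SESSION: 48301)
11/28/2012 22:04:11      ANE4968I (Session: 48305, Node: DBHOST02)  Objects compressed by:    0% (SESSION: 48305)
11/28/2012 22:06:30      ANE4968I (Session: 48308, Node: ARCHIVE05)  Objects compressed by:   -2% (SESSION: 48308)
11/28/2012 22:09:55      ANR0406I Session 48310 started for node WEB04 (WinNT) (Tcp/Ip 10.0.0.7(51234)).
"""

# The percentage may be negative if the data grew under compression (already
# compressed input); that is still non-zero and still shows compression is on.
ANE4968_RE = re.compile(
    r"ANE4968I\s+\(Session:\s*(?P<session>\d+),\s*Node:\s*(?P<node>\S+)\)"
    r"\s+Objects compressed by:\s*(?P<pct>-?\d+)%"
)


def parse_compression_messages(lines: Iterable[str]) -> Dict[str, List[int]]:
    """Map node name -> list of compression percentages, one per ANE4968I line."""
    per_node: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        m = ANE4968_RE.search(line)
        if m:
            per_node[m.group("node")].append(int(m.group("pct")))
    return dict(per_node)


def compressing_nodes(per_node: Dict[str, List[int]]) -> List[str]:
    """Nodes with at least one non-zero ratio: these compress on the client."""
    return sorted(node for node, pcts in per_node.items() if any(p != 0 for p in pcts))


def zero_only_nodes(per_node: Dict[str, List[int]]) -> List[str]:
    """Nodes that only ever reported 0%: not compressing, by the rule in the thread."""
    return sorted(node for node, pcts in per_node.items() if all(p == 0 for p in pcts))


def main(text: str) -> None:
    per_node = parse_compression_messages(text.splitlines())
    print("Compressing on the client:")
    for node in compressing_nodes(per_node):
        print(f"  {node:<12} {per_node[node]}")
    print("Reported 0% only:")
    for node in zero_only_nodes(per_node):
        print(f"  {node:<12} {per_node[node]}")


if __name__ == "__main__":
    # Pass a file of saved `q actlog` output as the first argument, or run on the sample.
    main(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACTLOG)
```

Save the dsmadmc output to a file and pass it as the first argument; nodes
that never wrote an ANE4968I message in the window are simply absent from both
lists, so widen begindate if a node is missing.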


Re: More tsm encryption questions

2012-03-23 Thread Bill Boyer
Depends on your goal for encryption. If you need it for encrypting during
transport ( or maybe use SSL ), encrypted data at rest on your storage, data
is encrypted on the tapes going offsite,... Yeah the key is in the TSM DB,
but your need to restore/rebuild TSM to be able to get it. Just dumping out
the tape isn't going to get you any eye-readable material. Don't know if the
auditors or lawyers would accept it, but it's better than nothing. I've
referred to it in the past as the cheap managers' encryption scheme. If you
really need to lock it down, then hardware encryption is the way to go with
an external key manager, but that co$t$, is vendor specific as you need TKLM
if you use IBM hardware and you can't mix it if you go to a recovery site.

So it depends on what you're trying to accomplish and the budget you have.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Steven Langdale
Sent: Thursday, March 22, 2012 5:10 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] More tsm encryption questions

Well, there you go. you're spot on there Bill!

I'm struggling to see what use generate is. What's the point of encrypting
the data when the key is handed out whenever a restore is performed?

That must be why I've only ever used "encryptkey save" in the past.


On 22 March 2012 19:57, Bill Boyer  wrote:

> With the ENCRYPTKEY GENERATE specified the client creates the key at
> the beginning of the backup and that key is kept with the data stream
> stored on the TSM server. When you restore this the key in the data
> stream is used. I believe they also refer to this as transparent
encryption.
>
> The include.encrypt will only affect future backups, not any backups
> already encrypted and stored on the TSM server.
>
>
> Bill Boyer
> "There are 10 kinds of people in the world. Those that understand
> binary and those that don't." - ??
>
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
> Of Steven Langdale
> Sent: Thursday, March 22, 2012 2:21 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] More tsm encryption questions
>
> They restored because the client had an encryption key, delete that,
> or possibly the encryptiontype line and you will be prompted for it.
>
> As for testing to see if they ARE encrypted, i think the client may
> say with a q backup (but not sure).  The test I used was to try a
> restore after I had removed the key file.
>
> One aside, if you are using tape technology that compresses, the
> compression will go down the drain.
>
> Steven
>
>
>
> On 22 March 2012 18:01, Lee, Gary  wrote:
>
> > Ok.  Think I have encryption working.
> >
> > Tried the following experiment.
> >
> > 1. Added these lines to dsm.opt
> >
> > encryptiontype aes128
> > encryptkey generate
> > include.encrypt "c:\Documents and Settings\glee.BSU\My
> > Documents\crypt\...\*"
> >
> > 2. did an incremental backup to pick up the crypt folder just
> > created and filled.
> >
> > 3. deleted all files starting with "phon"
> >
> > 4. Restored files starting with phon back to the crypt folder. Went
> > well.
> >
> > 5. commented all encryption related lines out of dsm.opt.
> >
> > 6. removed phone* from crypt folder again.
> >
> > 7. restored phone* back to crypt folder.
> >
> > I thought that with encryption lines removed from dsm.opt, either
> > the encrypted files wouldn't restore, or would be restored as garbage.
> > Not so. Restored perfectly.
> >
> > What have I missed?
> > Also, is there a way to verify that the specified files are truly
> > encrypted?
> >
> > Thanks again for the assistance.
> >
> >
> >
> >
> > Gary Lee
> > Senior System Programmer
> > Ball State University
> > phone: 765-285-1310
> >
> >
>

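Two remarks in this thread and in the "Who is performing Client Based
Encryption and Compression" one point at the same fact: once the client has
encrypted the data, the tape drive's compression and the VTL's deduplication
have nothing left to work with, which is why admins are told to turn on client
compression whenever they turn on client encryption (the client compresses
before it encrypts). The following demonstration is an added example, not code
from any post here or from the TSM client: it compresses a constructed,
repetitive sample in both orders and compares the sizes. The cipher is a
stand-in for the client's AES, a keystream from HMAC-SHA256 in counter mode
XORed into the data, chosen only because the Python standard library has no
AES; the key and nonce are fixed demo values.

```python
"""Order matters: encrypt-then-compress vs compress-then-encrypt.

Added demonstration, not code from the thread. A drive or VTL that receives
client-encrypted data sees only ciphertext, so its own compression (and dedup)
gains nothing; compressing on the client first keeps the saving. The cipher is
a stand-in for AES: HMAC-SHA256 in counter mode as a keystream, XORed into the
data. The sample input is constructed, repetitive log-style text.
"""
import hashlib
import hmac
import zlib
from typing import Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key/nonce decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def constructed_sample(lines: int = 2000) -> bytes:
    """Repetitive text standing in for a typical file-server backup stream."""
    return b"".join(
        b"2012-11-27 22:%02d:%02d INFO worker %d stored /data/share/file%05d.dat OK\n"
        % ((i // 60) % 60, i % 60, i % 8, i)
        for i in range(lines)
    )


def compression_ratio(data: bytes) -> float:
    """zlib output size / input size; 1.0 or more means nothing was saved."""
    return len(zlib.compress(data, 6)) / len(data)


def compare_orders(data: bytes, key: bytes, nonce: bytes) -> Tuple[float, float, float]:
    """Return (plain, encrypt_then_compress, compress_then_encrypt) size ratios.

    The third value is what reaches the server when the client compresses and
    then encrypts: the stream cipher preserves length, so the saving survives.
    """
    plain = compression_ratio(data)
    encrypt_then_compress = compression_ratio(stream_encrypt(key, nonce, data))
    compressed = zlib.compress(data, 6)
    compress_then_encrypt = len(stream_encrypt(key, nonce, compressed)) / len(data)
    return plain, encrypt_then_compress, compress_then_encrypt


if __name__ == "__main__":
    # Fixed demo key/nonce; a real client derives its key from the ENCRYPTKEY setting.
    key, nonce = b"\x11" * 32, b"\x22" * 16
    data = constructed_sample()
    plain, enc_first, comp_first = compare_orders(data, key, nonce)
    print(f"plaintext compresses to   {plain:.3f} of original size")
    print(f"encrypt, then compress:   {enc_first:.3f} (no gain; ciphertext is incompressible)")
    print(f"compress, then encrypt:   {comp_first:.3f} (gain preserved)")
```

The same reasoning applies to a deduplicating VTL: two identical files
encrypted on the client under different keys or nonces produce unrelated
ciphertext, so the appliance cannot match them, which is the exposure Chad's
thread is trying to inventory.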

Re: More tsm encryption questions

2012-03-22 Thread Prather, Wanda
>>I'm struggling to see what use generate is. What's the point of encrypting 
>>the data when the key is handed out whenever a restore is performed?
Well, it prevents anybody who doesn't have access to the console of that 
machine from restoring the data, esp. to a different machine.
If you don't use generate, then the backup can't be run by the scheduler 
because there is no one there to answer the prompt for the key.

If you want to do a manual backup and supply the ken, specify encryptkey prompt.

Here is info you can use to verify whether the data is encrypted:
http://adsm.org/lists/html/ADSM-L/2009-03/msg00425.html


>>That must be why I've only ever used "encryptkey save" in the past.


On 22 March 2012 19:57, Bill Boyer  wrote:

> With the ENCRYPTKEY GENERATE specified the client creates the key at 
> the beginning of the backup and that key is kept with the data stream 
> stored on the TSM server. When you restore this the key in the data 
> stream is used. I believe they also refer to this as transparent encryption.
>
> The include.encrypt will only affect future backups, not any backups 
> already encrypted and stored on the TSM server.
>
>
> Bill Boyer
> "There are 10 kinds of people in the world. Those that understand 
> binary and those that don't." - ??
>
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf 
> Of Steven Langdale
> Sent: Thursday, March 22, 2012 2:21 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] More tsm encryption questions
>
> They restored because the client had an encryption key, delete that, 
> or possibly the encryptiontype line and you will be prompted for it.
>
> As for testing to see if they ARE encrypted, I think the client may 
> say with a q backup (but not sure).  The test I used was to try a 
> restore after I had removed the key file.
>
> One aside, if you are using tape technology that compresses, the 
> compression will go down the drain.
>
> Steven
>
>
>
> On 22 March 2012 18:01, Lee, Gary  wrote:
>
> > Ok.  Think I have encryption working.
> >
> > Tried the following experiment.
> >
> > 1. Added these lines to dsm.opt
> >
> > encryptiontype aes128
> > encryptkey generate
> > include.encrypt "c:\Documents and Settings\glee.BSU\My 
> > Documents\crypt\...\*"
> >
> > 2. did an incremental backup to pick up the crypt folder just 
> > created and filled.
> >
> > 3. deleted all files starting with "phon"
> >
> > 4. Restored files starting with phon back to crypt folder.  Went well.
> >
> > 5. commented all encryption related lines out of dsm.opt.
> >
> > 6. removed phone* from crypt folder again.
> >
> > 7. restored phone* back to crypt folder.
> >
> > I thought that with encryption lines removed from dsm.opt, either 
> > the encrypted files wouldn't restore, or would be restored as garbage.
> > Not so. Restored perfectly.
> >
> > What have I missed?
> > Also, is there a way to verify that the specified files are truly 
> > encrypted?
> >
> > Thanks again for the assistance.
> >
> >
> >
> >
> > Gary Lee
> > Senior System Programmer
> > Ball State University
> > phone: 765-285-1310
> >
> >
>


Re: More tsm encryption questions

2012-03-22 Thread Steven Langdale
Well, there you go, you're spot on there Bill!

I'm struggling to see what use generate is.  What's the point of encrypting
the data when the key is handed out whenever a restore is performed?

That must be why I've only ever used "encryptkey save" in the past.


On 22 March 2012 19:57, Bill Boyer  wrote:

> With the ENCRYPTKEY GENERATE specified the client creates the key at the
> beginning of the backup and that key is kept with the data stream stored on
> the TSM server. When you restore this the key in the data stream is used. I
> believe they also refer to this as transparent encryption.
>
> The include.encrypt will only affect future backups, not any backups
> already encrypted and stored on the TSM server.
>
>
> Bill Boyer
> "There are 10 kinds of people in the world. Those that understand binary
> and
> those that don't." - ??
>
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
> Steven Langdale
> Sent: Thursday, March 22, 2012 2:21 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] More tsm encryption questions
>
> They restored because the client had an encryption key, delete that, or
> possibly the encryptiontype line and you will be prompted for it.
>
> As for testing to see if they ARE encrypted, I think the client may say
> with a q backup (but not sure).  The test I used was to try a restore after
> I had removed the key file.
>
> One aside, if you are using tape technology that compresses, the
> compression will go down the drain.
>
> Steven
>
>
>
> On 22 March 2012 18:01, Lee, Gary  wrote:
>
> > Ok.  Think I have encryption working.
> >
> > Tried the following experiment.
> >
> > 1. Added these lines to dsm.opt
> >
> > encryptiontype aes128
> > encryptkey generate
> > include.encrypt "c:\Documents and Settings\glee.BSU\My
> > Documents\crypt\...\*"
> >
> > 2. did an incremental backup to pick up the crypt folder just created
> > and filled.
> >
> > 3. deleted all files starting with "phon"
> >
> > 4. Restored files starting with phon back to crypt folder.  Went well.
> >
> > 5. commented all encryption related lines out of dsm.opt.
> >
> > 6. removed phone* from crypt folder again.
> >
> > 7. restored phone* back to crypt folder.
> >
> > I thought that with encryption lines removed from dsm.opt, either the
> > encrypted files wouldn't restore, or would be restored as garbage.
> > Not so. Restored perfectly.
> >
> > What have I missed?
> > Also, is there a way to verify that the specified files are truly
> > encrypted?
> >
> > Thanks again for the assistance.
> >
> >
> >
> >
> > Gary Lee
> > Senior System Programmer
> > Ball State University
> > phone: 765-285-1310
> >
> >
>


Re: More tsm encryption questions

2012-03-22 Thread Bill Boyer
With the ENCRYPTKEY GENERATE specified the client creates the key at the
beginning of the backup and that key is kept with the data stream stored on
the TSM server. When you restore this the key in the data stream is used. I
believe they also refer to this as transparent encryption.

The include.encrypt will only affect future backups, not any backups already
encrypted and stored on the TSM server.


Bill Boyer
"There are 10 kinds of people in the world. Those that understand binary and
those that don't." - ??




-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Steven Langdale
Sent: Thursday, March 22, 2012 2:21 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] More tsm encryption questions

They restored because the client had an encryption key, delete that, or
possibly the encryptiontype line and you will be prompted for it.

As for testing to see if they ARE encrypted, I think the client may say with
a q backup (but not sure).  The test I used was to try a restore after I had
removed the key file.

One aside, if you are using tape technology that compresses, the compression
will go down the drain.

Steven



On 22 March 2012 18:01, Lee, Gary  wrote:

> Ok.  Think I have encryption working.
>
> Tried the following experiment.
>
> 1. Added these lines to dsm.opt
>
> encryptiontype aes128
> encryptkey generate
> include.encrypt "c:\Documents and Settings\glee.BSU\My
> Documents\crypt\...\*"
>
> 2. did an incremental backup to pick up the crypt folder just created
> and filled.
>
> 3. deleted all files starting with "phon"
>
> 4. Restored files starting with phon back to crypt folder.  Went well.
>
> 5. commented all encryption related lines out of dsm.opt.
>
> 6. removed phone* from crypt folder again.
>
> 7. restored phone* back to crypt folder.
>
> I thought that with encryption lines removed from dsm.opt, either the
> encrypted files wouldn't restore, or would be restored as garbage.
> Not so. Restored perfectly.
>
> What have I missed?
> Also, is there a way to verify that the specified files are truly
> encrypted?
>
> Thanks again for the assistance.
>
>
>
>
> Gary Lee
> Senior System Programmer
> Ball State University
> phone: 765-285-1310
>
>


Re: More tsm encryption questions

2012-03-22 Thread Steven Langdale
They restored because the client had an encryption key, delete that, or
possibly the encryptiontype line and you will be prompted for it.

As for testing to see if they ARE encrypted, I think the client may say
with a q backup (but not sure).  The test I used was to try a restore after
I had removed the key file.

One aside, if you are using tape technology that compresses, the
compression will go down the drain.

Steven



On 22 March 2012 18:01, Lee, Gary  wrote:

> Ok.  Think I have encryption working.
>
> Tried the following experiment.
>
> 1. Added these lines to dsm.opt
>
> encryptiontype aes128
> encryptkey generate
> include.encrypt "c:\Documents and Settings\glee.BSU\My
> Documents\crypt\...\*"
>
> 2. did an incremental backup to pick up the crypt folder just created and
> filled.
>
> 3. deleted all files starting with "phon"
>
> 4. Restored files starting with phon back to crypt folder.  Went well.
>
> 5. commented all encryption related lines out of dsm.opt.
>
> 6. removed phone* from crypt folder again.
>
> 7. restored phone* back to crypt folder.
>
> I thought that with encryption lines removed from dsm.opt, either the
> encrypted files wouldn't restore, or would be restored as garbage.  Not
> so. Restored perfectly.
>
> What have I missed?
> Also, is there a way to verify that the specified files are truly
> encrypted?
>
> Thanks again for the assistance.
>
>
>
>
> Gary Lee
> Senior System Programmer
> Ball State University
> phone: 765-285-1310
>
>


More tsm encryption questions

2012-03-22 Thread Lee, Gary
Ok.  Think I have encryption working.

Tried the following experiment.

1. Added these lines to dsm.opt

encryptiontype aes128
encryptkey generate
include.encrypt "c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*"

2. did an incremental backup to pick up the crypt folder just created and 
filled.

3. deleted all files starting with "phon"

4. Restored files starting with phon back to crypt folder.  Went well.

5. commented all encryption related lines out of dsm.opt.

6. removed phone* from crypt folder again.

7. restored phone* back to crypt folder.

I thought that with encryption lines removed from dsm.opt, either the  
encrypted files wouldn't restore, or would be restored as garbage.  Not so. 
Restored perfectly.

What have I missed?
Also, is there a way to verify that the specified files are truly encrypted?

Thanks again for the assistance.




Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

 

Re: Encryption include clarification

2012-03-22 Thread Prather, Wanda
Yep in filenames, not in directory names.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Lee, 
Gary
Sent: Thursday, March 22, 2012 11:07 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption include clarification

Thanks to Wanda for the solution.  I forgot about ...

So finally, "*" matches everything, as always in Unix, Linux, etc.


 


Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

 
-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Prather, Wanda
Sent: Thursday, March 22, 2012 11:01 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption include clarification

... is a wildcard for subdirectories.
Do not use the notation *.*, as that pattern will only match files with a . in 
the name. (There is a lot of old incorrect doc out there with that notation 
left over from pre-long-filename Windows, but don't use it.)

What you want is:
Include.encrypt "c:\crypt\...\*"

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Lee, 
Gary
Sent: Thursday, March 22, 2012 10:55 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption include clarification

I wish to encrypt all files in c:\crypt and all its subdirectories.
If I read the client manual correctly, this will take two include.encrypt 
statements as follows:
Include.encrypt "c:\crypt\*.*"
Include.encrypt "c:\crypt\"

Is this correct? If not, where have I gone wrong?

Thanks for the help.



Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

 


Re: Encryption include clarification

2012-03-22 Thread Lee, Gary
Thanks to Wanda for the solution.  I forgot about ...

So finally, "*" matches everything, as always in Unix, Linux, etc.


 


Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

 
-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Prather, Wanda
Sent: Thursday, March 22, 2012 11:01 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption include clarification

... is a wildcard for subdirectories.
Do not use the notation *.*, as that pattern will only match files with a . in 
the name. (There is a lot of old incorrect doc out there with that notation 
left over from pre-long-filename Windows, but don't use it.)

What you want is:
Include.encrypt "c:\crypt\...\*"

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Lee, 
Gary
Sent: Thursday, March 22, 2012 10:55 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption include clarification

I wish to encrypt all files in c:\crypt and all its subdirectories.
If I read the client manual correctly, this will take two include.encrypt 
statements as follows:
Include.encrypt "c:\crypt\*.*"
Include.encrypt "c:\crypt\"

Is this correct? If not, where have I gone wrong?

Thanks for the help.



Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

 


Re: Encryption include clarification

2012-03-22 Thread Prather, Wanda
... is a wildcard for subdirectories.
Do not use the notation *.*, as that pattern will only match files with a . in 
the name. (There is a lot of old incorrect doc out there with that notation 
left over from pre-long-filename Windows, but don't use it.)

What you want is:
Include.encrypt "c:\crypt\...\*"

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Lee, 
Gary
Sent: Thursday, March 22, 2012 10:55 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption include clarification

I wish to encrypt all files in c:\crypt and all its subdirectories.
If I read the client manual correctly, this will take two include.encrypt 
statements as follows:
Include.encrypt "c:\crypt\*.*"
Include.encrypt "c:\crypt\"

Is this correct? If not, where have I gone wrong?

Thanks for the help.



Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310
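
The difference between the two include lines in the question and the one Wanda recommends comes down to how the client's wildcards are scoped. Below is an added example (written for this thread, not code from the TSM client or from IBM) that models the three rules the thread relies on: `*` matches within a single file or directory name and never crosses a separator, `?` matches one character, and `...` as a whole path component matches zero or more directory levels. It then reports which files of a constructed `c:\crypt` tree each set of include.encrypt patterns would leave unencrypted. The sample file names and the function names are the example's own; the pattern semantics are those described above.

```python
import re

# Added example, not TSM client code: a matcher for the include/exclude
# pattern syntax discussed in the thread.  Rules implemented:
#   *    matches zero or more characters within ONE file or directory name
#   ?    matches exactly one character within a name
#   ...  as a whole path component matches zero or more directory levels
# Windows paths are case-insensitive, so both sides are lowercased, and
# backslashes are normalised to "/" before matching.

def tsm_pattern_to_regex(pattern: str) -> str:
    """Translate a TSM-style include pattern into an anchored regex."""
    parts = pattern.replace("\\", "/").lower().split("/")
    pieces = []
    for part in parts:
        if part == "...":
            pieces.append("(?:[^/]+/)*")        # any number of directories
        else:
            seg = re.escape(part)
            seg = seg.replace(r"\*", "[^/]*")   # * never crosses a separator
            seg = seg.replace(r"\?", "[^/]")
            pieces.append(seg + "/")
    regex = "".join(pieces)
    if parts[-1] != "...":
        regex = regex[:-1]                      # last component is a file name
    return "^" + regex + "$"


def matches(pattern: str, path: str) -> bool:
    """True if `path` would be selected by the include pattern `pattern`."""
    normalised = path.replace("\\", "/").lower()
    return re.match(tsm_pattern_to_regex(pattern), normalised) is not None


def uncovered_files(patterns, paths):
    """Return the paths that NO pattern in `patterns` selects (i.e. that
    would be backed up without encryption under those include lines)."""
    return [p for p in paths if not any(matches(pat, p) for pat in patterns)]


# Constructed sample tree (not from the thread).
SAMPLE_FILES = [
    "c:\\crypt\\report.docx",
    "c:\\crypt\\README",               # no "." in the name
    "c:\\crypt\\2012\\q1\\notes.txt",  # two directory levels down
    "c:\\crypt\\2012\\q1\\budget",
    "c:\\public\\index.html",          # outside c:\crypt, must never match
]

# The two lines from the original question ...
NAIVE_PATTERNS = ["c:\\crypt\\*.*", "c:\\crypt\\"]
# ... and the single line recommended in the reply.
RECOMMENDED_PATTERNS = ["c:\\crypt\\...\\*"]

if __name__ == "__main__":
    for label, pats in (("naive", NAIVE_PATTERNS),
                        ("recommended", RECOMMENDED_PATTERNS)):
        print(f"{label}: left unencrypted -> {uncovered_files(pats, SAMPLE_FILES)}")
```

Running it shows the failure mode the reply warns about: with `c:\crypt\*.*` plus `c:\crypt\`, the file without a dot and everything in subdirectories stay unencrypted, while `c:\crypt\...\*` covers the whole tree and nothing outside it. The same helper can be pointed at a real file list exported from the client to audit an include.encrypt set before relying on it.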

 


Encryption include clarification

2012-03-22 Thread Lee, Gary
I wish to encrypt all files in c:\crypt and all its subdirectories.
If I read the client manual correctly, this will take two include.encrypt 
statements as follows:
Include.encrypt "c:\crypt\*.*"
Include.encrypt "c:\crypt\"

Is this correct? If not, where have I gone wrong?

Thanks for the help.



Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

 

Re: Detect client-level encryption from the TSM server?

2012-02-08 Thread Grigori Solonovitch
For TSM 5.5.6:
- encryption for files only from client:
dsmc query backup "/" -detail 
-traceflags=query
- for TDP for Oracle on TSM Server:
Q ACTLOG OR=CLIENT NODE= and check end of "backup/restore details 
...." lines for "Encryption: AES_128BIT"
Good luck!

Grigori G. Solonovitch
Senior Technical Architect  Ahli United Bank Kuwait  www.ahliunited.com.kw

Please consider the environment before printing this E-mail


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Keith 
Arbogast
Sent: 08 02 2012 11:52 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Detect client-level encryption from the TSM server?

Can one detect from the TSM server whether client-level encryption is set on or 
off for each backup node? Inquiring security admins want to know.

With my thanks and best wishes,
Keith Arbogast
Indiana University

Please consider the environment before printing this Email.

CONFIDENTIALITY AND WAIVER: The information contained in this electronic mail 
message and any attachments hereto may be legally privileged and confidential. 
The information is intended only for the recipient(s) named in this message. If 
you are not the intended recipient you are notified that any use, disclosure, 
copying or distribution is prohibited. If you have received this in error 
please contact the sender and delete this message and any attachments from your 
computer system. We do not guarantee that this message or any attachment to it 
is secure or free from errors, computer viruses or other conditions that may 
damage or interfere with data, hardware or software.


Re: Detect client-level encryption from the TSM server?

2012-02-08 Thread Paul Zarnowski
Keith,

This is not something that the TSM admin controls, and it is not enabled by 
node.  The only way I know of to detect encrypted files is from the client-side 
DSMC CLI.  E.g., dsmc query backup  -detail should show you which files 
are encrypted and using what encryption algorithm.  I do not think this will 
show you how the encryption keys are managed, however.

Note that if a file is backed up unencrypted, adding an "include.encrypt" rule 
to encrypt it does not automatically cause that file to be backed up again 
using encryption.  The addition of the encryption include is not recognized by 
TSM as a reason to back up the file.  We have had more than one user surprised 
by this.

Paul Zarnowski
Cornell University

At 03:52 PM 2/8/2012, Keith Arbogast wrote:
>Can one detect from the TSM server whether client-level encryption is set on 
>or off for each backup node? Inquiring security admins want to know.
>
>With my thanks and best wishes,
>Keith Arbogast
>Indiana University


--
Paul Zarnowski                          Ph: 607-255-4757
Manager, Storage Services               Fx: 607-255-8521
719 Rhodes Hall, Ithaca, NY 14853-3801  Em: p...@cornell.edu


Detect client-level encryption from the TSM server?

2012-02-08 Thread Keith Arbogast
Can one detect from the TSM server whether client-level encryption is set on or 
off for each backup node? Inquiring security admins want to know.

With my thanks and best wishes,
Keith Arbogast
Indiana University

Backupset encryption - quick question

2011-09-07 Thread Steven Langdale
Hi all

I need to transport a backup set and need at least some basic encryption.

Before I do a load of testing, I thought I'd ask the group

Does anyone know if client side encryption "include.encrypt" works with
backup sets, or rather, can you restore the stuff!

I'll be restoring via a locally attach drive.

Thanks

Steven


Re: Any default encryption for TSM server??

2011-08-10 Thread Shawn Drew
I would say there are 4 types of encryption.  (Chapter 14 in the 5.5 Admin 
Guide covers a lot of this)

- TSM Client level encryption (using the include.encrypt and various 
client options)  Data is encrypted before sending to the TSM server. 
(software based)
- TSM Server level encryption (using the devclass DRIVEEncryption option) 
This is done at the devclass/stgpool level  (i.e. DB backups are not 
encrypted) (hardware based)
- AIX System level.  Encryption is handled at the Atape level (hardware 
based)
- Library managed (completely transparent to TSM) (hardware based)


1- no default encryption
2- Each method will have its own way to check.   The way we proved to our 
auditors involved documenting an attempt to restore without the keys 
(which failed)
3- These have nothing to do with encryption.  These are basic client 
files.  Refer to the TSM Client manual. 



Regards, 
Shawn

Shawn Drew





From: tsm-fo...@backupcentral.com (Internet)
Sent by: ADSM-L@VM.MARIST.EDU
Date: 08/09/2011 09:22 PM
Please respond to: ADSM-L@VM.MARIST.EDU
To: ADSM-L
Subject: [ADSM-L] Any default encryption for TSM server??

I conclude that TSM encryption can be categorized into two types: 1) 
Software/application layer encryption 2) Hardware layer encryption (Tape 
drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have 
default encryption if we never configure any setting to enable the 
software/application and there is no license key bought for the hardware 
layer to do encryption?

2) If a software/application was configured or installed on the server, how 
can we check it? (e.g. Maybe there are some files or commands able to show 
it; please show me the way to check whether encryption is enabled or 
not to protect the data)

3) Can you tell me where these files are and what their content is about:
- TSM.PWD
- Dsm.sys
- Dsm.opt

And what do INCLUDE.ENCRYPT and EXCLUDE.ENCRYPT statements mean? Where are 
they?
And the last question is which file contains the encryptkey and 
encryptiontype parameters?

+--
|This was sent by terrancey...@yahoo.com via Backup Central.
|Forward SPAM to ab...@backupcentral.com.
+--



This message and any attachments (the "message") is intended solely for 
the addressees and is confidential. If you receive this message in error, 
please delete it and immediately notify the sender. Any use not in accord 
with its purpose, any dissemination or disclosure, either whole or partial, 
is prohibited except formal approval. The internet can not guarantee the 
integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) 
not therefore be liable for the message if modified. Please note that certain 
functions and services for BNP Paribas may be performed by BNP Paribas RCC, Inc.


Re: Any default encryption for TSM server??

2011-08-10 Thread Grigori Solonovitch
There is no default encryption on TSM Server.
For hardware encryption you need to look into drive configuration.
Software encryption is supported by TSM Client and TDP (API).
For example, we need to encrypt all information related to Oracle databases on 
an AIX logical partition (database dumps and database backups via TDPO).
Configuration steps are (encryption keys are kept in the TSM database):

1) to enable the possibility of encryption for AIX file systems add the following 
lines to /usr/tivoli/tsm/ba/bin64/dsm.sys:
   Nodename   LPAR05
   Encryptiontype AES128
   Encryptkey generate
   InclExcl   /backup/tsm/ba/InclExcl.list
2) to enable the possibility of encryption for TDP for Oracle backups add the 
following lines to /usr/tivoli/tsm/api/bin64/dsm.sys:
   NODENAME LPAR05_ORA
   Encryptiontype   AES128
   Encryptkey   generate
   Inclexcl /backup/tsm/ba/InclExcl.list

3) set encryption for database dumps and TDPO backups in include/exclude list 
/backup/tsm/ba/InclExcl.list:
include * AIX
include /.../* FSLPAR05
include /ifns_ifns/.../* DBLPAR05
include /patm_patm/.../* DBLPAR05
include /ptel_ptel/.../* DBLPAR05
include.encrypt /ifns_ifns/.../*
include.encrypt /patm_patm/.../*
include.encrypt /ptel_ptel/.../*
include.encrypt *.dmp.Z

Note that there are 3 databases with file space names ifns_ifns, patm_patm and 
ptel_ptel (names are defined in the TDPO configuration file). In addition, all 
database dumps are kept in compressed files *.dmp.Z. The list of encrypted files 
can be expanded by adding INCLUDE.ENCRYPT lines to the include/exclude list.

To check encryption for databases:

q act  or=client node=LPAR05_ORA begind=08/09/2011
.
Date/Time: 08/09/2011 15:44:51
  Message: ANE4991I (Session: 42231, Node: LPAR05_ORA)  TDP Oracle AIX ANU0599  
TDP for Oracle: (9216226): =>(LPAR05_ORA) ANU2526I Backup details for backup 
piece /ifns_ifns///LPAR05/ifns.09.1.58075.1.758734242 (database "IFNSDB"). 
Total bytes sent: 9756213248. Total processing time: 00:14:06. Throughput rate: 
11261.88Kb/Sec. Compressed: Yes , 61%. Encryption: AES_128BIT. LAN-Free: 
No.(SESSION: 42231)
..
Date/Time: 08/09/2011 16:05:32
  Message: ANE4991I (Session: 44685, Node: LPAR05_ORA)  TDP Oracle AIX ANU0599  
TDP for Oracle: (10055750): =>(LPAR05_ORA) ANU2526I Backup details for backup 
piece /patm_patm///LPAR05/Archive_patm.09.50832.1.758736133 (database 
"PATMDB"). Total bytes sent: 3064201216. Total processing time: 00:03:17. 
Throughput rate: 15189.77Kb/Sec. Compressed: Yes , 54%. Encryption: AES_128BIT. 
LAN-Free: No.(SESSION: 44685)



To check encryption for database dumps:
dsmc query backup "/home/users05/fnsonli/backup/*.dmp.Z" -detail 
-traceflags=query
dsmc query backup "/backup05/exp/patm/*.dmp.Z" -detail -traceflags=query
dsmc query backup "/backup05/exp/ptel/*.dmp.Z" -detail -traceflags=query
dsmc query backup "/backup05/exp/ptel/*.log" -detail -traceflags=query

For example, prove_encryption.sh gives:

IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
  Client Version 6, Release 2, Level 2.0
  Client date/time: 08/10/11   13:20:20
(c) Copyright by IBM Corporation and other(s) 1990, 2010. All Rights Reserved.

Node Name: LPAR05
Session established with server BKME: AIX-RS/6000
  Server Version 5, Release 5, Level 5.2
  Data compression forced on by the server
  Server date/time: 08/10/11   13:20:20  Last access: 08/09/11   16:49:09

           Size      Backup Date        Mgmt Class   A/I  File
           ----      -----------        ----------   ---  ----
13,012,947,599  B  08/09/11   16:30:00  FSLPAR05     A    /home/users05/fnsonli/backup/expfns1.dmp.Z
        Modified: 08/09/11   01:25:29   Accessed: 08/08/11   16:42:19
        Compressed:  NO    Encryption Type: 128-bit AES
Client-deduplicated: NO
...

I hope this will answer all your questions.

Grigori G. Solonovitch


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
terrance
Sent: Wednesday, August 10, 2011 4:22 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Any default encryption for TSM server??

I conclude that TSM encryption can be categorized into two types: 1) 
Software/application layer encryption 2) Hardware layer encryption (Tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default 
encryption if we never configure any setting to enable the software/application 
and there is no license key bought for the hardware layer to do encryption?

2) If a software/application was configured or installed on the server, how can 
we check it? (e.g. Maybe there are some files or commands able to show it; 
please show me the way to check whether encryption is enabled or not to 
protect the data)

3) Can you tell me where are these f
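
The two checks above (dsmc query backup -detail on the client, and the ANE4991I "Backup details" lines in the server activity log for TDP nodes) both answer the security admin's question only if someone actually reads every line. The following added example (written for this thread, not code from IBM or from any of the posters) parses both outputs and lists the objects that were stored without encryption. The sample output is constructed to mirror the layout shown in the post; the backup piece names and the "Encryption Type: None" / "Encryption: None" wording used for unencrypted objects are assumptions for the example, and the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Added example, not TSM code.  Extracts the encryption status of backed-up
# objects from the two sources named in the thread.

@dataclass
class EncryptionRecord:
    source: str       # "dsmc" (client query) or "actlog" (server activity log)
    node: str
    name: str         # backed-up file, or TDP backup piece
    encryption: str   # as reported, e.g. "128-bit AES", "AES_128BIT", "None"

    @property
    def encrypted(self) -> bool:
        # "None" wording for unencrypted objects is an assumption of this example
        return self.encryption.strip().lower() not in ("", "none", "no")


# "dsmc query backup ... -detail": one entry line per object, then detail lines.
DSMC_NODE = re.compile(r"^\s*Node Name:\s*(?P<node>\S+)")
DSMC_ENTRY = re.compile(
    r"^\s*[\d,]+\s+B\s+\S+\s+\S+\s+\S+\s+[AI]\s+(?P<file>\S.*?)\s*$")
DSMC_ENC = re.compile(r"Encryption Type:\s*(?P<enc>.+?)\s*$")

def parse_dsmc_detail(text: str):
    records, node, current = [], "?", None
    for line in text.splitlines():
        m_node = DSMC_NODE.match(line)
        m_entry = DSMC_ENTRY.match(line)
        m_enc = DSMC_ENC.search(line)
        if m_node:
            node = m_node.group("node")
        elif m_entry:
            current = m_entry.group("file")      # remember the object this detail belongs to
        elif current and m_enc:
            records.append(EncryptionRecord("dsmc", node, current, m_enc.group("enc")))
            current = None
    return records


# Server side: ANE4991I / ANU2526I "Backup details" messages for TDP for Oracle.
ACT_DETAIL = re.compile(
    r"Node:\s*(?P<node>[^)\s]+)\).*?backup piece\s+(?P<piece>\S+)"
    r".*?Encryption:\s*(?P<enc>[A-Za-z0-9_]+)")

def parse_actlog(text: str):
    records = []
    for chunk in re.split(r"(?m)^\s*Date/Time:", text):
        flat = " ".join(chunk.split())           # undo line wrapping inside one message
        m = ACT_DETAIL.search(flat)
        if m:
            records.append(EncryptionRecord("actlog", m.group("node"),
                                            m.group("piece"), m.group("enc")))
    return records


def unencrypted(records):
    """Names of objects whose record says they were stored without encryption."""
    return [r.name for r in records if not r.encrypted]


# Constructed sample client output (layout modelled on the post, values invented).
DSMC_SAMPLE = """\
Node Name: LPAR05
Session established with server BKME: AIX-RS/6000

           Size      Backup Date        Mgmt Class   A/I  File
           ----      -----------        ----------   ---  ----
13,012,947,599  B  08/09/11   16:30:00  FSLPAR05     A    /backup05/exp/patm/exppatm1.dmp.Z
        Modified: 08/09/11   01:25:29   Accessed: 08/08/11   16:42:19
        Compressed:  NO    Encryption Type: 128-bit AES
        Client-deduplicated: NO
         4,096  B  08/09/11   16:31:12  FSLPAR05     A    /backup05/exp/patm/export.log
        Modified: 08/09/11   01:26:00   Accessed: 08/08/11   16:42:19
        Compressed:  NO    Encryption Type: None
        Client-deduplicated: NO
"""

# Constructed sample activity log (two TDP backup pieces, one unencrypted).
ACTLOG_SAMPLE = """\
Date/Time: 08/09/2011 15:44:51
  Message: ANE4991I (Session: 42231, Node: LPAR05_ORA)  TDP Oracle AIX ANU0599
TDP for Oracle: (9216226): =>(LPAR05_ORA) ANU2526I Backup details for backup
piece /patm_patm///LPAR05/patm.09.1.1001.1.700000001 (database "PATMDB").
Total bytes sent: 9756213248. Total processing time: 00:14:06. Throughput rate:
11261.88Kb/Sec. Compressed: Yes , 61%. Encryption: AES_128BIT. LAN-Free:
No.(SESSION: 42231)

Date/Time: 08/09/2011 16:05:32
  Message: ANE4991I (Session: 44685, Node: LPAR05_ORA)  TDP Oracle AIX ANU0599
TDP for Oracle: (10055750): =>(LPAR05_ORA) ANU2526I Backup details for backup
piece /ptel_ptel///LPAR05/ptel.09.2.1002.1.700000002 (database "PTELDB").
Total bytes sent: 3064201216. Total processing time: 00:03:17. Throughput rate:
15189.77Kb/Sec. Compressed: Yes , 54%. Encryption: None. LAN-Free: No.(SESSION: 44685)
"""

if __name__ == "__main__":
    for rec in parse_dsmc_detail(DSMC_SAMPLE) + parse_actlog(ACTLOG_SAMPLE):
        print(f"{rec.source:6} {rec.node:12} {rec.encryption:12} {rec.name}")
    print("unencrypted:", unencrypted(parse_dsmc_detail(DSMC_SAMPLE) + parse_actlog(ACTLOG_SAMPLE)))
```

Feed the real `dsmc query backup "<filespec>" -detail` output to `parse_dsmc_detail` and the `q actlog or=client node=<tdp node>` output to `parse_actlog`; anything in the `unencrypted` list is an object that the include.encrypt rules did not cover at the time it was backed up, which, as noted earlier in the thread, adding the rule afterwards does not fix until the file changes and is backed up again.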

Any default encryption for TSM server??

2011-08-10 Thread terrance
Can anyone tell me what the steps are to restore the data from tape?
Let's say the tape is lost, and the catalog tape is also lost together with it.
Is it possible for an outsider to retrieve the data using both of the tapes?

(as I know, the encryption key is stored inside the catalog and backed up to 
a tape)<<(correct?)

Can the catalog only be retrieved by a particular account inside the same TSM 
server? So a different TSM server has a different account and password; does it 
make sense that an outsider is unable to retrieve data on a server different from 
the original server?



Any default encryption for TSM server??

2011-08-09 Thread terrance
I conclude that TSM encryption can be categorized into two types: 1) 
Software/application layer encryption 2) Hardware layer encryption (Tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default 
encryption if we never configure any setting to enable the software/application 
and there is no license key bought for the hardware layer to do encryption?

2) If a software/application was configured or installed on the server, how can 
we check it? (e.g. Maybe there are some files or commands able to show it; 
please show me the way to check whether encryption is enabled or not to 
protect the data)

3) Can you tell me where these files are and what their content is about:
- TSM.PWD
- Dsm.sys
- Dsm.opt

And what do INCLUDE.ENCRYPT and EXCLUDE.ENCRYPT statements mean? Where are they?
And the last question is which file contains the encryptkey and encryptiontype 
parameters?



Verifying IBM TSM Encryption types

2011-08-02 Thread terrance
I checked my TSM server with this command
"q devclass  f=d"
and it shows that Drive Encryption is set ON.
So I know that my TSM server is using the AME method to encrypt the data.
But are there any prerequisites and configuration steps to achieve it?



Verifying IBM TSM Encryption types

2011-08-02 Thread terrance
1) Are any prerequisites or conditions required before the data is encrypted? 
According to my understanding, TSM is a storage manager server, so does any driver 
or software need to be installed or configured to enable the encryption method, 
either on the client side or the driver side?

2) According to the information I found, EKM must be installed before 
configuring TSM with LME and SME. So at this stage how can I verify or 
justify that EKM is installed on the TSM server?



Re: Verifying IBM TSM Encryption types

2011-08-02 Thread Richard Sims
On Aug 1, 2011, at 10:59 PM, terrance wrote:

> So what you mean is that the TSM server doesn't have its own encryption, and 
> instead relies on the driver or client side encryption?
> ...

The Administrator's Guide for your given TSM release will describe encryption 
opportunities available from the standpoint of the TSM server.  The server 
developers don't waste time creating functionality which is provided by other 
means, such as tape drives (let the hardware do the work) or the client (where 
data must be secure in network conveyance and disk storage pool residency).  
Certainly, it's possible to encrypt data twice, just as it can be subjected to 
multiple phases of processing performing compression in passing data.

   Richard Sims


Verifying IBM TSM Encryption types

2011-08-01 Thread terrance
So what you mean is that the TSM server doesn't have its own encryption, and 
instead relies on the driver or client side encryption?
1) What I mean is that when data is stored inside the storage, will any encryption 
step run at this stage before it is backed up to a tape?

2) Is it possible for a TSM server to use both encryptions, such as driver 
encryption (AME, LME or SME) and client side encryption?

For example, when a client submits data or info to the storage, the data is 
encrypted and stored in the storage. After that, when the backup starts, the data 
will be encrypted a second time and stored on a tape by the driver.
So does it make sense?



Re: Verifying IBM TSM Encryption types

2011-08-01 Thread Grigori Solonovitch
In addition - in case of using TDP for Oracle you can inspect TSM Server logs 
for TDP nodes. I think for other TDPs it is the same.
Be careful with encryption for TDP backups - some additional configuration 
efforts are required.


From: ADSM: Dist Stor Manager [ADSM-L@VM.MARIST.EDU] On Behalf Of Richard Sims 
[r...@bu.edu]
Sent: Monday, August 01, 2011 8:10 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Verifying IBM TSM Encryption types

TSM client encryption can be verified per IBM Technote 1303197.
Tape drive encryption is a hardware topic addressed by the documentation for 
the particular drive model, as in recent 3592 model variants.

Richard Sims




Re: Verifying IBM TSM Encryption types

2011-08-01 Thread Richard Sims
TSM client encryption can be verified per IBM Technote 1303197.
Tape drive encryption is a hardware topic addressed by the documentation for 
the particular drive model, as in recent 3592 model variants.

Richard Sims


Verifying IBM TSM Encryption types

2011-08-01 Thread terrance
How can I retrieve all the information about what kind of encryption method 
or type is in use on my TSM server?
What I mean is: how do I check whether the backup data stored on tape is 
encrypted or not?
Isn't it related to the default encryption method AES 128 or the alternative 
encryption method DES56?
Or else is it related to AME, LME or SME?
Please provide me the method or command, or even the file's path, to verify or 
justify the information above.
Thank you.



Re: tape encryption in TSM environment

2011-06-13 Thread Remco Post
On 13 jun 2011, at 21:53, Keith Arbogast wrote:

> Someone here is not willing to bet his career on the reliability of a TSM 
> server managed encryption key. He reasons that if a key is lost on the TSM 
> server side of backups, the data could not be recovered, and we would be 
> accountable. If a client admin loses an encryption key, he is accountable. So 
> we do not use drive-based encryption, and tell our customers to use 
> client-based encryption, specifying 'encryptkey save'.  
> 
> I cannot guarantee that TSM will never lose an application managed encryption 
> key.  Am I missing something?  
> 
> With my thanks,
> Keith Arbogast


If your devclass has drive encryption set to on, the database backups are still 
unencrypted, so the chances of recovering your database are still as good as 
they were without encryption. 

-- 
Met vriendelijke groeten/Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622


Re: tape encryption in TSM environment

2011-06-13 Thread Shawn Drew
With TSM, you are already assuming the database will be consistent to be
able to restore anything, encryption or not.
TSM isn't more or less likely to lose an application managed encryption
key than it is to lose an inventory reference to any particular file.

With Application managed encryption, you are storing the keys in the TSM
DB along with all the other metadata, so you aren't adding any points of
failure.
You will need to protect your database using different storage since it
won't be encrypted. (I.E. on disk/VTL with offsite replication or
something like that)

With encryptkey=save, the key is stored on the filesystem and, as a
result, in the normal TSM backups. One could argue that this has more points
of failure (the TSM database reference and the storage media that the
key is actually stored on) as opposed to only in the TSM DB.

Even if your goal is only to offload responsibility to the customer, when
their keyfile gets corrupted, they'll come to TSM to restore the key
anyway. And if it is Windows, who wants to restore a registry?!

random encryption ramblings...


Regards,
Shawn

Shawn Drew




From: warbo...@indiana.edu
Sent by: ADSM-L@VM.MARIST.EDU
Date: 06/13/2011 03:53 PM
Please respond to: ADSM-L@VM.MARIST.EDU
To: ADSM-L
Subject: Re: [ADSM-L] tape encryption in TSM environment

Someone here is not willing to bet his career on the reliability of a TSM
server managed encryption key. He reasons that if a key is lost on the TSM
server side of backups, the data could not be recovered, and we would be
accountable. If a client admin loses an encryption key, he is accountable.
So we do not use drive-based encryption, and tell our customers to use
client-based encryption, specifying 'encryptkey save'.

I cannot guarantee that TSM will never lose an application managed
encryption key.  Am I missing something?

With my thanks,
Keith Arbogast





Re: tape encryption in TSM environment

2011-06-13 Thread Keith Arbogast
Someone here is not willing to bet his career on the reliability of a TSM 
server managed encryption key. He reasons that if a key is lost on the TSM 
server side of backups, the data could not be recovered, and we would be 
accountable. If a client admin loses an encryption key, he is accountable. So 
we do not use drive-based encryption, and tell our customers to use 
client-based encryption, specifying 'encryptkey save'.  

I cannot guarantee that TSM will never lose an application managed encryption 
key.  Am I missing something?  

With my thanks,
Keith Arbogast


Re: tape encryption in TSM environment

2011-06-13 Thread David Longo
Just a reminder also, that "Encryption" on a 3584/3500 library is 
another Feature Code for the library - to be purchased.

David Longo

>>> Howard Coles  6/13/2011 2:51 PM >>>
Using a TKLM server you can point your Library to the IP address of the
server, and it will handle the keys, so that even your TSM DB backup
tape is encrypted.  
(as some have asked this as well):
You do have to tell the Library where the Encryption Key servers are,
and then modify the Logical library's Encryption policy.  We've had one
instance where we had to reconfigure the logical library after a
firmware update (to support LTO4s).

From all I've seen the performance hit isn't noticeable; I think the
compression affects it more, and that's very minimal if any.

As far as whether it's needed or not, the answer is yes, as Wanda said,
if you are in our case and have regulatory requirements. Even without
them it's a good idea. Gives the execs a warm and fuzzy about trade
secrets, customer data, etc. etc. We now have it running at three
sites, and so far so good. You just have to have hardware drives that
support that kind of encryption.


See Ya'
Howard Coles Jr., RHCE, CNE, CDE
John 3:16!

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Mehdi Salehi
Sent: Sunday, June 12, 2011 11:13 PM
To: ADSM-L@VM.MARIST.EDU 
Subject: Re: [ADSM-L] tape encryption in TSM environment

How much performance degradation would there be if encryption is on?
Although it is the duty of the drive itself (I suppose), it might have a
negative influence on backup and even restore performance?





Re: tape encryption in TSM environment

2011-06-13 Thread Nast, Jeff P.
We are using TKLM (Tickle 'em) also.

Compression first, then encryption. I was told our 3592-E06 (TS1130)
drives would experience <1% degradation (negligible) in performance
while encrypting. Your tape drive model/manufacturer experience may
vary, but probably not much.

I agree with Howard on the "warm fuzzy"... All tape handling
inside/outside our facilities is done by us. But still, if someone were
to lose one... Being a health organization, losing PHI (Patient Health
Information) would be a bit embarrassing. I found that management was
quite cooperative when asking for funding to encrypt.

-Jeff



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@vm.marist.edu] On Behalf Of
Howard Coles
Sent: Monday, June 13, 2011 1:52 PM
To: ADSM-L@vm.marist.edu
Subject: Re: [ADSM-L] tape encryption in TSM environment

Using a TKLM server you can point your Library to the IP address of the
server, and it will handle the keys, so that even your TSM DB backup
tape is encrypted.  
(as some have asked this as well):
You do have to tell the Library where the Encryption Key servers are,
and then modify the Logical library's Encryption policy.  We've had one
instance where we had to reconfigure the logical library after a
firmware update (to support LTO4s).

From all I've seen the performance hit isn't noticeable; I think the
compression affects it more, and that's very minimal if any.

As far as whether it's needed or not, the answer is yes, as Wanda said,
if you are in our case and have regulatory requirements. Even without
them it's a good idea. Gives the execs a warm and fuzzy about trade
secrets, customer data, etc. etc. We now have it running at three
sites, and so far so good. You just have to have hardware drives that
support that kind of encryption.


See Ya'
Howard Coles Jr., RHCE, CNE, CDE
John 3:16!

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Mehdi Salehi
Sent: Sunday, June 12, 2011 11:13 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

How much performance degradation would there be if encryption is on?
Although it is the duty of the drive itself (I suppose), it might have a
negative influence on backup and even restore performance?


Re: tape encryption in TSM environment

2011-06-13 Thread Howard Coles
Using a TKLM server you can point your Library to the IP address of the
server, and it will handle the keys, so that even your TSM DB backup
tape is encrypted.  
(as some have asked this as well):
You do have to tell the Library where the Encryption Key servers are,
and then modify the Logical library's Encryption policy.  We've had one
instance where we had to reconfigure the logical library after a
firmware update (to support LTO4s).

From all I've seen the performance hit isn't noticeable; I think the
compression affects it more, and that's very minimal if any.

As far as whether it's needed or not, the answer is yes, as Wanda said,
if you are in our case and have regulatory requirements. Even without
them it's a good idea. Gives the execs a warm and fuzzy about trade
secrets, customer data, etc. etc. We now have it running at three
sites, and so far so good. You just have to have hardware drives that
support that kind of encryption.


See Ya'
Howard Coles Jr., RHCE, CNE, CDE
John 3:16!

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Mehdi Salehi
Sent: Sunday, June 12, 2011 11:13 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

How much performance degradation would there be if encryption is on?
Although it is the duty of the drive itself (I suppose), it might have a
negative influence on backup and even restore performance?


Re: tape encryption in TSM environment

2011-06-13 Thread Prather, Wanda
Yes.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Keith 
Arbogast
Sent: Monday, June 13, 2011 8:20 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

I thought a setup step was required on the 3584 to:  [+] Library / Logical 
Libraries / Modify Encryption Method / Application-Managed  

Yes/No?

Keith


Re: tape encryption in TSM environment

2011-06-13 Thread Prather, Wanda
Encryption is done outboard in the drive, just like drive compression is done 
outboard in the drive.
No impact on backup or restore performance.


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Mehdi 
Salehi
Sent: Monday, June 13, 2011 12:13 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

How much performance degradation would there be if encryption is on? Although 
it is the duty of the drive itself (I suppose), it might have a negative 
influence on backup and even restore performance?


Re: tape encryption in TSM environment

2011-06-13 Thread Keith Arbogast
I thought a setup step was required on the 3584 to:  [+] Library / Logical 
Libraries / Modify Encryption Method / Application-Managed  

Yes/No?

Keith

Re: tape encryption in TSM environment

2011-06-13 Thread Robert J Molerio
ekm encryption is negligible. not sure about tklm. any takers on that?

On Mon, Jun 13, 2011 at 12:13 AM, Mehdi Salehi  wrote:

> How much performance degradation would there be if encryption is on? Although
> it is the duty of the drive itself (I suppose), it might have a negative
> influence on backup and even restore performance?
>


Re: tape encryption in TSM environment

2011-06-12 Thread Mehdi Salehi
How much performance degradation would there be if encryption is on? Although
it is the duty of the drive itself (I suppose), it might have a negative
influence on backup and even restore performance?


Re: tape encryption in TSM environment

2011-06-12 Thread Prather, Wanda
In the US, encryption also covers a regulatory issue.  Many states now have 
laws that spell out the responsibilities of sites to protect "personally 
identifiable information" (information about persons including their financial 
info, medical info, etc.)

The short version is that if a tape goes missing and is not encrypted, the 
company is legally liable.
If the tape goes missing but is encrypted, no problem.

You can turn on encryption for 3592 and LTO tape drives just by adding the 
appropriate parms to the device class in TSM.  Very, very easy way to eliminate 
the legal issue.  

As a result, most of my customers who send tapes offsite use TSM encryption.  
The ones with the most sensitive data (financial and medical companies) use 
encryption for tapes that stay onsite, as well.   


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Remco 
Post
Sent: Sunday, June 12, 2011 3:39 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] tape encryption in TSM environment

Hi,

On 12 jun 2011, at 05:53, Mehdi Salehi wrote:

> Hi,
> Tape volumes cannot be accessed if there is no TSM database. If that 
> happens,

This is not exactly true. The tapes can be accessed. IBM just claims that it's 
hard/impossible to make sense of the data. That may or may not be true. There 
are some open source tools that do exactly that.

> restoring the database and gaining access to data seem to be very 
> difficult (at least for me ;) ). Do you think encryption feature of 
> tape drives has any value in TSM environments?
> 

Depending on your level of paranoia, and whether or not you're shipping tapes 
off-site frequently, yes.

> Thank you,
> Mehdi

--
Met vriendelijke groeten/Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622


Re: tape encryption in TSM environment

2011-06-12 Thread Robert J Molerio
Yes, but you need to use TKLM or its MF equivalent to be of value, unless you
use an appliance.

On 6/11/11, Mehdi Salehi  wrote:
> Hi,
> Tape volumes cannot be accessed if there is no TSM database. If that happens,
> restoring the database and gaining access to data seem to be very difficult
> (at least for me ;) ). Do you think the encryption feature of tape drives has
> any value in TSM environments?
>
> Thank you,
> Mehdi
>

--
Sent from my mobile device

Thank you,

Bob Molerio
Systems Administrator
New York University
ITS Computer Facilities Services/Infrastructure
Level C-2
75 Third Avenue
New York NY 10003-5527
email:robert.mole...@nyu.edu 


Re: tape encryption in TSM environment

2011-06-12 Thread Remco Post
Hi,

On 12 jun 2011, at 05:53, Mehdi Salehi wrote:

> Hi,
> Tape volumes cannot be accessed if there is no TSM database. If that happens,

This is not exactly true. The tapes can be accessed. IBM just claims that it's 
hard/impossible to make sense of the data. That may or may not be true. There 
are some open source tools that do exactly that.

> restoring the database and gaining access to data seem to be very difficult
> (at least for me ;) ). Do you think encryption feature of tape drives has
> any value in TSM environments?
> 

Depending on your level of paranoia, and whether or not you're shipping tapes 
off-site frequently, yes.

> Thank you,
> Mehdi

-- 
Met vriendelijke groeten/Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622


tape encryption in TSM environment

2011-06-11 Thread Mehdi Salehi
Hi,
Tape volumes cannot be accessed if there is no TSM database. If that happens,
restoring the database and gaining access to data seem to be very difficult
(at least for me ;) ). Do you think the encryption feature of tape drives has
any value in TSM environments?

Thank you,
Mehdi


Re: ORACLE Encryption

2010-02-01 Thread Grigori Solonovitch
I am using the InclExcl list for include.encrypt. For example:

include * AIX
include /.../* FSLPAR05
include /ifns_ifns/.../* DBLPAR05
include /patm_patm/.../* DBLPAR05
include /ptel_ptel/.../* DBLPAR05
exclude.dir /home/oracle/admin/ifns/adump
exclude.dir /home/oracle/admin/patm/adump
exclude.dir /home/oracle/admin/ptel/adump
exclude.dir /home/oracle/product
exclude.compression *.Z
exclude.compression /backup05/ias/FS.*
include.encrypt /ifns_ifns/.../*
include.encrypt /patm_patm/.../*
include.encrypt /ptel_ptel/.../*
include.encrypt *.dmp.Z

It means I have include.encrypt in the include/exclude list for both file 
systems and databases.

Grigori G. Solonovitch

Senior Technical Architect

Information Technology  Bank of Kuwait and Middle East  http://www.bkme.com

Phone: (+965) 2231-2274  Mobile: (+965) 99798073  E-Mail: g.solonovi...@bkme.com


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Fred 
Johanson
Sent: Monday, February 01, 2010 5:41 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] ORACLE Encryption

We register the TDPO as a distinct client.  Most are on various flavors of 
UNIX.  So where do we put the "include.encrypt"?  Does it go in the dsmi_opt 
file or an inclexcl file referenced in that file?  The manual isn't very clear.



Fred Johanson
TSM Administrator
University of Chicago

773-702-8464



Re: ORACLE Encryption

2010-02-01 Thread Mark Yakushev
Hi Fred,

To encrypt all files, add the following options to dsm.sys

ENABLECLIENTENCRYPTKEY YES
include.encrypt /.../*

Regards,

Mark


From: Fred Johanson 
To:   ADSM-L@vm.marist.edu
Date: 02/01/2010 06:42 AM
Subject:[ADSM-L] ORACLE Encryption



We register the TDPO as a distinct client.  Most are on various flavors of
UNIX.  So where do we put the "include.encrypt"?  Does it go in the
dsmi_opt file or an inclexcl file referenced in that file?  The manual
isn't very clear.



Fred Johanson
TSM Administrator
University of Chicago

773-702-8464
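
The two answers above (Grigori's include.encrypt/exclude.compression list and Mark's "include.encrypt /.../*") raise the practical question of which files a given list actually encrypts, compresses and backs up. The following is an added example, not code from the thread or from IBM: a small evaluator that models the client's bottom-up, first-match walk of the list. Its matching rules are the editor's simplified assumptions, not IBM's documented implementation: '*' and '?' never cross '/', '/.../' matches zero or more directory levels, a pattern with no leading '/' matches in any directory (as the poster's "*.dmp.Z" evidently intends), nothing is encrypted unless an include.encrypt statement matches, and compression is assumed on (COMPRESSION YES) unless excluded.

```python
"""Simplified model of how a TSM client walks an include-exclude list.
Editor's added example; the matching semantics are assumptions (see lead-in).
"""
import re

# Constructed input: Grigori's list from the thread, as posted.
GRIGORI_LIST = """\
include * AIX
include /.../* FSLPAR05
include /ifns_ifns/.../* DBLPAR05
include /patm_patm/.../* DBLPAR05
include /ptel_ptel/.../* DBLPAR05
exclude.dir /home/oracle/admin/ifns/adump
exclude.dir /home/oracle/admin/patm/adump
exclude.dir /home/oracle/admin/ptel/adump
exclude.dir /home/oracle/product
exclude.compression *.Z
exclude.compression /backup05/ias/FS.*
include.encrypt /ifns_ifns/.../*
include.encrypt /patm_patm/.../*
include.encrypt /ptel_ptel/.../*
include.encrypt *.dmp.Z
"""

# Constructed input: Mark's "encrypt everything" statement.
ENCRYPT_ALL_LIST = "include.encrypt /.../*\n"

# Each statement keyword belongs to one independently evaluated list.
KIND_OF = {
    "include": "backup", "exclude": "backup", "exclude.dir": "backup",
    "include.backup": "backup", "exclude.backup": "backup",
    "include.encrypt": "encrypt", "exclude.encrypt": "encrypt",
    "include.compression": "compress", "exclude.compression": "compress",
}


def pattern_to_regex(pattern):
    """Translate one TSM-style path pattern into an anchored regex."""
    if not pattern.startswith("/"):
        pattern = "/.../" + pattern          # assumption: bare pattern, any directory
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/.../", i):
            parts.append("/(?:[^/]+/)*")    # zero or more directory levels
            i += 5
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append("[^/]*")           # any characters within one name
        elif ch == "?":
            parts.append("[^/]")            # exactly one character
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_list(text):
    """Return {kind: [(is_include, regex), ...]} in file order."""
    rules = {"backup": [], "encrypt": [], "compress": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # blank line or comment
            continue
        fields = line.split()
        keyword = fields[0].lower()
        if keyword not in KIND_OF or len(fields) < 2:
            continue                            # option this model does not evaluate
        pattern = fields[1]
        if keyword == "exclude.dir":            # the directory and everything below it
            pattern = pattern.rstrip("/") + "/.../*"
        rules[KIND_OF[keyword]].append((keyword.startswith("include"),
                                        pattern_to_regex(pattern)))
    return rules


def decide(rules, kind, path, default):
    """Bottom-up walk of one list: the last matching statement in file order wins."""
    for is_include, regex in reversed(rules[kind]):
        if regex.match(path):
            return is_include
    return default


def evaluate(rules, path):
    """Say whether a file is backed up, encrypted and compressed under the list."""
    return {
        "backup": decide(rules, "backup", path, True),
        "encrypt": decide(rules, "encrypt", path, False),
        "compress": decide(rules, "compress", path, True),
    }


GRIGORI_RULES = parse_list(GRIGORI_LIST)
ENCRYPT_ALL_RULES = parse_list(ENCRYPT_ALL_LIST)

if __name__ == "__main__":
    # Constructed sample paths; none of them come from the thread.
    for path in ("/ifns_ifns/data/system01.dbf", "/export/dumps/ifns_full.dmp.Z",
                 "/backup05/ias/FS.tar.Z", "/home/oracle/product/bin/sqlplus",
                 "/etc/hosts"):
        print(f"{path:40} {evaluate(GRIGORI_RULES, path)}")
```

Note that under Grigori's list a dump outside the three database file systems is encrypted only if its name ends in .dmp.Z, while Mark's single statement encrypts everything the node backs up.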


ORACLE Encryption

2010-02-01 Thread Fred Johanson
We register the TDPO as a distinct client.  Most are on various flavors of 
UNIX.  So where do we put the "include.encrypt"?  Does it go in the dsmi_opt 
file or an inclexcl file referenced in that file?  The manual isn't very clear.



Fred Johanson
TSM Administrator
University of Chicago

773-702-8464


Re: Encryption

2010-01-20 Thread Len Boyle
We are working on setting up encryption with LTO4's and we are using multiple 
backup products so there are several different methods to control encryption. 

Several emails in the recent past talk about how to encrypt or not using the 
tools within TSM. 
If you are not using tsm's application encryption support you can control 
encryption with bar code rules if using a 3584 tape library. 
If you are using netbackup or networker you can use the volume pool id data 
written in the tape label for this control. 

For TS3310 tape libraries there is no bar code support that I have found. 

Len

PS The last time I checked, hardware encryption in LTO4's is at no extra cost. 
If going by the rule of a new LTO tape drive every two years, the LTO5 tape 
drive should have been released in 2009. Rumor has it that they should be 
released in 2010. 

See the url www.lto.org for a little bit more info.

len

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Howard 
Coles
Sent: Wednesday, January 20, 2010 12:59 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption

Good question, I was about to ask that same thing.  

We're about to put in LTO4's at our main DC (wanted to go VTL or Disk,
but . . . ).  My boss has already spec'd and priced out getting the
Hardware encryption, but I'd like to know if that's the best route.  The
question is if we did that how would we create an unencrypted backupset
(for example if it had to be produced for a legal proceeding)?  I'm
thinking the encryption options would depend on TSM application
encryption, or did I miss some of that previous thread?

See Ya'
Howard Coles Jr.
John 3:16!


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
Scott Bellew
Sent: Wednesday, January 20, 2010 11:34 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption

Hi Joni,
We use Application Managed Encryption, with IBM 3584 library and LTO4
drives. This only works for a storage pool with DRIVEENCRYPTION=ON. It
does not encrypt the db backup tape. TSM handles the keys. We use this
for off-site archive tapes.  Currently in the process of recalling all
LTO2 archive tapes and moving them to LTO4 tapes in this Encrypted
storage pool.
Not hard to set up.  Check out this link:
http://www-01.ibm.com/support/docview.wss?rs=663&uid=swg27009625

---
Scott Bellew
Systems Programmer
Information Systems
Regional Health



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
Moyer, Joni M
Sent: Tuesday, January 12, 2010 6:51 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption

Hello everyone,

I am beginning the process of deciding upon a method of encryption.  I
was just wondering if anyone utilizes TSM to encrypt data?  It seems to
be quite a cumbersome method of encryption...

I was also wondering if anyone was using hardware encryption in their
environments?  And what type of set up do you have?

Thanks in advance

Joni Moyer
Storage Administrator III
(717)302-9966
joni.mo...@highmark.com





Re: Encryption

2010-01-20 Thread Howard Coles
Good question, I was about to ask that same thing.  

We're about to put in LTO4's at our main DC (wanted to go VTL or Disk,
but . . . ).  My boss has already spec'd and priced out getting the
Hardware encryption, but I'd like to know if that's the best route.  The
question is if we did that how would we create an unencrypted backupset
(for example if it had to be produced for a legal proceeding)?  I'm
thinking the encryption options would depend on TSM application
encryption, or did I miss some of that previous thread?

See Ya'
Howard Coles Jr.
John 3:16!


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
Scott Bellew
Sent: Wednesday, January 20, 2010 11:34 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Encryption

Hi Joni,
We use Application Managed Encryption, with IBM 3584 library and LTO4
drives. This only works for a storage pool with DRIVEENCRYPTION=ON. It
does not encrypt the db backup tape. TSM handles the keys. We use this
for off-site archive tapes.  Currently in the process of recalling all
LTO2 archive tapes and moving them to LTO4 tapes in this Encrypted
storage pool.
Not hard to set up.  Check out this link:
http://www-01.ibm.com/support/docview.wss?rs=663&uid=swg27009625

---
Scott Bellew
Systems Programmer
Information Systems
Regional Health



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
Moyer, Joni M
Sent: Tuesday, January 12, 2010 6:51 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption

Hello everyone,

I am beginning the process of deciding upon a method of encryption.  I
was just wondering if anyone utilizes TSM to encrypt data?  It seems to
be quite a cumbersome method of encryption...

I was also wondering if anyone was using hardware encryption in their
environments?  And what type of set up do you have?

Thanks in advance

Joni Moyer
Storage Administrator III
(717)302-9966
joni.mo...@highmark.com





Re: Encryption

2010-01-20 Thread Scott Bellew
Hi Joni,
We use Application Managed Encryption, with IBM 3584 library and LTO4 drives. 
This only works for a storage pool with DRIVEENCRYPTION=ON. It does not encrypt 
the db backup tape. TSM handles the keys. We use this for off-site archive 
tapes.  Currently in the process of recalling all LTO2 archive tapes and moving 
them to LTO4 tapes in this Encrypted storage pool.
Not hard to set up.  Check out this link:  
http://www-01.ibm.com/support/docview.wss?rs=663&uid=swg27009625

---
Scott Bellew
Systems Programmer
Information Systems
Regional Health



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Moyer, 
Joni M
Sent: Tuesday, January 12, 2010 6:51 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Encryption

Hello everyone,

I am beginning the process of deciding upon a method of encryption.  I was just 
wondering if anyone utilizes TSM to encrypt data?  It seems to be quite a 
cumbersome method of encryption...

I was also wondering if anyone was using hardware encryption in their 
environments?  And what type of set up do you have?

Thanks in advance

Joni Moyer
Storage Administrator III
(717)302-9966
joni.mo...@highmark.com





Re: Turning Encryption Off/On

2010-01-14 Thread adsm mailing list
I configured dedicated Device classes and storage pools because of the 
following note in the Admin guide.


When using encryption-capable drives with a supported encryption method, a new 
format will be used to write encrypted data to tapes. If data is written to 
volumes using the new format and if the volumes are then returned to scratch, 
they will contain labels that are only readable by encryption-enabled drives. 
To use these scratch volumes in a drive that is not enabled for encryption, 
either because the hardware is not capable of encryption or because the 
encryption method is set to NONE, you must relabel the volumes.



From: ADSM: Dist Stor Manager [ads...@vm.marist.edu] on behalf of Wanda Prather 
[wanda.prat...@jasi.com]
Sent: 13 January 2010 14:09
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

This is for TSM-managed encryption (the library is set to
application-managed).
You only need 1 set of scratch tapes.

One library, two storage pools, two devclasses, one encrypted, one not.
Same pool of scratch tapes.

When an encrypted tape goes scratch and comes back from the vault, it can be
reused non-encrypted.
(I think that is because the label isn't encrypted, just the data.)
TSM DB backups are never encrypted, either.

Works fine.  Beauty of TSM-managed encryption; easy peasy.  Set it and
forget it.






On Wed, Jan 13, 2010 at 6:06 AM, Stefan Folkerts wrote:

> I don't think you can have two devices classes (one with and one without
> encryption) sharing the same pool of scratch volumes (one logical library)
> using LTO hardware encryption.
> This is because the volume label on the tape is either written encrypted or
> it is not, I don't think the non-encrypted deviceclass is able to write to
> a scratch tape labeled within an encrypted deviceclass configuration because
> the first thing it does is check the label, that's encrypted so label
> doesn't match eject -> set to private, next volume please...etc etc.
>
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Druckenmiller, David
> Sent: Tuesday, 12 January 2010 18:07
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Using hardware encryption, managed by TSM.
>
> Are you saying I can have two device classes sharing the same devices?  For
> some reason, I was always under the impression that you couldn't.  But after
> scanning the help, I don't know where I came up with that notion.  That
> would definitely make things simple for me.
>
> Thanks.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Wanda Prather
> Sent: Tuesday, January 12, 2010 10:20 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Is your encryption application-managed (controlled by TSM) or
> library-managed (controlled by EKM/TKLM)?
>
> If application managed, IBM is correct, you just need a different devclass
> that specifies drive encryption OFF, pointing to the same library, and a new
> storage pool that specifies the non-encrypted devclass.
>
> I've got 4 LTO drives, onsite pool is NOT encrypted (long story there), COPY
> pool IS encrypted.  No biggie.
>
> W
>
>
> On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David
> wrote:
>
> > We currently encrypt all our offsite tapes.  Mgmt wants me to create a
> > single unencrypted archive tape to be stored offsite long term for
> > litigation reasons.
> >
> > My question is:  If I turn off encryption long enough to get some data
> > written to this one tape, then turn encryption back on, could I then
> > continue to write unencrypted data to this one tape while all other tapes
> > would be encrypted?
> >
> > IBM is being non-committal saying we should really use new device class,
> > but I'd then have to move one tape drive over to new class each time I want
> > to write unencrypted.
> >
> > TSM 5.5.3
> > AIX 6.1
> > Tapes are LTO4
> >
> > Thanks
> > Dave
> >
> > -
> > CONFIDENTIALITY NOTICE: This email and any attachments may contain
> > confidential information that is protected by law and is for the
> > sole use of the individuals or entities to which it is addressed.
> > If you are not the intended recipient, please notify the sender by
> > replying to this email and destroying all copies of the
> > communication and attachments. Further use, disclosure, copying,
> > distribution of, or reliance upon the contents of this email and
> > attachments is strictly prohibited. To contact Albany Medical
> > Center, or for a copy of our privacy practices, please visit us on
> > the Internet at www.amc.edu.
> >
>


Re: [adsm] Re: Encryption

2010-01-13 Thread Lloyd Dieter
Actually, the encryption isn't bad from a performance perspective.  In our 
testing, enabling encryption only incurred a 5-10% performance penalty.

The real issues come from the fact that encrypted data doesn't compress, so if 
you encrypt on the client without using client compression, your tape usage 
will likely increase.  And if you encrypt AND compress on the client, then you 
get hit with a significant client performance penalty...but it's the 
compression that kills you, not the encryption.

But you're right...doing it on the drive is usually a much better way to go.

-Lloyd


On Tue, 12 Jan 2010 10:13:39 -0500
Wanda Prather  wrote:

> Encryption with the client is very CPU intensive, both on backup and on
> restore.
>
> If you have LTO4 or 3592 tape, or STK tape drives that encrypt, it is far,
> far better to do it in the hardware.
>
> W
>
> On Tue, Jan 12, 2010 at 8:50 AM, Moyer, Joni M wrote:
>
> > Hello everyone,
> >
> > I am beginning the process of deciding upon a method of encryption.  I was
> > just wondering if anyone utilizes TSM to encrypt data?  It seems to be quite
> > a cumbersome method of encryption...
> >
> > I was also wondering if anyone was using hardware encryption in their
> > environments?  And what type of set up do you have?
> >
> > Thanks in advance
> >
> > Joni Moyer
> > Storage Administrator III
> > (717)302-9966
> > joni.mo...@highmark.com
> >
> >
> > 
> > This e-mail and any attachments to it are confidential and are intended
> > solely for use of the individual or entity to whom they are addressed. If
> > you have received this e-mail in error, please notify the sender immediately
> > and then delete it. If you are not the intended recipient, you must not
> > keep, use, disclose, copy or distribute this e-mail without the author's
> > prior permission. The views expressed in this e-mail message do not
> > necessarily represent the views of Highmark Inc., its subsidiaries, or
> > affiliates.
> >


Re: Turning Encryption Off/On

2010-01-13 Thread Wanda Prather
This is for TSM-managed encryption (the library is set to
application-managed).
You only need 1 set of scratch tapes.

One library, two storage pools, two devclasses, one encrypted, one not.
Same pool of scratch tapes.

When an encrypted tape goes scratch and comes back from the vault, it can be
reused non-encrypted.
(I think that is because the label isn't encrypted, just the data.)
TSM DB backups are never encrypted, either.

Works fine.  Beauty of TSM-managed encryption; easy peasy.  Set it and
forget it.






On Wed, Jan 13, 2010 at 6:06 AM, Stefan Folkerts wrote:

> I don't think you can have two device classes (one with and one without
> encryption) sharing the same pool of scratch volumes (one logical library)
> using LTO hardware encryption.
> This is because the volume label on the tape is either written encrypted or
> it is not. I don't think the non-encrypted deviceclass is able to write to
> a scratch tape labeled within an encrypted deviceclass configuration, because
> the first thing it does is check the label; that's encrypted, so the label
> doesn't match: eject -> set to private, next volume please... etc. etc.
>
>
>
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Druckenmiller, David
> Sent: Tuesday, 12 January 2010 18:07
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Using hardware encryption, managed by TSM.
>
> Are you saying I can have two device classes sharing the same devices?  For
> some reason, I was always under the impression that you couldn't.  But after
> scanning the help, I don't know where I came up with that notion.  That
> would definitely make things simple for me.
>
> Thanks.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Wanda Prather
> Sent: Tuesday, January 12, 2010 10:20 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Is your encryption application-managed (controlled by TSM) or
> library-managed (controlled by EKM/TKLM)?
>
> If application managed, IBM is correct, you just need a different devclass
> that specifies drive encryption OFF, pointing to the same library, and a new
> storage pool that specifies the non-encrypted devclass.
>
> I've got 4 LTO drives, onsite pool is NOT encrypted (long story there), COPY
> pool IS encrypted.  No biggie.
>
> W
>
>
> On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David
> wrote:
>
> > We currently encrypt all our offsite tapes.  Mgmt wants me to create a
> > single unencrypted archive tape to be stored offsite long term for
> > litigation reasons.
> >
> > My question is:  If I turn off encryption long enough to get some data
> > written to this one tape, then turn encryption back on, could I then
> > continue to write unencrypted data to this one tape while all other tapes
> > would be encrypted?
> >
> > IBM is being non-committal saying we should really use new device class,
> > but I'd then have to move one tape drive over to new class each time I want
> > to write unencrypted.
> >
> > TSM 5.5.3
> > AIX 6.1
> > Tapes are LTO4
> >
> > Thanks
> > Dave
> >
> >
>


Re: Turning Encryption Off/On

2010-01-13 Thread Stefan Folkerts
I don't think you can have two device classes (one with and one without 
encryption) sharing the same pool of scratch volumes (one logical library) 
using LTO hardware encryption.
This is because the volume label on the tape is either written encrypted or it 
is not. I don't think the non-encrypted deviceclass is able to write to a 
scratch tape labeled within an encrypted deviceclass configuration, because the 
first thing it does is check the label; that's encrypted, so the label doesn't 
match: eject -> set to private, next volume please... etc. etc.




-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of 
Druckenmiller, David
Sent: Tuesday, 12 January 2010 18:07
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

Using hardware encryption, managed by TSM.

Are you saying I can have two device classes sharing the same devices?  For 
some reason, I was always under the impression that you couldn't.  But after 
scanning the help, I don't know where I came up with that notion.  That would 
definitely make things simple for me.

Thanks.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Wanda 
Prather
Sent: Tuesday, January 12, 2010 10:20 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

Is your encryption application-managed (controlled by TSM) or
library-managed (controlled by EKM/TKLM)?

If application managed, IBM is correct, you just need a different devclass
that specifies drive encryption OFF, pointing to the same library, and a new
storage pool that specifies the non-encrypted devclass.

I've got 4 LTO drives, onsite pool is NOT encrypted (long story there), COPY
pool IS encrypted.  No biggie.

W


On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David
wrote:

> We currently encrypt all our offsite tapes.  Mgmt wants me to create a
> single unencrypted archive tape to be stored offsite long term for
> litigation reasons.
>
> My question is:  If I turn off encryption long enough to get some data
> written to this one tape, then turn encryption back on, could I then
> continue to write unencrypted data to this one tape while all other tapes
> would be encrypted?
>
> IBM is being non-committal saying we should really use new device class,
> but I'd then have to move one tape drive over to new class each time I want
> to write unencrypted.
>
> TSM 5.5.3
> AIX 6.1
> Tapes are LTO4
>
> Thanks
> Dave
>
>


Re: Turning Encryption Off/On

2010-01-12 Thread Wanda Prather
Yes.

Storage pool => Device class=> Library => drives

Anything you create in the storage pool, is encrypted or not based on the
devclass settings.

If you need a sample of definitions, will be happy to send them.

On Tue, Jan 12, 2010 at 12:06 PM, Druckenmiller, David  wrote:

> Using hardware encryption, managed by TSM.
>
> Are you saying I can have two device classes sharing the same devices?  For
> some reason, I was always under the impression that you couldn't.  But after
> scanning the help, I don't know where I came up with that notion.  That
> would definitely make things simple for me.
>
> Thanks.
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of
> Wanda Prather
> Sent: Tuesday, January 12, 2010 10:20 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Turning Encryption Off/On
>
> Is your encryption application-managed (controlled by TSM) or
> library-managed (controlled by EKM/TKLM)?
>
> If application managed, IBM is correct, you just need a different devclass
> that specifies drive encryption OFF, pointing to the same library, and a new
> storage pool that specifies the non-encrypted devclass.
>
> I've got 4 LTO drives, onsite pool is NOT encrypted (long story there), COPY
> pool IS encrypted.  No biggie.
>
> W
>
>
> On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David
> wrote:
>
> > We currently encrypt all our offsite tapes.  Mgmt wants me to create a
> > single unencrypted archive tape to be stored offsite long term for
> > litigation reasons.
> >
> > My question is:  If I turn off encryption long enough to get some data
> > written to this one tape, then turn encryption back on, could I then
> > continue to write unencrypted data to this one tape while all other tapes
> > would be encrypted?
> >
> > IBM is being non-committal saying we should really use new device class,
> > but I'd then have to move one tape drive over to new class each time I want
> > to write unencrypted.
> >
> > TSM 5.5.3
> > AIX 6.1
> > Tapes are LTO4
> >
> > Thanks
> > Dave
> >
> >
>
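A sample of the definitions Wanda describes (one library, an encrypting and a non-encrypting device class, a storage pool on each), written here as an added dsmadmc macro; it is not Wanda's or IBM's own sample, and the names LTOLIB, LTO_ENC, LTO_CLEAR, OFFSITE_ENC, LITIGATION_CLEAR and the LITIGATION management class are placeholders.

```text
/* Added example, not from the thread: a dsmadmc macro for one LTO4 library
   serving an encrypted copy pool and a non-encrypted archive pool.
   All object names are placeholders; the library, drives and paths are
   assumed to be defined already, with the library's encryption method set
   to application-managed so that TSM (not EKM/TKLM) controls the drive keys. */

/* Two device classes on the SAME library; only DRIVEENCRYPTION differs.
   ON  = every storage pool volume written through this class is encrypted
         by the drive, with the key held in the TSM database.
   OFF = the drive writes clear text. */
define devclass LTO_ENC   devtype=LTO library=LTOLIB format=DRIVE driveencryption=ON
define devclass LTO_CLEAR devtype=LTO library=LTOLIB format=DRIVE driveencryption=OFF

/* Offsite copy pool: encrypted. Both pools draw volumes from the library's
   single scratch pool through MAXSCRATCH, which is the "one set of scratch
   tapes" point in the post: a tape that was encrypted, expired and returned
   to scratch can be picked up by LTO_CLEAR and rewritten in the clear. */
define stgpool OFFSITE_ENC LTO_ENC pooltype=COPY maxscratch=200 reclaim=60

/* Separate primary pool for the unencrypted litigation archive. A small
   MAXSCRATCH keeps it on few tapes, and RECLAIM=100 effectively disables
   reclamation so the archive tape is not rewritten unexpectedly. */
define stgpool LITIGATION_CLEAR LTO_CLEAR pooltype=PRIMARY maxscratch=5 reclaim=100 collocate=NO

/* Only the archive copy group of a dedicated management class points at the
   clear pool, so ordinary backups never land on unencrypted tape. */
define mgmtclass STANDARD STANDARD LITIGATION description="unencrypted legal hold"
define copygroup STANDARD STANDARD LITIGATION type=ARCHIVE destination=LITIGATION_CLEAR retver=NOLIMIT
activate policyset STANDARD STANDARD

/* Verify which class encrypts: "Drive Encryption" shows On or Off. */
query devclass LTO_ENC format=detailed
query devclass LTO_CLEAR format=detailed

/* Audit which volumes hold clear-text data and where they are. */
query volume stgpool=LITIGATION_CLEAR format=detailed

/* As the post notes, the DB backup itself is written unencrypted even through
   the encrypting class: the drive keys live in that database, so it must stay
   readable on its own. Protect DB backup tapes accordingly. */
backup db devclass=LTO_ENC type=full
```

Run it with dsmadmc -itemcommit and a macro file; the two query devclass lines are the quickest check that the encryption flag landed on the intended class.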


Re: Turning Encryption Off/On

2010-01-12 Thread Druckenmiller, David
Using hardware encryption, managed by TSM.

Are you saying I can have two device classes sharing the same devices?  For 
some reason, I was always under the impression that you couldn't.  But after 
scanning the help, I don't know where I came up with that notion.  That would 
definitely make things simple for me.

Thanks.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Wanda 
Prather
Sent: Tuesday, January 12, 2010 10:20 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Turning Encryption Off/On

Is your encryption application-managed (controlled by TSM) or
library-managed (controlled by EKM/TKLM)?

If application managed, IBM is correct, you just need a different devclass
that specifies drive encryption OFF, pointing to the same library, and a new
storage pool that specifies the non-encrypted devclass.

I've got 4 LTO drives, onsite pool is NOT encrypted (long story there), COPY
pool IS encrypted.  No biggie.

W


On Tue, Jan 12, 2010 at 9:10 AM, Druckenmiller, David
wrote:

> We currently encrypt all our offsite tapes.  Mgmt wants me to create a
> single unencrypted archive tape to be stored offsite long term for
> litigation reasons.
>
> My question is:  If I turn off encryption long enough to get some data
> written to this one tape, then turn encryption back on, could I then
> continue to write unencrypted data to this one tape while all other tapes
> would be encrypted?
>
> IBM is being non-committal saying we should really use new device class,
> but I'd then have to move one tape drive over to new class each time I want
> to write unencrypted.
>
> TSM 5.5.3
> AIX 6.1
> Tapes are LTO4
>
> Thanks
> Dave
>
>

