
Tivoli Storage Manager - Client Side Encryption

TSM has the ability to encrypt data at the client node before sending it to the TSM server. There are two methods available:

1. Transparent Encryption
This is where the encryption key is managed by and stored on the TSM server. If the client node needs to be rebuilt, data can be easily restored. Data can be restored to any node that is allowed to impersonate the original node.

2. Client-Side Encryption
This is where the encryption key is manually managed and stored on the client, protected by an encryption password. This is more secure, as data can only be restored if the encryption password is known.
If the password is lost, the data cannot be restored.

To enable encryption at the client there are two parameters to set up, plus a couple of include and exclude statements for selecting which files are to be encrypted and which are not.

ENCRYPTKEY

The ENCRYPTKEY option is used to choose either transparent encryption or client-side encryption. For client-side encryption there are two values to choose from; a third value selects transparent encryption.

ENCRYPTKEY=SAVE  ( Client-Side )

This option prompts for an encryption password on the initial backup and then stores that password in the password file. The password is retrieved from this file for each subsequent backup.

ENCRYPTKEY=PROMPT ( Client-Side )

This option prompts for an encryption password on each backup and restore. To restore the data, the same password that was used when backing it up will be required.

ENCRYPTKEY=GENERATE (Transparent)

This option has TSM generate an encryption key, which is stored on and managed by the TSM server.

ENCRYPTIONTYPE

The ENCRYPTIONTYPE parameter selects which encryption algorithm is used, either DES56 or AES128, with AES128 being the stronger of the two.

Next, select which files or directories in the backup are to be encrypted.

Use the INCLUDE.ENCRYPT statement to include files and directories to be encrypted; it takes the same format as any other include statement.

Use the EXCLUDE.ENCRYPT statement to exclude files and directories from encryption; it takes the same format as any other exclude statement.

Example
ENCRYPTKEY=GENERATE
ENCRYPTIONTYPE=AES256
INCLUDE.ENCRYPT /home/.../
EXCLUDE.ENCRYPT /home/.../test.fil
INCLUDE.ENCRYPT  C:\...\*
EXCLUDE.ENCRYPT  C:\windows\...\*
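As an added example, not code from the article or from the TSM client itself, the following Python script reads a dsm.opt-style fragment in either the OPTION=VALUE notation used above or the OPTION VALUE notation, and flags the choices that weaken or complicate client encryption: a DES56 cipher, an ENCRYPTKEY value that will prompt during unattended backups, or a missing INCLUDE.ENCRYPT so that nothing is encrypted at all. The two option fragments are constructed for the example; the assumption that a line beginning with `*` is a comment, and the set of option names checked, are taken from the article's text and are not a complete model of the TSM options file.

```python
import re
from typing import Dict, List, Tuple

# Constructed TSM client options fragments (examples only, not from any real
# node). The "..." in the paths is TSM's own match-any-directory wildcard.
WEAK_OPTIONS = """\
* constructed dsm.opt fragment with two weak choices
ENCRYPTKEY=PROMPT
ENCRYPTIONTYPE=DES56
INCLUDE.ENCRYPT /home/.../*
EXCLUDE.ENCRYPT /home/.../test.fil
"""

HARDENED_OPTIONS = """\
* constructed dsm.opt fragment following the article's recommendation
ENCRYPTKEY GENERATE
ENCRYPTIONTYPE AES256
INCLUDE.ENCRYPT /home/.../*
EXCLUDE.ENCRYPT /home/.../test.fil
"""

WEAK_CIPHERS = {"DES56"}
VALID_KEY_MODES = {"SAVE", "PROMPT", "GENERATE"}


def parse_options(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Split an options fragment into scalar options (last value wins, as the
    client reads the file top to bottom) and the ordered list of
    INCLUDE.ENCRYPT / EXCLUDE.ENCRYPT statements. Accepts both the
    'OPTION=VALUE' form used in the article and the 'OPTION VALUE' form."""
    scalars: Dict[str, str] = {}
    rules: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # assumed: '*' starts a comment
            continue
        m = re.match(r"([A-Za-z.]+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2).strip()
        if key in ("INCLUDE.ENCRYPT", "EXCLUDE.ENCRYPT"):
            rules.append((key, value))          # keep path patterns as written
        else:
            scalars[key] = value.upper()
    return scalars, rules


def audit_encryption(text: str) -> List[str]:
    """Return human-readable findings about the encryption settings.
    An empty list means the fragment matches the article's recommendation
    (transparent encryption, an AES cipher, at least one INCLUDE.ENCRYPT)."""
    scalars, rules = parse_options(text)
    findings: List[str] = []

    mode = scalars.get("ENCRYPTKEY")
    if mode is None:
        findings.append("ENCRYPTKEY not set: key handling falls back to the client default")
    elif mode not in VALID_KEY_MODES:
        findings.append(f"ENCRYPTKEY={mode} is not SAVE, PROMPT or GENERATE")
    elif mode == "PROMPT":
        findings.append("ENCRYPTKEY=PROMPT: every backup and restore needs the "
                        "password typed in, so scheduled backups will stall")
    elif mode == "SAVE":
        findings.append("ENCRYPTKEY=SAVE: the password is kept only on the client; "
                        "if it is lost the data cannot be restored")

    cipher = scalars.get("ENCRYPTIONTYPE")
    if cipher is None:
        findings.append("ENCRYPTIONTYPE not set: cipher falls back to the client default")
    elif cipher in WEAK_CIPHERS:
        findings.append(f"ENCRYPTIONTYPE={cipher} is weak; use an AES encryption type")

    if not any(kind == "INCLUDE.ENCRYPT" for kind, _ in rules):
        findings.append("no INCLUDE.ENCRYPT statement: no files will be encrypted")
    return findings


if __name__ == "__main__":
    for name, fragment in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(f"== {name} ==")
        for finding in audit_encryption(fragment) or ["no findings"]:
            print("  -", finding)
```

Run against a real dsm.opt (or the client stanza of dsm.sys on UNIX) by reading the file into `audit_encryption`; the parser ignores options it does not know, so it is safe to point at a full file.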



When using client-side encryption, the encryption passwords are stored in the TSM.PWD file on UNIX or in the registry on Windows.

I would recommend using transparent encryption unless you have a specific requirement not to.

I am often asked how to prove that the data is encrypted. There is no way to do this within TSM; the only way is to use a network packet tracing tool such as Wireshark. If you are interested in how to do this, just send me an email: gelliott@spiritsoftware.biz

Author: gkelliott
