Tivoli Storage Manager - Client Side Encryption

Published on
12,739 Points
1 Endorsement
Last Modified:
TSM has the ability to encrypt data at the client node before sending the data to the TSM server. There are two methods that are available

1. Transparent Encryption
This is where the encryption key is managed by and stored on the TSM server.  If the client node needs to be rebuilt data can be easily restored.  Data can be restored back to any node that is allowed to impersonate the original node

2. Client Side Encryption
This is where the encryption key is manually managed and stored on the client using an encryption password.  More secure as data can only be restored if the encryption password is known
If the password is lost then the data cannot be restored.  

To enable encryption at the client there are two parameters for setting up and a couple of include and exclude statements for selecting or excluding which files are to be encrypted.


The ENCRYPTKEY option is used to choose either transparent encryption or client-side encryption. For client-side encryption there are two options to choose from

ENCRYPTKEY=SAVE  ( Client-Side )

This option will prompt for an encryption password on the initial backup and then store this password in the password file. The password will be retrieved from this file for each subsequent backup.


This option will prompt for an encryption password for each backup and restore. To be able to restore the data the same password that was using when backing the data up will be required


This option will have TSM generate an encryption key password which is stored on the TSM server and managed by the TSM server.


The ENCRYPTIONTYPE parameter selects what type of encryption is used either DES56 or AES128 with the AES128 algorithm being the stronger of the two

Next is to select which files or directories to include in the backup

use the INCLUDE.ENCRYPT statement to include files and directories to be encrypted and takes the same format as any other include statement.  

Use the EXCLUDE.ENCRYPT statement to exclude files and directories to be encrypted and takes the same format as any other exclude statement.

EXCLUDE.ENCRYPT /home/.../test.fil
EXCLUDE.ENCRYPT  C:\windows\...\*

Open in new window

When using the client-side encryption the encryption passwords are stored in the TSM.PWD files in unix or in the registry for windows

I would recommended using transparent encryption unless you have a specific requirement not to.

I am option asked how to prove that the data is encrypted.  There is no way to do this with TSM and they only way to do this is use a network packet tracing tool such as wireshark. If you are interested on how to do this just send me an email   gelliott@spiritsoftware.biz
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free