TSM has the ability to encrypt data at the client node before sending the data to the TSM server. There are two methods that are available

1. Transparent Encryption

• This is where the encryption key is managed by and stored on the TSM server
• If the client node needs to be rebuilt data can be easily restored
• Data can be restored back to any node that is allowed to impersonate the original node

2. Client Side Encryption

• This is where the encryption key is manually managed and stored on the client using an encryption password
• More secure as data can only be restored if the encryption password is known
• If the password is lost then the data cannot be restored

To enable encryption at the client there are two parameters for setting up and a couple of include and exclude statements for selecting or excluding which files are to be encrypted.

ENCRYPTKEY

The ENCRYPTKEY option is used to choose either transparent encryption or client-side encryption. For client-side encryption there are two options to choose from

ENCRYPTKEY=SAVE  ( Client-Side )

This option will prompt for an encryption password on the initial backup and then store this password in the password file. The password will be retrieved from this file for each subsequent backup.

ENCRYPTKEY=PROMPT ( Client-Side)

This option will prompt for an encryption password for each backup and restore. To be able to restore the data the same password that was using when backing the data up will be required

ENCRYPTION=GENERATE (Transparent)

This option will have TSM generate an encryption key password which is stored on the TSM server and managed by the TSM server.

 ENCRYPTIONTYPE

The ENCRYPTIONTYPE parameter selects what type of encryption is used either DES56 or AES128 with the AES128 algorithm being the stronger of the two

Next is to select which file or directories to include in the backup

use the include.encrypt statement to include files and directories to be encrypted and takes the same format as any other include statement
use the exclude.encrypt statement to exclude files and directories to be encrypted and takes the same format as any other exclude statement

example

ENCRYPTKEY=GENERATE
ENCRYPTIONTYPE=AES256
INCLUDE.ENCRYPT /home/…/
EXCLUDE.ENCRYPT /home/…/test.fil
INCLUDE.ENCRYPT  C:…*
EXCLUDE.ENCRYPT  C:windows…*

When using the client-side encryption the encryption passwords are stored in the TSM.PWD files in unix or in the registry for windows

I would recommended using transparent encryption unless you have a specific requirement not to.

I am option asked how to prove that the data is encrypted. There is no way to do this with TSM and they only way to do this is use a network packet tracing tool such as wireshark. If you are interested on how to do this just send me an email  gelliott@spiritsoftware.biz

For more information see Chapter 5 of IBM Tivoli Storage Manager: Building a Secure Environment

Posted in: TSM