Spirit Software Solutions - TSM Administration and Reporting made easy
Client Side Encryption

TSM can encrypt data at the client node before sending it to the TSM server. Two methods are available:

1. Transparent Encryption

  • This is where the encryption key is managed by and stored on the TSM server
  • If the client node needs to be rebuilt, data can be easily restored
  • Data can be restored back to any node that is allowed to impersonate the original node

2. Client Side Encryption

  • This is where the encryption key is manually managed and stored on the client using an encryption password
  • More secure as data can only be restored if the encryption password is known
  • If the password is lost then the data cannot be restored

To enable encryption at the client, set two parameters and use include and exclude statements to select which files are to be encrypted.

ENCRYPTKEY

The ENCRYPTKEY option is used to choose either transparent encryption or client-side encryption. For client-side encryption there are two options to choose from, SAVE and PROMPT; GENERATE selects transparent encryption.

ENCRYPTKEY=SAVE (Client-Side)

This option will prompt for an encryption password on the initial backup and then store this password in the password file. The password will be retrieved from this file for each subsequent backup.

ENCRYPTKEY=PROMPT (Client-Side)

This option will prompt for an encryption password for each backup and restore. To restore the data, the same password that was used when backing the data up will be required.

ENCRYPTKEY=GENERATE (Transparent)

This option will have TSM generate an encryption key password which is stored on the TSM server and managed by the TSM server.

ENCRYPTIONTYPE

The ENCRYPTIONTYPE parameter selects which type of encryption is used, either DES56 or AES128, with AES128 being the stronger of the two.

Next, select which files or directories in the backup are to be encrypted.

Use the include.encrypt statement to include files and directories to be encrypted; it takes the same format as any other include statement.
Use the exclude.encrypt statement to exclude files and directories from encryption; it takes the same format as any other exclude statement.

Example

ENCRYPTKEY=GENERATE
ENCRYPTIONTYPE=AES256
INCLUDE.ENCRYPT /home/…/
EXCLUDE.ENCRYPT /home/…/test.fil

INCLUDE.ENCRYPT  C:…*
EXCLUDE.ENCRYPT  C:windows…*
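A way to review these settings across client option files, as an added example that is not part of the original post or of TSM: the script reads option-file text and reports the key-management mode, the weaker DES56 setting, and a missing include.encrypt statement. The function names and the sample file are constructed; treating `*` as a comment marker and accepting `NAME value` alongside the `NAME=value` form shown above are assumptions about the option file syntax.

```python
import re

# Constructed sample option file for illustration; not from a real system.
SAMPLE_OPT = """\
* constructed sample client options
ENCRYPTKEY=SAVE
ENCRYPTIONTYPE DES56
INCLUDE.ENCRYPT /home/.../*
EXCLUDE.ENCRYPT /home/.../test.fil
"""

KEY_MODES = {
    "GENERATE": "transparent, key stored on and managed by the TSM server",
    "SAVE": "client-side, password stored on the client after the first backup",
    "PROMPT": "client-side, password prompted for on each backup and restore",
}
# Assumption: an option is a name, then '=' or whitespace, then its value.
OPTION_RE = re.compile(r"^([A-Za-z.]+)\s*[=\s]\s*(.*)$")

def parse_options(text):
    """Return {OPTION: [values]}; lines starting with '*' are assumed comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = None if line.startswith("*") else OPTION_RE.match(line)
        if m:
            opts.setdefault(m.group(1).upper(), []).append(m.group(2).strip())
    return opts

def audit(text):
    """Return findings about the encryption settings in an option file."""
    opts = parse_options(text)
    mode = (opts.get("ENCRYPTKEY") or [""])[-1].upper()
    etype = (opts.get("ENCRYPTIONTYPE") or [""])[-1].upper()
    desc = KEY_MODES.get(mode, "not a value this check knows")
    findings = ["ENCRYPTKEY %s: %s" % (mode or "(unset)", desc)]
    if mode in ("SAVE", "PROMPT"):
        findings.append("WARN: data cannot be restored if the encryption password is lost")
    if etype == "DES56":
        findings.append("WARN: ENCRYPTIONTYPE DES56 is the weaker algorithm; AES128 is stronger")
    if not opts.get("INCLUDE.ENCRYPT"):
        findings.append("WARN: no INCLUDE.ENCRYPT statement, so no files are selected for encryption")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OPT):
        print(finding)
```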

 

When using client-side encryption, the encryption passwords are stored in the TSM.PWD files on Unix or in the registry on Windows.

I would recommend using transparent encryption unless you have a specific requirement not to.

I am often asked how to prove that the data is encrypted. There is no way to do this with TSM and the only way to do this is to use a network packet tracing tool such as Wireshark. If you are interested in how to do this just send me an email: gelliott@spiritsoftware.biz

For more information see Chapter 5 of IBM Tivoli Storage Manager: Building a Secure Environment.