
To ensure that data for off-site volumes is protected, IBM tape encryption technology is available. This
technology uses a stronger level of encryption by requiring 256-bit Advanced Encryption Standard
(AES) encryption keys. Keys are passed to the drive by a key manager to encrypt and decrypt data.

IBM tape technology supports different methods of drive encryption for the following devices:

- IBM 3592 generation 2 and generation 3
- IBM linear tape open (LTO) generation 4 and generation 5

Application Encryption
In this case, encryption keys are managed by the application: Tivoli Storage Manager generates and
stores the keys in the server database. Data is encrypted during WRITE operations, when the
encryption key is passed from the server to the drive, and decrypted for READ operations.

But when using application encryption, you must take extra care to secure database backups because
the encryption keys that are used to encrypt and decrypt data are stored in the server database. To
restore your data, you must have the correct database backup and corresponding encryption keys to
access your information. Ensure that you back up the database frequently and safeguard the backups
to prevent data loss or theft. Anyone who has access to both the database backup and the encryption
keys has access to your data.

Use application-managed encryption for only storage pool volumes. Other volumes such as backup-set
tapes, export volumes, and database backups are not encrypted using the application method.

Library Encryption
Encryption keys are managed by the library. Keys are stored in an encryption key manager and
provided to the drive. If you set up the hardware to use the library encryption, you can use this method
by setting the DRIVEENCRYPTION parameter in the device class definition to ALLOW. Only certain
IBM libraries support IBM LTO-4 library encryption.

System Encryption
System encryption is available on AIX. Encryption keys that are provided to the drive are managed by
the device driver or operating system and stored in an encryption key manager. If the hardware is set
up to use system encryption, you can use this method by setting the DRIVEENCRYPTION parameter
in the device class definition to ALLOW.

The methods of drive encryption that you can use with Tivoli Storage Manager are set up at the
hardware level. Tivoli Storage Manager cannot control or change which encryption method is used in
the hardware configuration. If the hardware is set up for the application encryption method, Tivoli
Storage Manager can turn encryption on or off depending on the DRIVEENCRYPTION value on the
device class. Drive encryption is supported only for Ultrium 4, Ultrium 5, and Ultrium 6 drives and
media.

update deviceclass <deviceclassname> library=<libraryname> driveencryption=ON/ALLOW/EXTERNAL/OFF

Choosing the correct encryption method


Deciding on which encryption method you want to use depends on how you want to manage your
data. If you only want to encrypt storage pool volumes and eliminate some encryption processing on
your system, the Application method should be enabled. This method allows Tivoli Storage Manager
to manage the encryption keys. When using Application encryption, you must take extra care to secure
database backups since the encryption keys are stored in the server database. Without access to
database backups and matching encryption keys, you will not be able to restore your data.

If you want to encrypt all of your data in a particular logical library or encrypt data on more than just
storage pool volumes, the System or Library method can be used. These methods are virtually
transparent to the server. Tivoli Storage Manager is aware of them being used and displays
informational messages when writing to an empty volume.

Library managed encryption allows you to control which volumes are encrypted through the use of
their serial numbers. You can specify a range or set of volumes to encrypt. With Application managed
encryption, you can create dedicated storage pools that only contain encrypted volumes. This way,
you can use storage pool hierarchies and policies to manage the way data is encrypted.

The Library and System methods of encryption can share the same encryption key manager, which
allows the two modes to be interchanged. However, this can only occur if the encryption key manager
is set up to share keys. Tivoli Storage Manager cannot currently verify if encryption key managers for
both methods are the same. Neither can Tivoli Storage Manager share or use encryption keys
between the application method and either library or system methods of encryption.

To determine whether or not a volume is encrypted and which method was used, you can issue the
QUERY VOLUME command with FORMAT=DETAILED.

The encryptiontype option selects the algorithm used for client data encryption: AES 128-bit, which
provides a stronger form of data encryption than DES 56-bit. The encryption type affects only backup
and archive operations. Place this option in the dsm.sys file within a server stanza.

Encryptiontype AES128 | DES56

There are three options for managing the key used to encrypt the files (prompt, save, and generate).
All three options can be used with either the backup-archive client or the Tivoli Storage Manager API.
Place this option in the dsm.sys file within a server stanza.

Encryptkey save | prompt | generate
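As an added example (not code from the IBM documentation), the following script parses the server stanzas of a dsm.sys file and reports which stanzas still use DES56 or leave encryptiontype/encryptkey unset. It assumes the usual dsm.sys layout: one "KEYWORD value" per line, case-insensitive keywords, comment lines starting with "*", and SERVERNAME opening each stanza; the sample file is constructed.

```python
# Added example, not from the IBM page. Audits dsm.sys server stanzas for the
# client-side encryption options (ENCRYPTIONTYPE, ENCRYPTKEY) described above.
# Assumptions: "KEYWORD value" per line, case-insensitive keywords, '*' comments,
# and a SERVERNAME line starts each stanza.
from typing import Dict, List

# Constructed sample dsm.sys; host names are placeholders.
SAMPLE_DSM_SYS = """\
* constructed sample, not a real configuration
SErvername  tsm_prod
  COMMmethod        TCPip
  TCPServeraddress  tsm-prod.example.invalid
  ENCRYPTIONTYPE    AES128
  ENCRYPTKEY        save

SErvername  tsm_legacy
  COMMmethod        TCPip
  TCPServeraddress  tsm-legacy.example.invalid
  ENCRYPTIONTYPE    DES56
"""


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {server name: {OPTION: VALUE}} for each SERVERNAME stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "SERVERNAME":
            current = value
            stanzas[current] = {}
        elif current is not None:
            stanzas[current][key] = value.upper()
    return stanzas


def audit_encryption(stanzas: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Per stanza: DES56 in use, or encryption options not set explicitly."""
    findings: Dict[str, List[str]] = {}
    for name, opts in stanzas.items():
        issues: List[str] = []
        etype = opts.get("ENCRYPTIONTYPE")
        if etype is None:
            issues.append("ENCRYPTIONTYPE not set explicitly")
        elif etype == "DES56":
            issues.append("DES56 in use; AES128 is the stronger option")
        if "ENCRYPTKEY" not in opts:
            issues.append("ENCRYPTKEY not set explicitly (prompt/save/generate)")
        findings[name] = issues
    return findings
```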

Changing your encryption method and hardware configuration


If you want to change the encryption method for a given set of volumes, the volumes need to be
returned to scratch status. Updating the parameter value will only affect empty volumes. For example,
if you currently have Application managed encryption enabled, and you decide that you don't want
encryption enabled at all, only empty volumes will be impacted by the change. Filling volumes will
continue to be encrypted while new volumes will not. If you do not want currently filling volumes to
continue being encrypted, the volume status should be changed to READONLY. This will ensure that
Tivoli Storage Manager does not append any more encrypted data to the volumes. You can use the
MOVE DATA command to transfer the data to a new volume after the update of the
DRIVEENCRYPTION parameter. The data will then be available in an unencrypted format.
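As an added example (not from the IBM documentation), this script applies the QUERY VOLUME FORMAT=DETAILED check and the method-change procedure described above: it reads detailed volume output, keeps the volumes still encrypted under the old key manager, and lists the follow-up commands (READONLY for filling volumes, then MOVE DATA). The "Drive Encryption Key Manager" label and the sample output are assumptions, not captured from a real server.

```python
# Added example, not from the IBM page. Parses QUERY VOLUME FORMAT=DETAILED
# output and plans the follow-up after a DRIVEENCRYPTION change.
# Assumption: output is "Label: value" lines, one volume per blank-separated
# block, with a "Drive Encryption Key Manager" field (assumed label).
from typing import Dict, List

# Constructed sample output, not captured from a real server.
SAMPLE_QUERY_VOLUME = """\
                   Volume Name: A00001L4
             Storage Pool Name: ENCPOOL
                 Volume Status: Filling
  Drive Encryption Key Manager: Tivoli Storage Manager

                   Volume Name: A00002L4
             Storage Pool Name: ENCPOOL
                 Volume Status: Full
  Drive Encryption Key Manager: Tivoli Storage Manager

                   Volume Name: A00003L4
             Storage Pool Name: ENCPOOL
                 Volume Status: Empty
  Drive Encryption Key Manager: None
"""


def parse_volumes(text: str) -> List[Dict[str, str]]:
    """Split detailed output into one {label: value} dict per volume."""
    volumes: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                volumes.append(current)
                current = {}
            continue
        label, _, value = line.partition(":")
        current[label.strip()] = value.strip()
    if current:
        volumes.append(current)
    return volumes


def plan_after_driveencryption_change(volumes: List[Dict[str, str]],
                                      old_key_manager: str) -> List[str]:
    """Commands so data written under old_key_manager is rewritten unencrypted."""
    commands: List[str] = []
    for v in volumes:
        if v.get("Drive Encryption Key Manager") != old_key_manager:
            continue  # empty or differently managed volumes need no action here
        name, status = v["Volume Name"], v["Volume Status"].upper()
        if status == "FILLING":  # stop further encrypted appends first
            commands.append(f"UPDATE VOLUME {name} ACCESS=READONLY")
        if status in ("FILLING", "FULL"):
            commands.append(f"MOVE DATA {name}")
    return commands
```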

When migrating from one hardware configuration to another, you will need to move your data from the
old volumes to new volumes with new encryption keys and key managers. You can do this by setting
up two logical libraries and storage pools (each with a different encryption method) and migrating the
data from the old volumes to the new volumes. This will eliminate volumes that were encrypted using
the original method. Assume that you have volumes that were encrypted using the Library method and
you want to migrate to the Application method. Tivoli Storage Manager will be unable to determine
which encryption keys are needed for data on these volumes because the library's encryption key
manager stores these keys and Tivoli Storage Manager does not have access to them.
