We are starting to make more use of TSM Encryption. There is a combination of features that appears to leave a security gap.
We have decided to use ENCRYPTKEY GENERATE, because it provides what is in effect encryption key escrow. We require key escrow whenever encryption is used for university data - it's surprising how many times encryption keys get lost. We also use PASSWORDACCESS GENERATE, in order to enable automatic scheduled backups.

The gap is in restore. If I have an encrypted drive, whose contents are backed up using TSM encryption, and then I unplug that drive thinking it is secure, it is not. Anyone who can boot the machine can restore everything from the encrypted drive, without entering any key or password, due to PASSWORDACCESS GENERATE.

We are thinking of instructing users to always do a complete shutdown (not sleep or hibernate), and to encrypt their boot drive if they have any sensitive data, even if that data resides somewhere other than the boot drive. However, this is herding cats. It's unlikely to be followed in all cases.

A possible solution would be to require re-entry of the TSM password to restore encrypted data, if both ENCRYPTKEY GENERATE and PASSWORDACCESS GENERATE are in effect.

Am I understanding this correctly? Is there something I am missing here?

Roger Deschner
University of Illinois at Chicago
rog...@uic.edu
======I have not lost my mind -- it is backed up on tape somewhere.=====
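An added audit check, not part of Roger's post and not IBM TSM client code: a POSIX shell script that scans a client options file (dsm.opt on Windows, dsm.sys on Unix) for the combination the post describes, ENCRYPTKEY GENERATE together with PASSWORDACCESS GENERATE, so that clients where encrypted data can be restored without a key or password can be inventoried before users are asked to change habits. It assumes the documented minimum option abbreviations ENCRYPTKey and PASSWORDAccess, reads only the first matching option line per file, and runs against constructed sample files rather than real configurations.

```sh
#!/bin/sh
# Audit a TSM client options file for the combination described in the post:
# ENCRYPTKEY GENERATE plus PASSWORDACCESS GENERATE means a restore of
# encrypted data asks the operator for neither a key nor a password.

# tsm_option_value FILE PREFIX
# Print the lowercased value of the first option whose name starts with
# PREFIX. TSM option names are case-insensitive and may be abbreviated, so
# we match on the documented minimum abbreviations (assumption):
#   ENCRYPTKey     -> "encryptk"
#   PASSWORDAccess -> "passworda"
# Lines beginning with "*" are comments in TSM option files and are skipped.
# Only the first match is reported; a dsm.sys with several server stanzas
# would need to be split per stanza.
tsm_option_value() {
    awk -v p="$2" '
        /^[[:space:]]*\*/ { next }               # comment line
        NF >= 2 {
            name = tolower($1)
            if (index(name, p) == 1) { print tolower($2); exit }
        }' "$1"
}

# check_tsm_opts FILE
# Return 0 when FILE does not combine ENCRYPTKEY GENERATE with
# PASSWORDACCESS GENERATE, 1 (with a message on stderr) when it does.
check_tsm_opts() {
    ek=$(tsm_option_value "$1" encryptk)
    pa=$(tsm_option_value "$1" passworda)
    if [ "$ek" = "generate" ] && [ "$pa" = "generate" ]; then
        echo "$1: ENCRYPTKEY GENERATE + PASSWORDACCESS GENERATE:" \
             "encrypted data restorable without key or password" >&2
        return 1
    fi
    return 0
}

# Constructed sample option files (hypothetical node names and paths).
demo=$(mktemp -d)
printf 'NODename       labpc01\nPASSWORDAccess generate\nENCRYPTKey     generate\nINCLUDE.ENCRYPT /data/.../*\n' \
    > "$demo/risky.opt"
printf '* key must be typed at backup and restore time\nnodename       labpc02\npasswordaccess generate\nencryptkey     prompt\n' \
    > "$demo/prompt.opt"

for f in "$demo/risky.opt" "$demo/prompt.opt"; do
    if check_tsm_opts "$f"; then
        echo "$f: ok"
    fi
done
rm -rf "$demo"
```

The script only reports; what to change on a flagged client is the trade-off the post lays out, since ENCRYPTKEY GENERATE is what gives the key escrow and PASSWORDACCESS GENERATE is what lets scheduled backups run unattended.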