TSM Encryption security gap?

2016-01-07 Thread Roger Deschner
We are starting to make more use of TSM Encryption. There is a
combination of features that appears to leave a security gap.

We have decided to use ENCRYPTKEY GENERATE, because it provides what is
in effect encryption key escrow. We require key escrow whenever
encryption is used for university data - it's surprising how many times
encryption keys get lost. We also use PASSWORDACCESS GENERATE, in order
to enable automatic scheduled backups.

The gap is in restore. If I have an encrypted drive, whose contents are
backed up using TSM encryption, and then I unplug that drive thinking it
is secure, it is not. Anyone who can boot the machine can restore
everything from the encrypted drive, without entering any key or
password, due to PASSWORDACCESS GENERATE.

We are thinking of instructing users to always do a complete shutdown
(not sleep or hibernate), and to encrypt their boot drive if they have
any sensitive data, even if that data resides somewhere other than the
boot drive. However, this is herding cats. It's unlikely to be followed
in all cases.

A possible solution would be to require re-entry of the TSM password to
restore encrypted data, if both ENCRYPTKEY GENERATE and PASSWORDACCESS
GENERATE are in effect.

Am I understanding this correctly? Is there something I am missing here?

Roger Deschner  University of Illinois at Chicago rog...@uic.edu
==I have not lost my mind -- it is backed up on tape somewhere.=
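
A defensive check for the option combination described in the post above, as an added example that is not part of the original post and not IBM code. It parses client options text and reports how a restore would be gated, using only the behaviours posters describe on this page; the sample files, the finding codes and the minimum abbreviation lengths are assumptions of the example.

```python
"""Audit TSM backup-archive client options text (dsm.opt / dsm.sys)."""

# Full option names mapped to a minimum abbreviation length. The lengths are an
# assumption of this example (PASSWORDA, ENCRYPTK, ENCRYPTIONT); confirm them
# in the client manual for your release.
OPTIONS = {
    "passwordaccess": 9,
    "encryptkey": 8,
    "encryptiontype": 11,
    "include.encrypt": 15,
}

# Constructed sample: the options from the thread plus PASSWORDACCESS GENERATE.
SAMPLE_OPT = r"""
* constructed sample options file
passwordaccess generate
encryptiontype aes128
encryptkey generate
include.encrypt c:\data\crypt\...\*
"""

# Constructed sample: the same file with the encryption lines commented out.
COMMENTED_OUT = r"""
passwordaccess generate
* encryptiontype aes128
* encryptkey generate
* include.encrypt c:\data\crypt\...\*
"""


def canonical(token):
    """Map an option keyword (any case, possibly abbreviated) to its full name."""
    token = token.lower()
    for full, minimum in OPTIONS.items():
        if len(token) >= minimum and full.startswith(token):
            return full
    return None


def parse_options(text):
    """Return {option: [values]} for the audited options, skipping '*' comments."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        name = canonical(parts[0])
        if name is not None:
            value = parts[1].strip() if len(parts) > 1 else ""
            found.setdefault(name, []).append(value)
    return found


def assess(text):
    """Return a list of (code, explanation) findings about how restores are gated."""
    opts = parse_options(text)
    findings = []

    def single(name):
        # An option given several different values is reported, not guessed at.
        values = sorted({v.lower() for v in opts.get(name, [])})
        if len(values) > 1:
            findings.append(("CONFLICT", f"{name} set to several values: {values}"))
            return None
        return values[0] if values else None

    key_mode = single("encryptkey")
    pw_mode = single("passwordaccess")

    if not opts.get("include.encrypt"):
        findings.append(("NO_ENCRYPT_SCOPE",
                         "no include.encrypt is active; future backups are not selected "
                         "for encryption, already-encrypted backups still restore"))
    if key_mode == "generate" and pw_mode == "generate":
        findings.append(("UNATTENDED_RESTORE",
                         "key travels with the data and the node password is stored: "
                         "anyone who can boot this machine can restore without a prompt"))
    elif key_mode == "generate":
        findings.append(("NODE_PASSWORD_ONLY",
                         "key travels with the data: a restore is gated by the node "
                         "password only, never by an encryption key"))
    elif key_mode == "save":
        findings.append(("KEY_ON_CLIENT",
                         "key is kept on the client: restores from this machine do not "
                         "prompt while the key file is present"))
    elif key_mode == "prompt":
        findings.append(("KEY_PROMPTED",
                         "key must be typed in: nobody is there to answer the prompt "
                         "during a scheduled backup"))
    elif "encryptkey" not in opts:
        findings.append(("ENCRYPTKEY_UNSET", "encryptkey not set; the client default applies"))
    elif key_mode is not None:
        findings.append(("ENCRYPTKEY_UNKNOWN", f"unrecognised encryptkey value: {key_mode}"))
    return findings


def codes(text):
    """Finding codes only, convenient for policy checks."""
    return {code for code, _ in assess(text)}


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_OPT), ("commented out", COMMENTED_OUT)):
        for code, why in assess(sample):
            print(f"{label}: {code}: {why}")
```
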


Re: Old Technote: TSM encryption compliance with FIPS 140-2

2015-03-16 Thread Del Hoobler
Hi Ruth,

You did it the correct way.
I have also reached out to the team to get your comment
sent to the owner of that specific technote.


Del






ADSM: Dist Stor Manager ADSM-L@VM.MARIST.EDU wrote on 03/12/2015
05:56:34 PM:

 From: Mitchell, Ruth Slovik rmi...@illinois.edu
 To: ADSM-L@VM.MARIST.EDU
 Date: 03/12/2015 05:57 PM
 Subject: Old Technote: TSM encryption compliance with FIPS 140-2
 Sent by: ADSM: Dist Stor Manager ADSM-L@VM.MARIST.EDU

 Hi All,

 I know we all grapple with outdated online documentation from time
 to time. Does anyone have a suggestion for the best way to request
 IBM update an out of date technote? I've already submitted feedback
 via the 'rate this page' link. Is it better to open a service
 request? To me that seems like overkill.

 The page in question is,
 http://www-01.ibm.com/support/docview.wss?uid=swg21442342, last updated
 in 2012. We'd like to point customers to a current IBM page for this type
 of information, but such out of date details aren't very helpful.

 Thanks in advance for recommendations.

 Ruth
 U of I, Urbana, IL



Re: Old Technote: TSM encryption compliance with FIPS 140-2

2015-03-16 Thread Mitchell, Ruth Slovik
Hi Del,

That's very much appreciated!

Best,
Ruth
U of I, Urbana, IL

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Del 
Hoobler
Sent: Monday, March 16, 2015 5:57 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Old Technote: TSM encryption compliance with FIPS 140-2

Hi Ruth,

You did it the correct way.
I have also reached out to the team to get your comment sent to the owner of 
that specific technote.


Del






ADSM: Dist Stor Manager ADSM-L@VM.MARIST.EDU wrote on 03/12/2015
05:56:34 PM:

 From: Mitchell, Ruth Slovik rmi...@illinois.edu
 To: ADSM-L@VM.MARIST.EDU
 Date: 03/12/2015 05:57 PM
 Subject: Old Technote: TSM encryption compliance with FIPS 140-2
 Sent by: ADSM: Dist Stor Manager ADSM-L@VM.MARIST.EDU

 Hi All,

 I know we all grapple with outdated online documentation from time to 
 time. Does anyone have a suggestion for the best way to request IBM 
 update an out of date technote? I've already submitted feedback via 
 the 'rate this page' link. Is it better to open a service request? To 
 me that seems like overkill.

 The page in question is,
 http://www-01.ibm.com/support/docview.wss?uid=swg21442342, last updated
 in 2012. We'd like to point customers to a current IBM page for this type
 of information, but such out of date details aren't very helpful.

 Thanks in advance for recommendations.

 Ruth
 U of I, Urbana, IL



Old Technote: TSM encryption compliance with FIPS 140-2

2015-03-12 Thread Mitchell, Ruth Slovik
Hi All,

I know we all grapple with outdated online documentation from time to time. 
Does anyone have a suggestion for the best way to request IBM update an out of 
date technote? I've already submitted feedback via the 'rate this page' link. 
Is it better to open a service request? To me that seems like overkill.

The page in question is,  
http://www-01.ibm.com/support/docview.wss?uid=swg21442342, last updated in 
2012. We'd like to point customers to a current IBM page for this type of 
information, but such out of date details aren't very helpful.

Thanks in advance for recommendations.

Ruth
U of I, Urbana, IL


Re: More tsm encryption questions

2012-03-23 Thread Bill Boyer
Depends on your goal for encryption. If you need it for encrypting during
transport (or maybe use SSL), encrypted data at rest on your storage, data
is encrypted on the tapes going offsite,... Yeah the key is in the TSM DB,
but you need to restore/rebuild TSM to be able to get it. Just dumping out
the tape isn't going to get you any eye-readable material. Don't know if the
auditors or lawyers would accept it, but it's better than nothing. I've
referred to it in the past as the cheap managers' encryption scheme. If you
really need to lock it down, then hardware encryption is the way to go with
an external key manager, but that co$t$, is vendor specific as you need TKLM
if you use IBM hardware and you can't mix it if you go to a recovery site.

So it depends on what you're trying to accomplish  and the budget you have.

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Steven Langdale
Sent: Thursday, March 22, 2012 5:10 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] More tsm encryption questions

Well, there you go. You're spot on there Bill!

I'm struggling to see what use generate is. What's the point of encrypting
the data when the key is handed out whenever a restore is performed?

That must be why I've only ever used encryptkey save in the past.


On 22 March 2012 19:57, Bill Boyer bjdbo...@comcast.net wrote:

 With the ENCRYPTKEY GENERATE specified the client creates the key at
 the beginning of the backup and that key is kept with the data stream
 stored on the TSM server. When you restore this the key in the data
 stream is used. I believe they also refer to this as transparent
encryption.

 The include.encrypt will only affect future backups, not any backups
 already encrypted and stored on the TSM server.


 Bill Boyer
 There are 10 kinds of people in the world. Those that understand
 binary and those that don't. - ??




 -Original Message-
 From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf
 Of Steven Langdale
 Sent: Thursday, March 22, 2012 2:21 PM
 To: ADSM-L@VM.MARIST.EDU
 Subject: Re: [ADSM-L] More tsm encryption questions

 They restored because the client had an encryption key, delete that,
 or possibly the encryptiontype line and you will be prompted for it.

 As for testing to see if they ARE encrypted, i think the client may
 say with a q backup (but not sure).  The test I used was to try a
 restore after I had removed the key file.

 One aside, if you are using tape technology that compresses, the
 compression will go down the drain.

 Steven



 On 22 March 2012 18:01, Lee, Gary g...@bsu.edu wrote:

  Ok.  Think I have encryption working.
 
  Tried the following experiment.
 
  1. Added these lines to dsm.opt
 
  encryptiontype aes128
  encryptkey generate
  include.encrypt c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*
 
  2. did an incremental backup to pick up the crypt folder just
  created and filled.
 
  3. deleted all files starting with phon
 
  4.  restored files starting with phon back to crypt folder.  Went well.
 
  5. commented all encryption related lines out of dsm.opt.
 
  6. removed phone* from crypt folder again.
 
  7. restored phone* back to crypt folder.
 
  I thought that with encryption lines removed from dsm.opt, either
  the encrypted files wouldn't restore, or would be restored as garbage.
  Not so. Restored perfectly.
 
  What have I missed?
  Also, is there a way to verify that the specified files are truly
  encrypted?
 
  Thanks again for the assistance.
 
 
 
 
  Gary Lee
  Senior System Programmer
  Ball State University
  phone: 765-285-1310
 
 



More tsm encryption questions

2012-03-22 Thread Lee, Gary
Ok.  Think I have encryption working.

Tried the following experiment.

1. Added these lines to dsm.opt

encryptiontype aes128
encryptkey generate
include.encrypt c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*

2. did an incremental backup to pick up the crypt folder just created and 
filled.

3. deleted all files starting with phon

4.  restored files starting with phon back to crypt folder.  Went well.

5. commented all encryption related lines out of dsm.opt.

6. removed phone* from crypt folder again.

7. restored phone* back to crypt folder.

I thought that with encryption lines removed from dsm.opt, either the  
encrypted files wouldn't restore, or would be restored as garbage.  Not so. 
Restored perfectly.

What have I missed?
Also, is there a way to verify that the specified files are truly encrypted?

Thanks again for the assistance.




Gary Lee
Senior System Programmer
Ball State University
phone: 765-285-1310

 

Re: More tsm encryption questions

2012-03-22 Thread Steven Langdale
They restored because the client had an encryption key, delete that, or
possibly the encryptiontype line and you will be prompted for it.

As for testing to see if they ARE encrypted, i think the client may say
with a q backup (but not sure).  The test I used was to try a restore after
I had removed the key file.

One aside, if you are using tape technology that compresses, the
compression will go down the drain.

Steven



On 22 March 2012 18:01, Lee, Gary g...@bsu.edu wrote:

 Ok.  Think I have encryption working.

 Tried the following experiment.

 1. Added these lines to dsm.opt

 encryptiontype aes128
 encryptkey generate
 include.encrypt c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*

 2. did an incremental backup to pick up the crypt folder just created and
 filled.

 3. deleted all files starting with phon

 4.  restored files starting with phon back to crypt folder.  Went well.

 5. commented all encryption related lines out of dsm.opt.

 6. removed phone* from crypt folder again.

 7. restored phone* back to crypt folder.

 I thought that with encryption lines removed from dsm.opt, either the
  encrypted files wouldn't restore, or would be restored as garbage.  Not
 so. Restored perfectly.

 What have I missed?
 Also, is there a way to verify that the specified files are truly
 encrypted?

 Thanks again for the assistance.




 Gary Lee
 Senior System Programmer
 Ball State University
 phone: 765-285-1310




Re: More tsm encryption questions

2012-03-22 Thread Bill Boyer
With the ENCRYPTKEY GENERATE specified the client creates the key at the
beginning of the backup and that key is kept with the data stream stored on
the TSM server. When you restore this the key in the data stream is used. I
believe they also refer to this as transparent encryption.

The include.encrypt will only affect future backups, not any backups already
encrypted and stored on the TSM server.


Bill Boyer
There are 10 kinds of people in the world. Those that understand binary and
those that don't. - ??




-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
Steven Langdale
Sent: Thursday, March 22, 2012 2:21 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] More tsm encryption questions

They restored because the client had an encryption key, delete that, or
possibly the encryptiontype line and you will be prompted for it.

As for testing to see if they ARE encrypted, i think the client may say with
a q backup (but not sure).  The test I used was to try a restore after I had
removed the key file.

One aside, if you are using tape technology that compresses, the compression
will go down the drain.

Steven



On 22 March 2012 18:01, Lee, Gary g...@bsu.edu wrote:

 Ok.  Think I have encryption working.

 Tried the following experiment.

 1. Added these lines to dsm.opt

 encryptiontype aes128
 encryptkey generate
 include.encrypt c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*

 2. did an incremental backup to pick up the crypt folder just created
 and filled.

 3. deleted all files starting with phon

 4.  restored files starting with phon back to crypt folder.  Went well.

 5. commented all encryption related lines out of dsm.opt.

 6. removed phone* from crypt folder again.

 7. restored phone* back to crypt folder.

 I thought that with encryption lines removed from dsm.opt, either the
 encrypted files wouldn't restore, or would be restored as garbage.
 Not so. Restored perfectly.

 What have I missed?
 Also, is there a way to verify that the specified files are truly
 encrypted?

 Thanks again for the assistance.




 Gary Lee
 Senior System Programmer
 Ball State University
 phone: 765-285-1310




Re: More tsm encryption questions

2012-03-22 Thread Steven Langdale
Well, there you go. You're spot on there Bill!

I'm struggling to see what use generate is. What's the point of encrypting
the data when the key is handed out whenever a restore is performed?

That must be why I've only ever used encryptkey save in the past.


On 22 March 2012 19:57, Bill Boyer bjdbo...@comcast.net wrote:

 With the ENCRYPTKEY GENERATE specified the client creates the key at the
 beginning of the backup and that key is kept with the data stream stored on
 the TSM server. When you restore this the key in the data stream is used. I
 believe they also refer to this as transparent encryption.

 The include.encrypt will only affect future backups, not any backups
 already encrypted and stored on the TSM server.


 Bill Boyer
 There are 10 kinds of people in the world. Those that understand binary
 and those that don't. - ??




 -Original Message-
 From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of
 Steven Langdale
 Sent: Thursday, March 22, 2012 2:21 PM
 To: ADSM-L@VM.MARIST.EDU
 Subject: Re: [ADSM-L] More tsm encryption questions

 They restored because the client had an encryption key, delete that, or
 possibly the encryptiontype line and you will be prompted for it.

 As for testing to see if they ARE encrypted, i think the client may say
 with a q backup (but not sure).  The test I used was to try a restore
 after I had removed the key file.

 One aside, if you are using tape technology that compresses, the
 compression will go down the drain.

 Steven



 On 22 March 2012 18:01, Lee, Gary g...@bsu.edu wrote:

  Ok.  Think I have encryption working.
 
  Tried the following experiment.
 
  1. Added these lines to dsm.opt
 
  encryptiontype aes128
  encryptkey generate
  include.encrypt c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*
 
  2. did an incremental backup to pick up the crypt folder just created
  and filled.
 
  3. deleted all files starting with phon
 
  4.  restored files starting with phon back to crypt folder.  Went well.
 
  5. commented all encryption related lines out of dsm.opt.
 
  6. removed phone* from crypt folder again.
 
  7. restored phone* back to crypt folder.
 
  I thought that with encryption lines removed from dsm.opt, either the
  encrypted files wouldn't restore, or would be restored as garbage.
  Not so. Restored perfectly.
 
  What have I missed?
  Also, is there a way to verify that the specified files are truly
  encrypted?
 
  Thanks again for the assistance.
 
 
 
 
  Gary Lee
  Senior System Programmer
  Ball State University
  phone: 765-285-1310
 
 



Re: More tsm encryption questions

2012-03-22 Thread Prather, Wanda
> I'm struggling to see what use generate is. What's the point of encrypting
> the data when the key is handed out whenever a restore is performed?

Well, it prevents anybody who doesn't have access to the console of that
machine from restoring the data, esp. to a different machine.
If you don't use generate, then the backup can't be run by the scheduler
because there is no one there to answer the prompt for the key.

If you want to do a manual backup and supply the key, specify encryptkey prompt.

Here is info you can use to verify whether the data is encrypted:
http://adsm.org/lists/html/ADSM-L/2009-03/msg00425.html


> That must be why I've only ever used encryptkey save in the past.


On 22 March 2012 19:57, Bill Boyer bjdbo...@comcast.net wrote:

 With the ENCRYPTKEY GENERATE specified the client creates the key at 
 the beginning of the backup and that key is kept with the data stream 
 stored on the TSM server. When you restore this the key in the data 
 stream is used. I believe they also refer to this as transparent encryption.

 The include.encrypt will only affect future backups, not any backups
 already encrypted and stored on the TSM server.


 Bill Boyer
 There are 10 kinds of people in the world. Those that understand 
 binary and those that don't. - ??




 -Original Message-
 From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf 
 Of Steven Langdale
 Sent: Thursday, March 22, 2012 2:21 PM
 To: ADSM-L@VM.MARIST.EDU
 Subject: Re: [ADSM-L] More tsm encryption questions

 They restored because the client had an encryption key, delete that, 
 or possibly the encryptiontype line and you will be prompted for it.

 As for testing to see if they ARE encrypted, i think the client may 
 say with a q backup (but not sure).  The test I used was to try a 
 restore after I had removed the key file.

 One aside, if you are using tape technology that compresses, the
 compression will go down the drain.

 Steven



 On 22 March 2012 18:01, Lee, Gary g...@bsu.edu wrote:

  Ok.  Think I have encryption working.
 
  Tried the following experiment.
 
  1. Added these lines to dsm.opt
 
  encryptiontype aes128
  encryptkey generate
  include.encrypt c:\Documents and Settings\glee.BSU\My Documents\crypt\...\*
 
  2. did an incremental backup to pick up the crypt folder just
  created and filled.
 
  3. deleted all files starting with phon
 
  4.  restored files starting with phon back to crypt folder.  Went well.
 
  5. commented all encryption related lines out of dsm.opt.
 
  6. removed phone* from crypt folder again.
 
  7. restored phone* back to crypt folder.
 
  I thought that with encryption lines removed from dsm.opt, either 
  the encrypted files wouldn't restore, or would be restored as garbage.
  Not so. Restored perfectly.
 
  What have I missed?
  Also, is there a way to verify that the specified files are truly 
  encrypted?
 
  Thanks again for the assistance.
 
 
 
 
  Gary Lee
  Senior System Programmer
  Ball State University
  phone: 765-285-1310
 
 



Re: Verifying IBM TSM Encryption types

2011-08-02 Thread Richard Sims
On Aug 1, 2011, at 10:59 PM, terrance wrote:

 So what you mean is that the TSM server doesn't have its own encryption and
 is instead helped by the driver or client side encryption?
 ...

The Administrator's Guide for your given TSM release will describe encryption 
opportunities available from the standpoint of the TSM server.  The server 
developers don't waste time creating functionality which is provided by other 
means, such as tape drives (let the hardware do the work) or the client (where 
data must be secure in network conveyance and disk storage pool residency).  
Certainly, it's possible to encrypt data twice, just as it can be subjected to 
multiple phases of processing performing compression in passing data.

   Richard Sims


Verifying IBM TSM Encryption types

2011-08-02 Thread terrance
1) Is there any prerequisite or condition required before the data is
encrypted? According to my understanding, TSM is a storage manager server, so
does any driver or software need to be installed or configured to enable the
encryption method, either on the client side or the driver side?

2) According to the information I found, EKM must be installed before
configuring TSM with LME and SME. So at this stage how can I verify or
justify that EKM is installed on the TSM server?

+--
|This was sent by terrancey...@yahoo.com via Backup Central.
|Forward SPAM to ab...@backupcentral.com.
+--


Verifying IBM TSM Encryption types

2011-08-02 Thread terrance
I checked my TSM server with this command
q devclass Device name f=d
and it shows the Driver Encryption is set ON.
So I know that my TSM server is using the AME method to encrypt the data.
But are there any prerequisites and configuration steps to achieve it?



Verifying IBM TSM Encryption types

2011-08-01 Thread terrance
How can I retrieve all the information about what kind of encryption method
or type is in use on my TSM server?
What I mean is, how do I check whether the backup data stored on a tape is
encrypted or not?
Isn't it related to the default encryption method AES 128 or the alternative
encryption method DES56?
Or else is it related to AME, LME or SME?
Please provide me the method or command, or even the file's path, to verify or
justify the information above.
Thank you.



Re: Verifying IBM TSM Encryption types

2011-08-01 Thread Richard Sims
TSM client encryption can be verified per IBM Technote 1303197.
Tape drive encryption is a hardware topic addressed by the documentation for 
the particular drive model, as in recent 3592 model variants.

Richard Sims


Re: Verifying IBM TSM Encryption types

2011-08-01 Thread Grigori Solonovitch
In addition - in case of using TDP for Oracle you can inspect TSM Server logs 
for TDP nodes. I think for other TDPs it is the same.
Be careful with encryption for TDP backups - some additional configuration
efforts are required.


From: ADSM: Dist Stor Manager [ADSM-L@VM.MARIST.EDU] On Behalf Of Richard Sims 
[r...@bu.edu]
Sent: Monday, August 01, 2011 8:10 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Verifying IBM TSM Encryption types

TSM client encryption can be verified per IBM Technote 1303197.
Tape drive encryption is a hardware topic addressed by the documentation for 
the particular drive model, as in recent 3592 model variants.

Richard Sims


Please consider the environment before printing this Email.

CONFIDENTIALITY AND WAIVER: The information contained in this electronic mail 
message and any attachments hereto may be legally privileged and confidential. 
The information is intended only for the recipient(s) named in this message. If 
you are not the intended recipient you are notified that any use, disclosure, 
copying or distribution is prohibited. If you have received this in error 
please contact the sender and delete this message and any attachments from your 
computer system. We do not guarantee that this message or any attachment to it 
is secure or free from errors, computer viruses or other conditions that may 
damage or interfere with data, hardware or software.


Verifying IBM TSM Encryption types

2011-08-01 Thread terrance
So what you mean is that the TSM server doesn't have its own encryption and is
instead helped by the driver or client side encryption?
1) What I mean is, when data is stored inside the storage, will any encryption
step run at this stage before it is backed up to tape?

2) Is it possible for a TSM server to use both kinds of encryption, such as
driver encryption (AME, LME or SME) and client side encryption?

For example, when a client submits data or info to the storage, the data is
encrypted and stored in the storage. After that, when the backup starts, the
data will be encrypted a second time and stored on tape by the driver.
So does it make sense?



Anyone doing TSM Encryption on TS1120's in a 3494 tape library??

2007-12-05 Thread William Boyer
Looking for help...TSM 5.4.1.1 on Windows2003 running the latest IBM tape
driver. The library and drives are at the latest firmware
as of about 2-weeks ago. The drives have application encryption enabled. This 
was done through the CE interface on the back of the
drives. A query of the drive VPD data from the library console shows 
application encryption is enabled.

When we enable encryption in TSM  UPD DEVC 3592 DRIVEENCRYPTION=ON, we get 
ANR8985E message when mounting scratch tapes. Using the
NTUTIL command and specifying that you want 59: Get encryption State it shows:

Encryption capable: True
Encryption method: None (0)
Encryption state: Off (0)

We rebooted the TSM server after making the encryption changes to the drives.

Could really use some help on this... calling IBM and trying to figure out
where to start... is it a TSM issue... driver... hardware
configuration..???

Bill Boyer
Select * from USERS where CLUE>0
0 rows returned


Re: Anyone doing TSM Encryption on TS1120's in a 3494 tape library??

2007-12-05 Thread Strand, Neil B.
I have the EKM set up doing library managed encryption.  It works well
once it is set up and takes any TSM dependencies out of the picture.  It
also allows me to push off most of the encryption maintenance to our
security group.
IBM's encryption expertise for open systems has been underwhelming.
I am using EKM on AIX.  It should work on Windows if you get the correct
java and configurations.


Neil Strand
Storage Engineer - Legg Mason
Baltimore, MD.
(410) 580-7491
Whatever you can do or believe you can, begin it.
Boldness has genius, power and magic.


-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] On Behalf Of
William Boyer
Sent: Wednesday, December 05, 2007 9:56 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Anyone doing TSM Encryption on TS1120's in a 3494 tape
library??

Looking for help...TSM 5.4.1.1 on Windows2003 running the latest IBM
tape driver. The library and drives are at the latest firmware as of
about 2-weeks ago. The drives have application encryption enabled. This
was done through the CE interface on the back of the drives. A query of
the drive VPD data from the library console shows application encryption
is enabled.

When we enable encryption in TSM  UPD DEVC 3592 DRIVEENCRYPTION=ON, we
get ANR8985E message when mounting scratch tapes. Using the NTUTIL
command and specifying that you want 59: Get encryption State it shows:

Encryption capable: True
Encryption method: None (0)
Encryption state: Off (0)

We rebooted the TSM server after making the encryption changes to the
drives.

Could really use some help on this... calling IBM and trying to figure
out where to start... is it a TSM issue... driver... hardware
configuration..???

Bill Boyer
Select * from USERS where CLUE>0
0 rows returned

IMPORTANT:  E-mail sent through the Internet is not secure. Legg Mason 
therefore recommends that you do not send any confidential or sensitive 
information to us via electronic mail, including social security numbers, 
account numbers, or personal identification numbers. Delivery, and or timely 
delivery of Internet mail is not guaranteed. Legg Mason therefore recommends 
that you do not send time sensitive 
or action-oriented messages to us via electronic mail.

This message is intended for the addressee only and may contain privileged or 
confidential information. Unless you are the intended recipient, you may not 
use, copy or disclose to anyone any information contained in this message. If 
you have received this message in error, please notify the author by replying 
to this message and then kindly delete the message. Thank you.


Re: LTO4 and TSM Encryption of Storage Pool Volumes and DB Backup Tapes

2007-08-14 Thread Strand, Neil B.
Kelly,
I'm using TS1120 drives and wrestled with the same issues.  I ended
up using system encryption with the EKM because:

1. It provides the greatest level of granularity - Individual tape
drives and volumes may be designated for encryption
2. TSM is oblivious to this type of encryption thus limiting any
incompatibilities and avoiding the situation you describe.
3. Management of the encryption keys can be performed by our security
group with minimal interaction with TSM
4. Other applications can use the encrypted tape drives (with
appropriate library partitioning).
5. It simplifies any data sharing with partners - we can create a tape
with a unique key for that business partner or read a tape from a
business partner with their key.  All without regard to TSM.

I currently have one library manager with two library clients at a
single site with a 700TB TS3500 library.
I am expanding to two sites each with a TSM library manager, 8 TSM
library clients, a couple of LAN-Free clients and NDMP backups with a
1.2PB TS3500 library at each site.

I need to be able to recover one site to the other.  Using System level
encryption, I have synchronized keys at both sites, thus greatly
simplifying recovery efforts.  The synchronized keys also provide a
means of failover protection in that the encryption key may be provided
from any of four key managers - two located at each site to either
library.

TSM database backup will be done direct to tape for offsite and a second
copy to another server for onsite recovery.  The encryption keys are
stored on alternate media which is refreshed whenever there is a key
change.


Cheers,
Neil Strand
Legg Mason
Storage Engineer
(410) 580-7491


-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] On Behalf Of
Kelly Lipp
Sent: Monday, August 13, 2007 4:20 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] LTO4 and TSM Encryption of Storage Pool Volumes and DB
Backup Tapes

Folks,

I'm trying to plug the hole in the system here.  With TSM V5.3.5.2 and
5.4.0.2 LTO4 drives and their encryption functionality can finally be
exploited at the application level.  Within TSM, we use device classes
to enable this.  So I'm thinking one could have one device class
supporting encryption and another not (both in the same library) and
have pools associated with these device classes, blah, blah, blah.  You
get the idea.  Cool, cool.

OK, so now all the encryption keys are stored in the TSM database.  The
problem is I now create an un-encrypted db backup tape to send offsite
with my encrypted volumes and I've a wee bit of a problem.

How are others rectifying this: use System level or library level
instead of or in addition to Application Managed with TSM?  Keep the
backup tape and the storage pool volumes separate (that's gotta be a bad
idea from the get go)?  Other ideas?

Unless I'm missing something, this just can't work well at all.  Perhaps
a switch on the backup db command... (but then who would manage that
key?)

The genesis of this is my attempt to get my hands around AME, SME and
LME.  Whew: you want a headache just start reading about all of that.
And if that's not enough, IBM's Encryption Key Management Java
application is real fun.  The more I read the more I like client side
encryption.  But everyone is screaming to encrypt everything.

Share your thoughts.  I intend to write a short white paper on all of
this once I get my head around it all.

Kelly J. Lipp
VP Manufacturing  CTO
STORServer, Inc.
485-B Elkton Drive
Colorado Springs, CO 80907
719-266-8777
[EMAIL PROTECTED]




LTO4 and TSM Encryption of Storage Pool Volumes and DB Backup Tapes

2007-08-13 Thread Kelly Lipp
Folks,
 
I'm trying to plug the hole in the system here.  With TSM V5.3.5.2 and
5.4.0.2 LTO4 drives and their encryption functionality can finally be
exploited at the application level.  Within TSM, we use device classes
to enable this.  So I'm thinking one could have one device class
supporting encryption and another not (both in the same library) and
have pools associated with these device classes, blah, blah, blah.  You
get the idea.  Cool, cool.
 
OK, so now all the encryption keys are stored in the TSM database.  The
problem is I now create an un-encrypted db backup tape to send offsite
with my encrypted volumes and I've a wee bit of a problem.
 
How are others rectifying this: use System level or library level
instead of or in addition to Application Managed with TSM?  Keep the
backup tape and the storage pool volumes separate (that's gotta be a bad
idea from the get go)?  Other ideas?
 
Unless I'm missing something, this just can't work well at all.  Perhaps
a switch on the backup db command... (but then who would manage that
key?)
 
The genesis of this is my attempt to get my hands around AME, SME and
LME.  Whew: you want a headache just start reading about all of that.
And if that's not enough, IBM's Encryption Key Management Java
application is real fun.  The more I read the more I like client side
encryption.  But everyone is screaming to encrypt everything.
 
Share your thoughts.  I intend to write a short white paper on all of
this once I get my head around it all.
 
Kelly J. Lipp
VP Manufacturing  CTO
STORServer, Inc.
485-B Elkton Drive
Colorado Springs, CO 80907
719-266-8777
[EMAIL PROTECTED]
 


Re: Using tsm-encryption and want to change the hostname at the Client

2006-08-04 Thread Alexei Kojenov
 and want to revert.
 
 Alexei
 
 ---
 
 Dear TSmers,
 
 we have tsmserver 5.3.3.2 /solaris and tsm-Client 5.3.4.0 /linux.
 
 On the Client we use tsm-encryption :
 The 'nodename' Option is set in the dsm.sys and also the
 'encryptkey save' Option is set  and  'encryptiontype AES128' is also set.
 
 The inclexc-File contains a line like 'include.encrypt *'
 So far anything runs fine :-)
 
 Problem: Next week we have to change the 'hostname' of that linux-server.
 
 The Question now is : - if any - what steps are to be done at the
 tsm-Client ?
 ... and even at the tsm-server ?
 The (tsm)nodename won't be changed.
 Do I need the TSM-Client in a manual way give once again the
 encryption-key password to let the encryption-key be generated ?
 Or is there nothing to be done at the Client ?
 
 I have looked through the lists and docs and haven't found any
 'procedures' for that scenario - just pointers to dependencies on the
 system's hostname.
 
 Thanks in advance for any hints , recipe or links ... !
 Rainer
 


Re: Using tsm-encryption and want to change the hostname at the Client

2006-08-01 Thread Rainer Wolf

Alexei,
thanks a lot for your detailed explanation  !  It's clearer to me now :-)
... just only two more questions ?
What about the windows-Clients - do I then (when changing the windows system-name)
also have to manually remove the  equivalent 'TSM.PWD' entry
in the registry or elsewhere ?
if so: Is that something to be done with the windows registry-editor
or is there a tsm-windows-client function that can do for me the
renaming/refresh of the locally stored tsm-pwds on windows so I can reenter
the (same) encryption key password once again ?

About the 'using some garbage encryption key' : Isn't that something
where the tsm-client really should say 'NO'
stop backup and generate an error message ?
... preventing the user to have something unrecoverable
- is there an existing apar ?

Best regards
Rainer


Alexei Kojenov schrieb:


Rainer,

Your data is always encrypted with the key generated from the password that
you enter, regardless of the hostname. The hostname is only used to store
the password locally. For example,

1) Let's say the hostname is 'mercury'
2) You run your first backup and are prompted for encryption key password.
Let's say you enter 'secret'
3) The string 'secret' is encrypted with 'mercury' and is stored in TSM.PWD
4) The data are encrypted with 'secret'.
5) On the next backup, the stored password is retrieved from TSM.PWD and
decrypted with 'mercury', and 'secret' is used for data backup.

6) Let's say you change the hostname to 'venus' and delete/rename existing
TSM.PWD
7) TSM prompts you for encryption key password and you enter 'secret'
again.
8) 'secret' is encrypted with 'venus' and is stored in TSM.PWD (note,
TSM.PWD will binary differ from the one from step 3, because the key, which
is dependent on hostname, is different)
9) The data are encrypted with 'secret' (the same as in step 4, regardless
of hostname).
10) On the next backup, stored password is decrypted with 'venus', and the
same password 'secret' is used for backup.

So you shouldn't worry about validity of your old backups as long as you
use the same encryption password and you deleted/renamed TSM.PWD when
changing the hostname.

The problems come when someone changes the hostname but does not delete
TSM.PWD. In the example above, a backup following the hostname change will
try to decrypt stored password with 'venus' and will get an incorrect
result (because 'secret' was originally encrypted with 'mercury'!), so the
new backups will be using some garbage encryption key, and it would be
really hard to restore the new data correctly if TSM.PWD is lost or if the
restore happens on a different machine.

Alexei


ADSM: Dist Stor Manager ADSM-L@VM.MARIST.EDU wrote on 07/27/2006
06:31:17 AM:



Hi Alexei,

thanks for your hint - now i come with a new question concerning the
'restore' :
Because nothing changes other than the 'hostname' of that linux system ...
... what about the data that has been backed up prior to the time
I rename the hostname and reenter the 'encryption key password' ?

Because I stay with 'encryptkey save' what happens when (some time)
I may do a full restore of the '/home/' -Filespace ?

Because this Filespace '/home/'  has data backed up that is encrypted
with both encryption-key-usage of the old and the new 'hostname'
( but always the same 'tsm-Nodename' )
... will I be able to restore(and decrypt) all of it ?

... i fear to go into problems - Or do I have to start backup again
from 'zero' - for example :
by renaming  the filespace on the server
at the time changing the hostname ?

Thanks again for any hints !
-- that is something really confusing to me :-|

Rainer



Alexei Kojenov schrieb:



Rainer,

You need to make TSM client prompt you for encryption key password on the
next backup after you changed the hostname. The only way to do this is to
rename/remove the existing TSM.PWD file (this is the file where TSM client
stores its passwords). You should rename this file rather than delete it,
in case you have problems and want to revert.

Alexei

---

Dear TSmers,

we have tsmserver 5.3.3.2 /solaris and tsm-Client 5.3.4.0 /linux.

On the Client we use tsm-encryption :
The 'nodename' Option is set in the dsm.sys and also the
'encryptkey save' Option is set  and  'encryptiontype AES128' is also set.
The inclexc-File contains a line like 'include.encrypt *'
So far anything runs fine :-)

Problem: Next week we have to change the 'hostname' of that linux-server.


The Question now is : - if any - what steps are to be done at the
tsm-Client ?
... and even at the tsm-server ?
The (tsm)nodename won't be changed.
Do I need the TSM-Client in a manual way give once again the
encryption-key password to let the encryption-key be generated ?
Or is there nothing to be done at the Client ?

I have looked through the lists and docs and haven't found any
'procedures' for that scenario - just pointers to dependencies on the
system's hostname.

Thanks in advance for any

Re: Using tsm-encryption and want to change the hostname at the Client

2006-07-31 Thread Alexei Kojenov
Rainer,

Your data is always encrypted with the key generated from the password that
you enter, regardless of the hostname. The hostname is only used to store
the password locally. For example,

1) Let's say the hostname is 'mercury'
2) You run your first backup and are prompted for encryption key password.
Let's say you enter 'secret'
3) The string 'secret' is encrypted with 'mercury' and is stored in TSM.PWD
4) The data are encrypted with 'secret'.
5) On the next backup, the stored password is retrieved from TSM.PWD and
decrypted with 'mercury', and 'secret' is used for data backup.

6) Let's say you change the hostname to 'venus' and delete/rename existing
TSM.PWD
7) TSM prompts you for encryption key password and you enter 'secret'
again.
8) 'secret' is encrypted with 'venus' and is stored in TSM.PWD (note,
TSM.PWD will binary differ from the one from step 3, because the key, which
is dependent on hostname, is different)
9) The data are encrypted with 'secret' (the same as in step 4, regardless
of hostname).
10) On the next backup, stored password is decrypted with 'venus', and the
same password 'secret' is used for backup.

So you shouldn't worry about validity of your old backups as long as you
use the same encryption password and you deleted/renamed TSM.PWD when
changing the hostname.

The problems come when someone changes the hostname but does not delete
TSM.PWD. In the example above, a backup following the hostname change will
try to decrypt stored password with 'venus' and will get an incorrect
result (because 'secret' was originally encrypted with 'mercury'!), so the
new backups will be using some garbage encryption key, and it would be
really hard to restore the new data correctly if TSM.PWD is lost or if the
restore happens on a different machine.

Alexei


ADSM: Dist Stor Manager ADSM-L@VM.MARIST.EDU wrote on 07/27/2006
06:31:17 AM:

 Hi Alexei,

 thanks for your hint - now i come with a new question concerning the
 'restore' :
 Because nothing changes other than the 'hostname' of that linux system
...
 ... what about the data that has been backed up prior to the time
 I rename the hostname and reenter the 'encryption key password' ?

 Because I stay with 'encryptkey save' what happens when (some time)
 I may do a full restore of the '/home/' -Filespace ?

 Because this Filespace '/home/'  has data backed up that is encrypted
 with both encryption-key-usage of the old and the new 'hostname'
 ( but always the same 'tsm-Nodename' )
 ... will I be able to restore(and decrypt) all of it ?

 ... i fear to go into problems - Or do I have to start backup again
 from 'zero' - for example :
 by renaming  the filespace on the server
 at the time changing the hostname ?

 Thanks again for any hints !
 -- that is something really confusing to me :-|

 Rainer



 Alexei Kojenov schrieb:

  Rainer,
 
  You need to make TSM client prompt you for encryption key password on the
  next backup after you changed the hostname. The only way to do this is to
  rename/remove the existing TSM.PWD file (this is the file where TSM client
  stores its passwords). You should rename this file rather than delete it,
  in case you have problems and want to revert.
 
  Alexei
 
  ---
 
  Dear TSmers,
 
  we have tsmserver 5.3.3.2 /solaris and tsm-Client 5.3.4.0 /linux.
 
  On the Client we use tsm-encryption :
  The 'nodename' Option is set in the dsm.sys and also the
  'encryptkey save' Option is set  and  'encryptiontype AES128' is also set.
  The inclexc-File contains a line like 'include.encrypt *'
  So far anything runs fine :-)
 
  Problem: Next week we have to change the 'hostname' of that linux-server.
  The Question now is : - if any - what steps are to be done at the
  tsm-Client ?
  ... and even at the tsm-server ?
  The (tsm)nodename won't be changed.
  Do I need the TSM-Client in a manual way give once again the
  encryption-key password to let the encryption-key be generated ?
  Or is there nothing to be done at the Client ?
 
  I have looked through the lists and docs and haven't found any
  'procedures' for that scenario - just pointers to dependencies on the
  system's hostname.
 
  Thanks in advance for any hints , recipe or links ... !
  Rainer
 
 
  --
 

  Rainer Wolf  eMail:   [EMAIL PROTECTED]
  kiz - Abt. Infrastruktur   Tel/Fax:  ++49 731 50-22482/22471
  Universitaet Ulm wwweb:http://kiz.uni-ulm.de
 
 

 --
 
 Rainer Wolf  eMail:   [EMAIL PROTECTED]
 kiz - Abt. Infrastruktur   Tel/Fax:  ++49 731 50-22482/22471
 Universitaet Ulm wwweb:http://kiz.uni-ulm.de
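
The ten steps and the failure case from Alexei's explanation above, modelled as an added example (not part of any list message and not TSM's own code). The hostname-keyed XOR wrap, the SHA-256 key derivation and the HMAC check are stand-in assumptions, since the thread does not name the real algorithms; the checked variant shows the behaviour Rainer asks about, where a hostname mismatch is refused instead of silently producing a garbage key.

```python
import hashlib
import hmac

# Toy model only: the thread does not say which cipher or KDF TSM uses.

def keystream(hostname: str, n: int) -> bytes:
    """Hostname-dependent keystream (assumed stand-in for the local wrap key)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{hostname}:{counter}".encode()).digest()
        counter += 1
    return out[:n]

def wrap(password: bytes, hostname: str) -> bytes:
    """Steps 3/8: what gets written to the (modelled) TSM.PWD."""
    return bytes(p ^ k for p, k in zip(password, keystream(hostname, len(password))))

def unwrap(blob: bytes, hostname: str) -> bytes:
    """Steps 5/10: no integrity check, so a wrong hostname returns garbage silently."""
    return wrap(blob, hostname)  # XOR is its own inverse

def data_key(password: bytes) -> bytes:
    """Steps 4/9: the data key comes from the password alone (16 bytes, AES128-sized)."""
    return hashlib.sha256(b"data-key:" + password).digest()[:16]

def wrap_checked(password: bytes, hostname: str) -> bytes:
    """Hardened variant (assumption): prepend an HMAC keyed by the hostname.
    This only detects a mismatch; the hostname is not a secret."""
    blob = wrap(password, hostname)
    mac_key = hashlib.sha256(b"mac:" + hostname.encode()).digest()
    return hmac.new(mac_key, blob, hashlib.sha256).digest() + blob

def unwrap_checked(record: bytes, hostname: str) -> bytes:
    """Refuse to return a password when the record was wrapped under another hostname."""
    tag, blob = record[:32], record[32:]
    mac_key = hashlib.sha256(b"mac:" + hostname.encode()).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, blob, hashlib.sha256).digest()):
        raise ValueError("stored key password does not match this hostname; re-enter it")
    return unwrap(blob, hostname)

def walkthrough() -> dict:
    original_key = data_key(b"secret")            # first backup on 'mercury'
    pwd_mercury = wrap(b"secret", "mercury")      # step 3

    # Steps 6-10: rename the host, remove the old file, re-enter the same password.
    pwd_venus = wrap(b"secret", "venus")
    key_after_reentry = data_key(unwrap(pwd_venus, "venus"))

    # Failure case: rename the host but keep the file written under 'mercury'.
    garbage = unwrap(pwd_mercury, "venus")
    key_from_stale_file = data_key(garbage)

    try:
        unwrap_checked(wrap_checked(b"secret", "mercury"), "venus")
        refused = False
    except ValueError:
        refused = True

    return {
        "pwd_file_differs": pwd_mercury != pwd_venus,
        "old_backups_still_readable": key_after_reentry == original_key,
        "stale_file_gives_same_key": key_from_stale_file == original_key,
        "checked_load_refused": refused,
    }

if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```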


Re: Using tsm-encryption and want to change the hostname at the Client

2006-07-27 Thread Rainer Wolf

Hi Alexei,

thanks for your hint - now i come with a new question concerning the 'restore' :
Because nothing changes other than the 'hostname' of that linux system ...
... what about the data that has been backed up prior to the time
I rename the hostname and reenter the 'encryption key password' ?

Because I stay with 'encryptkey save' what happens when (some time)
I may do a full restore of the '/home/' -Filespace ?

Because this Filespace '/home/'  has data backed up that is encrypted
with both encryption-key-usage of the old and the new 'hostname'
( but always the same 'tsm-Nodename' )
... will I be able to restore(and decrypt) all of it ?

... i fear to go into problems - Or do I have to start backup again
from 'zero' - for example :
by renaming  the filespace on the server
at the time changing the hostname ?

Thanks again for any hints !
-- that is something really confusing to me :-|

Rainer



Alexei Kojenov schrieb:


Rainer,

You need to make TSM client prompt you for encryption key password on the
next backup after you changed the hostname. The only way to do this is to
rename/remove the existing TSM.PWD file (this is the file where TSM client
stores its passwords). You should rename this file rather than delete it,
in case you have problems and want to revert.

Alexei

---

Dear TSmers,

we have tsmserver 5.3.3.2 /solaris and tsm-Client 5.3.4.0 /linux.

On the Client we use tsm-encryption :
The 'nodename' Option is set in the dsm.sys and also the
'encryptkey save' Option is set  and  'encryptiontype AES128' is also set.
The inclexc-File contains a line like 'include.encrypt *'
So far anything runs fine :-)

Problem: Next week we have to change the 'hostname' of that linux-server.
The Question now is : - if any - what steps are to be done at the
tsm-Client ?
... and even at the tsm-server ?
The (tsm)nodename won't be changed.
Do I need the TSM-Client in a manual way give once again the
encryption-key password to let the encryption-key be generated ?
Or is there nothing to be done at the Client ?

I have looked through the lists and docs and haven't found any
'procedures' for that scenario - just pointers to dependencies on the
system's hostname.

Thanks in advance for any hints , recipe or links ... !
Rainer


--

Rainer Wolf  eMail:   [EMAIL PROTECTED]
kiz - Abt. Infrastruktur   Tel/Fax:  ++49 731 50-22482/22471
Universitaet Ulm wwweb:http://kiz.uni-ulm.de




--

Rainer Wolf  eMail:   [EMAIL PROTECTED]
kiz - Abt. Infrastruktur   Tel/Fax:  ++49 731 50-22482/22471
Universitaet Ulm wwweb:http://kiz.uni-ulm.de


Re: Using tsm-encryption and want to change the hostname at the Client

2006-07-25 Thread Alexei Kojenov
Rainer,

You need to make TSM client prompt you for encryption key password on the
next backup after you changed the hostname. The only way to do this is to
rename/remove the existing TSM.PWD file (this is the file where TSM client
stores its passwords). You should rename this file rather than delete it,
in case you have problems and want to revert.

Alexei

---

Dear TSmers,

we have tsmserver 5.3.3.2 /solaris and tsm-Client 5.3.4.0 /linux.

On the Client we use tsm-encryption :
The 'nodename' Option is set in the dsm.sys and also the
'encryptkey save' Option is set  and  'encryptiontype AES128' is also set.
The inclexc-File contains a line like 'include.encrypt *'
So far anything runs fine :-)

Problem: Next week we have to change the 'hostname' of that linux-server.
The Question now is : - if any - what steps are to be done at the
tsm-Client ?
... and even at the tsm-server ?
The (tsm)nodename won't be changed.
Do I need the TSM-Client in a manual way give once again the
encryption-key password to let the encryption-key be generated ?
Or is there nothing to be done at the Client ?

I have looked through the lists and docs and haven't found any
'procedures' for that scenario - just pointers to dependencies on the
system's hostname.

Thanks in advance for any hints , recipe or links ... !
Rainer


--

Rainer Wolf  eMail:   [EMAIL PROTECTED]
kiz - Abt. Infrastruktur   Tel/Fax:  ++49 731 50-22482/22471
Universitaet Ulm wwweb:http://kiz.uni-ulm.de


Using tsm-encryption and want to change the hostname at the Client

2006-07-24 Thread Rainer Wolf

Dear TSmers,

we have tsmserver 5.3.3.2 /solaris and tsm-Client 5.3.4.0 /linux.

On the Client we use tsm-encryption :
The 'nodename' Option is set in the dsm.sys and also the
'encryptkey save' Option is set  and  'encryptiontype AES128' is also set.
The inclexc-File contains a line like 'include.encrypt *'
So far anything runs fine :-)

Problem: Next week we have to change the 'hostname' of that linux-server.
The Question now is : - if any - what steps are to be done at the tsm-Client ?
... and even at the tsm-server ?
The (tsm)nodename won't be changed.
Do I need the TSM-Client in a manual way give once again the
encryption-key password to let the encryption-key be generated ?
Or is there nothing to be done at the Client ?

I have looked through the lists and docs and haven't found any
'procedures' for that scenario - just pointers to dependencies on the
system's hostname.

Thanks in advance for any hints , recipe or links ... !
Rainer


--

Rainer Wolf  eMail:   [EMAIL PROTECTED]
kiz - Abt. Infrastruktur   Tel/Fax:  ++49 731 50-22482/22471
Universitaet Ulm wwweb:http://kiz.uni-ulm.de


Re: TSM Encryption

2002-09-27 Thread Jelinek, David G.

Unfortunately no, we have been searching and can not find in the HIPAA documentation 
the level of encryption required, just that it is required.

David Jelinek 



 -Original Message-
 I would recommend that you open a requirement against the product for
 stronger encryption.  By the way, what are the HIPAA 
 requirements as they
 relate to data encryption?  Are these well documented?





TSM Encryption

2002-09-26 Thread Jim Sporer

Does anyone know what level of encryption is done when using the INCLUDE
ENCRYPTION option in your dsm.opt file?  Is it DES, triple DES or what?
Jim Sporer
[EMAIL PROTECTED]



Re: TSM Encryption

2002-09-26 Thread Jim Smith

Jim,

The TSM Backup/Archive client uses 56-bit DES encryption.

Thanks,
Jim Smith
TSM Development


Does anyone know what level of encryption is done when using the INCLUDE
ENCRYPTION option in your dsm.opt file?  Is it DES, triple DES or what?
Jim Sporer
[EMAIL PROTECTED]



Re: TSM Encryption

2002-09-26 Thread Jim Sporer

Jim,
Thanks for the info.
Jim Sporer

At 10:32 AM 9/26/2002 -0700, you wrote:
Jim,

The TSM Backup/Archive client uses 56-bit DES encryption.

Thanks,
Jim Smith
TSM Development

 
Does anyone know what level of encryption is done when using the INCLUDE
ENCRYPTION option in your dsm.opt file?  Is it DES, triple DES or what?
Jim Sporer
[EMAIL PROTECTED]



Re: TSM Encryption

2002-09-26 Thread Jim Sporer

Hello Jim

Follow up question,

Can you ask if there is any way for us to get clients that do stronger
encryption, eg tripledes?  If not, are there plans in the future to offer
strong encryption?  This relates to the HIPAA requirements that are coming.

Thanks again.
Jim Sporer


At 10:32 AM 9/26/2002 -0700, you wrote:
Jim,

The TSM Backup/Archive client uses 56-bit DES encryption.

Thanks,
Jim Smith
TSM Development

 
Does anyone know what level of encryption is done when using the INCLUDE
ENCRYPTION option in your dsm.opt file?  Is it DES, triple DES or what?
Jim Sporer
[EMAIL PROTECTED]



Re: TSM Encryption

2002-09-26 Thread Jim Smith

Jim,

I would recommend that you open a requirement against the product for
stronger encryption.  By the way, what are the HIPAA requirements as they
relate to data encryption?  Are these well documented?

Thanks,
Jim Smith
TSM development





Hello Jim

Follow up question,

Can you ask if there is any way for us to get clients that do stronger
encryption, eg tripledes?  If not, are there plans in the future to offer
strong encryption?  This relates to the HIPAA requirements that are
coming.

Thanks again.
Jim Sporer


At 10:32 AM 9/26/2002 -0700, you wrote:
Jim,

The TSM Backup/Archive client uses 56-bit DES encryption.

Thanks,
Jim Smith
TSM Development

 
Does anyone know what level of encryption is done when using the INCLUDE
ENCRYPTION option in your dsm.opt file?  Is it DES, triple DES or what?
Jim Sporer
[EMAIL PROTECTED]



TSM Encryption, Again :)

2002-06-05 Thread Pétur Eyþórsson

Hi everyone.

For those who don't remember this discussion a few months ago, here is an
update.

A few months ago we had a chance to offer TSM to one of the largest companies
here. Soon it became obvious that security was a large concern to them.
They asked a lot of encryption questions which we couldn't answer right
away. So there were some long and helpful discussions about this issue here
on adsm.org.

We gave them the information they wanted and they agreed to take TSM as
their backup system.

I would like to thank those of you who answered the previous posts; a lot of our
success and win are because of your help and ideas.


Now the implementation is well on its way.

The security team has been reading up on the security issue in TSM; they
have found that the 56 bit DES encryption protocol isn't good enough for
them.  They want to have 3 DES or AES.

They are willing to implement it themselves in TSM if Tivoli will let them.

I have one question for you geniuses out there.

Are there any others who need this kind of security out there?

Any feedback is greatly appreciated




Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer

[EMAIL PROTECTED]

 Nyherji Hf  Simi TEL: +354-569-7700
 Borgartun 37105 Iceland
 URL:http://www.nyherji.is



TSM Encryption Setup Process ??

2002-05-06 Thread Simon Browne

Hi There,

Just wondering if anybody has written or knows of a step-by-step guide to
implementing TSM encryption for backup and archive ??

As noticed by somebody else in this list the documentation for this
function in the manuals is extremely light.

Even a quick process outline by someone who has implemented TSM encryption
would be appreciated.

Thanks,
Simon  Browne
Technical Specialist (Storage)
Strategic Outsourcing

IBM (NZ) Ltd.

Telephone: +64 4 5769787 extn. 9787
Facsimile: +64 4 5765808 extn. 5808
IBM e-mail: [EMAIL PROTECTED]
