Re: don´t aynone know anything about Encryption in TSM.
than TSM-related, so please do it outside the list.

Zlatko

Please respond to ADSM: Dist Stor Manager [EMAIL PROTECTED]
Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: don´t aynone know anything about Encryption in TSM.

Hi,

I have posted this 2 times before here but haven't received a reply yet. This led me to believe that knowledge on this is very limited.

I have a big customer who is considering TSM for their backup system. However, they will need to take some of their backups offsite. They have extremely valuable data which may not get into the wrong hands.

I have been reading up on encryption in TSM and found it to be designed only to protect the data on the way to the TSM server. I found no info on whether the data would be encrypted in the storage pools.

My questions:

Is it possible to make a backup set and be sure no one can use it if it gets into the wrong hands (encrypt it somehow)?

How can an administrator be sure that no one can restore his copy storage pools? Is it possible to encrypt the data somehow?

Is it possible to password protect the TSM database, so that you can't restore it without a password?

In what way can they take offsite backups and be sure that their data is safe, even if the bad guys get the tapes?

Thanks in advance for any help.

Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37105 Iceland
URL:http://www.nyherji.is
RE: don´t aynone know anything about Encryption in TSM.
When I said that they have extremely valuable data, I mean that this genetic research company has the medical records, detailed information on people's relatives back to the Middle Ages, and the DNA codes of every person in this country. Now that's one juicy database. You guys can hopefully see now how critical this database is and how protection of it is essential.

This is what I have understood from you guys so far. Encryption in TSM is always done on the TSM B/A client; there you put a 56-bit encryption key on the data, which cannot be retrieved without the key. So they need to come up with some sort of disaster recovery plan regarding key retrieval if the system admins are unavailable.

If what you are saying, Kyle Sparger, is true, then this 56-bit key is probably not good enough for them. I am no expert in security and don't know much about hacking. I don't want to sound too paranoid, but then again, who knows. This database is the brain, the heart and the lung of the company; if it gets exposed, every employee there can start looking for a new job the same day.

Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37105 Iceland
URL:http://www.nyherji.is

-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Kyle Sparger
Sent: 4. april 2002 19:14
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

> (unless they can hack it, but then any encryption scheme is subject to hacking).

And this is a very important point. I could be wrong, but I seem to recall that TSM's encryption uses straight up DES, which uses a 56 bit key. It has been proven that very determined people can brute force 56 bit DES -- distributed.net, which utilizes idle time of thousands of computers, was able to do it in less than 24 hours. There are design specs available for theoretical computers which are supposed to be able to brute force 56 bit DES within minutes -- but the cost of these computers is generally considered prohibitively expensive.

However:

1. Consider the following -- KaZaa, a fairly popular napster-alike, has been piggybacking programs for awhile now, one of which is designed to allow remote users to utilize idle cycles on the computers it's installed on. KaZaa is used by thousands of users. Also, how many thousands of computers out there have been broken into, or are waiting to be broken into? All of these are sources of computing power that could be used to crack DES keys.

2. 'Prohibitively expensive' is relative. I've heard estimates that put the price of building such a computer at a little over $1B USD. But then, consider how many billions of dollars countries have spent launching spy satellites -- don't you think that they would spend just one more billion to be able to actually _use_ the encrypted information they intercepted? :)

And if Moore's Law holds true, I seem to recall estimates that place 56-bit key cracking in under a week at 2020-2030. Will your data still need to be secret then? :)

Basically, what I'm saying is, TSM's encryption is better than nothing, and is suitable for many purposes, but your original statement,

> They have extremely valuable data which may not get in the wrong hands.

... that indicates that this may not be suitable for your case :)

If you _really_ need to make sure people can't get it, you need to use a lot more than 56 bits. 128 is the bare minimum these days, and even that is starting to come under fire :)

-- Kyle Sparger
Re: don´t aynone know anything about Encryption in TSM.
> This is what I have understood from you guys so far. Encryption in TSM is always done on the TSM B/A client; there you put a 56-bit encryption key on the data, which cannot be retrieved without the key. So they need to come up with some sort of disaster recovery plan regarding key retrieval if the system admins are unavailable.

The 'always' above raises a potentially critical point that I don't think has been mentioned in this thread. I attended a Tivoli presentation on new features in TSM 4.1 which stated that only the Windows client would have encryption support. As far as I know, the Windows client is still the only one with encryption support.
Re: don´t aynone know anything about Encryption in TSM.
> When I said that they have extremely valuable data, I mean that this genetic research company has the medical records, detailed information on people's relatives back to the Middle Ages, and the DNA codes of every person in this country.

Um, that's spooky. I suspect it's an exaggeration since DNA contains so much information - the human genome contains 3 billion base pairs - that's 3G per person, likely uncompressible due to its pseudorandom nature. CIA World Fact Book has Iceland's population pegged at about 278,000 (July 2001). That's 834GB of data. Entirely possible, but still spooky.

> You guys can hopefully see now how critical this database is and how protection of it is essential.

Personally, I can't imagine a use for it, but I'm not a biotech geek. =)

> This is what I have understood from you guys so far. Encryption in TSM is always done on the TSM B/A client; there you put a 56-bit encryption key on the data, which cannot be retrieved without the key. So they need to come up with some sort of disaster recovery plan regarding key retrieval if the system admins are unavailable.

Availability of administrators is not the issue. You need to be able to recover any of the keys ever used for encrypting a backed up file.

> If what you are saying, Kyle Sparger, is true, then this 56-bit key is probably not good enough for them. I am no expert in security and don't know much about hacking. I don't want to sound too paranoid, but then again, who knows.

No, 56 bits is simply not enough. You need a more robust solution that integrates stronger encryption with the ability to encrypt the key used to encrypt the file, so that the key can be restored, if necessary, by the administrator. (Public key cryptography would be great for this - encrypt the key used to encrypt the data, and only the administrator's key can decrypt it. Keeping the administrator's key safe, now there's a challenge.)

> This database is the brain, the heart and the lung of the company; if it gets exposed, every employee there can start looking for a new job the same day.

Then you should recommend spending a considerable amount of money on protecting it with more modern tools. Did I mention the fact that I'm a consultant, and would love to see Iceland? *grin* @;^)

-JD.
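The arrangement suggested in the message above, encrypting each file's key to an administrator's public key so that it can be recovered later, sketched in Go as an added example. It is not part of the thread and not TSM's mechanism; AES-256-GCM, RSA-OAEP and the names `BackupObject`, `NewRecoveryKey`, `Seal` and `Recover` are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// BackupObject is a hypothetical record for one encrypted file version.
// It is not a TSM format; the type and field names are assumptions.
type BackupObject struct {
	Name       string // file name, bound to the ciphertext as associated data
	Nonce      []byte // per-object AES-GCM nonce
	Ciphertext []byte // file contents under a one-time 256-bit data key
	WrappedKey []byte // that data key, RSA-OAEP encrypted to the recovery key
}

// NewRecoveryKey creates the administrator's RSA key pair. The private half
// is the single secret to escrow; the public half can sit on every client.
func NewRecoveryKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM builds an AES-GCM instance for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random data key, then wraps that key
// with the recovery public key. The client keeps no long-term secret.
func Seal(pub *rsa.PublicKey, name string, plaintext []byte) (*BackupObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return &BackupObject{
		Name:       name,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(name)),
		WrappedKey: wrapped,
	}, nil
}

// Recover unwraps the data key with the recovery private key and decrypts.
// It returns an error for a wrong key or a modified or renamed object.
func Recover(priv *rsa.PrivateKey, obj *BackupObject) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, obj.WrappedKey, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong recovery key or altered object")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	if len(obj.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
}

func main() {
	admin, err := NewRecoveryKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data: two file versions backed up at different times.
	samples := [][2]string{{"records-v1.db", "constructed sample A"}, {"records-v2.db", "constructed sample B"}}
	for _, f := range samples {
		obj, err := Seal(&admin.PublicKey, f[0], []byte(f[1]))
		if err != nil {
			panic(err)
		}
		out, err := Recover(admin, obj)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d ciphertext bytes, recovered %q\n", obj.Name, len(obj.Ciphertext), out)
	}
}
```

Because every object carries its own wrapped key, a restore spanning files backed up on different dates needs only the one recovery private key, which is then the secret that has to be escrowed and protected.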
Re: don´t aynone know anything about Encryption in TSM.
Starting in 4.2, encryption is also supported on UNIX and NetWare.

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: [EMAIL PROTECTED]

The only dumb question is the one that goes unasked.
The command line is your friend.
Good enough is the enemy of excellence.

Thomas Denier [EMAIL PROTECTED]
Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED]
04/05/2002 07:45
Please respond to ADSM: Dist Stor Manager
To: [EMAIL PROTECTED]
cc:
Subject: Re: don´t aynone know anything about Encryption in TSM.

> This is what I have understood from you guys so far. Encryption in TSM is always done on the TSM B/A client; there you put a 56-bit encryption key on the data, which cannot be retrieved without the key. So they need to come up with some sort of disaster recovery plan regarding key retrieval if the system admins are unavailable.

The 'always' above raises a potentially critical point that I don't think has been mentioned in this thread. I attended a Tivoli presentation on new features in TSM 4.1 which stated that only the Windows client would have encryption support. As far as I know, the Windows client is still the only one with encryption support.
Re: don´t aynone know anything about Encryption in TSM.
In the DoD arena we prescribe to a security called FIPS-140. Basically, it requires encryption of all the network and a closed environment and extending beyond that is all the issues of vault certification and physical plant protection. Sounds like there has been no government classification placed on this data as yet, but I would bet it would come under some Privacy Act already in place. This is a legal question. Your business needs to get this right, otherwise you have no business. A top down exposures and mitigation need to be performed.

-Original Message-
From: Justin Derrick [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 05, 2002 9:47 AM
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

> When I said that they have extremely valuable data, I mean that this genetic research company has the medical records, detailed information on people's relatives back to the Middle Ages, and the DNA codes of every person in this country.

Um, that's spooky. I suspect it's an exaggeration since DNA contains so much information - the human genome contains 3 billion base pairs - that's 3G per person, likely uncompressible due to its pseudorandom nature. CIA World Fact Book has Iceland's population pegged at about 278,000 (July 2001). That's 834GB of data. Entirely possible, but still spooky.

> You guys can hopefully see now how critical this database is and how protection of it is essential.

Personally, I can't imagine a use for it, but I'm not a biotech geek. =)

> This is what I have understood from you guys so far. Encryption in TSM is always done on the TSM B/A client; there you put a 56-bit encryption key on the data, which cannot be retrieved without the key. So they need to come up with some sort of disaster recovery plan regarding key retrieval if the system admins are unavailable.

Availability of administrators is not the issue. You need to be able to recover any of the keys ever used for encrypting a backed up file.

> If what you are saying, Kyle Sparger, is true, then this 56-bit key is probably not good enough for them. I am no expert in security and don't know much about hacking. I don't want to sound too paranoid, but then again, who knows.

No, 56 bits is simply not enough. You need a more robust solution that integrates stronger encryption with the ability to encrypt the key used to encrypt the file, so that the key can be restored, if necessary, by the administrator. (Public key cryptography would be great for this - encrypt the key used to encrypt the data, and only the administrator's key can decrypt it. Keeping the administrator's key safe, now there's a challenge.)

> This database is the brain, the heart and the lung of the company; if it gets exposed, every employee there can start looking for a new job the same day.

Then you should recommend spending a considerable amount of money on protecting it with more modern tools. Did I mention the fact that I'm a consultant, and would love to see Iceland? *grin* @;^)

-JD.
Re: don´t aynone know anything about Encryption in TSM.
Hi Justin.

> Personally, I can't imagine a use for it, but I'm not a biotech geek. =)

They use this database for genetic research. There is one good thing about genetic research and Iceland, and that is that there are so few people here and we have documents about every birth since 1500 or so. This potential is extremely good for researching the relation between inherited diseases (like Alzheimer's, cancer) and the genes, so they can find the specific genes that produce those diseases. A few years ago the government approved this kind of research here for this firm. The press talked a lot about this and there were a lot of people who didn't like it, basically because they don't like to have so much information about them in some database where they are guinea pigs in a giant test lab.

Enough about that. I cannot go into details about their current security (not that I know much about it), but from what I have seen, their security is the best I have ever seen. Not even the national bank here has more security. You can only get into the server room if your eye is scanned by some x-ray machine and you have a specific password. Currently there are only 4 people who can get in there, I think. So that's not the problem; the problem is to sell them TSM. They are currently using HP OmniBack. They were asking a lot of questions about encryption in TSM and I didn't have all the answers for them, so that's why this conversation began.

Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37105 Iceland
URL:http://www.nyherji.is

-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Justin Derrick
Sent: 5. april 2002 14:47
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

> When I said that they have extremely valuable data, I mean that this genetic research company has the medical records, detailed information on people's relatives back to the Middle Ages, and the DNA codes of every person in this country.

Um, that's spooky. I suspect it's an exaggeration since DNA contains so much information - the human genome contains 3 billion base pairs - that's 3G per person, likely uncompressible due to its pseudorandom nature. CIA World Fact Book has Iceland's population pegged at about 278,000 (July 2001). That's 834GB of data. Entirely possible, but still spooky.

> You guys can hopefully see now how critical this database is and how protection of it is essential.

Personally, I can't imagine a use for it, but I'm not a biotech geek. =)

> This is what I have understood from you guys so far. Encryption in TSM is always done on the TSM B/A client; there you put a 56-bit encryption key on the data, which cannot be retrieved without the key. So they need to come up with some sort of disaster recovery plan regarding key retrieval if the system admins are unavailable.

Availability of administrators is not the issue. You need to be able to recover any of the keys ever used for encrypting a backed up file.

> If what you are saying, Kyle Sparger, is true, then this 56-bit key is probably not good enough for them. I am no expert in security and don't know much about hacking. I don't want to sound too paranoid, but then again, who knows.

No, 56 bits is simply not enough. You need a more robust solution that integrates stronger encryption with the ability to encrypt the key used to encrypt the file, so that the key can be restored, if necessary, by the administrator. (Public key cryptography would be great for this - encrypt the key used to encrypt the data, and only the administrator's key can decrypt it. Keeping the administrator's key safe, now there's a challenge.)

> This database is the brain, the heart and the lung of the company; if it gets exposed, every employee there can start looking for a new job the same day.

Then you should recommend spending a considerable amount of money on protecting it with more modern tools. Did I mention the fact that I'm a consultant, and would love to see Iceland? *grin* @;^)

-JD.
RE: don´t aynone know anything about Encryption in TSM.
Yeah, OK, sorry for my stupid question.

Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37105 Iceland
URL:http://www.nyherji.is

-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Justin Derrick
Sent: 3. apríl 2002 15:08
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

Um, why would you need the key? Your question is a little too vague to answer properly.

The key is only needed for two steps: encryption, and decryption (ie backup, then restore). Every other operation the TSM server does (store, copy, move, collocate, expire) is done with the encrypted files. The TSM server doesn't care what the contents of the file are, it just moves the files around according to the policies that have been defined.

Like I said previously -- this opens up the entire issue of a key repository -- if a user misplaces, forgets, or the key files on the individual's PC are destroyed, the data is *gone*. How do you back up key files when you don't trust your offsite storage to keep your data private? (Possible answer: back up your key files and send them to a different storage company.) But key management is another problem entirely.

-JD.

-JD.

Thanks to you all for your answers. But I just want to make one thing sure: I still need the encryption key for the backup sets if I back up the client with encryption?

Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37105 Iceland
URL:http://www.nyherji.is

-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Raibeck
Sent: 2. apríl 2002 15:45
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

There is no additional encryption performed by the TSM server. The encrypted data sent by the client remains, of course, encrypted when it is copied to a copy storage pool or backup set (or anywhere else in the TSM hierarchy). Files that were encrypted when they were backed up can not be restored without the encryption key. The encryption key is not stored on the TSM server. Therefore, someone intercepting the TSM server database and storage pool volumes could not restore the data without the encryption key (unless they can hack it, but then any encryption scheme is subject to hacking).

Except for TSM client encryption, there are no other TSM-enabled means of encrypting the data.

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: [EMAIL PROTECTED]

The only dumb question is the one that goes unasked.
The command line is your friend.
Good enough is the enemy of excellence.

Pétur Eyþórsson [EMAIL PROTECTED]
Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED]
04/02/2002 07:57
Please respond to ADSM: Dist Stor Manager
To: [EMAIL PROTECTED]
cc:
Subject: RE: don´t aynone know anything about Encryption in TSM.

My question was concerning 2 things.

If you use encryption, can't people who get hold of the TSM database and the copy storage pools restore the data, whether the data was backed up with encryption or not?

If you make a backup set from the backed-up data, is there encryption on that data? If not, is it possible to make the backup sets more secure?

I have read about encryption, which says that the data is encrypted before the data is sent to the TSM server. I haven't read anything about encryption of the actual TSM server data, whether the data uses encryption there or not.

It does not matter if the data is encrypted on the way to the TSM, it only matters if I can secure the data offsite? And I haven't read anything about that in TSM, only about encryption in TSM for clients.

Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37105 Iceland
URL:http://www.nyherji.is

-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Martin, Jon R.
Sent: 2. apríl 2002 14:36
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

In Petur's defense, I think he is trying to say he could not find anywhere that specifically said data in a Seq. Access Storage Pool, that goes offsite will be encrypted. I can't see where he
Re: don´t aynone know anything about Encryption in TSM.
My favorite scenario is the disgruntled employee: maintains critical corporate data on his system, backs it up using encryption, deletes the data from his system, then walks off holding the key hostage (paranoid, aren't I). There isn't any way to know somebody is out there using encryption. You can create a forced exclude.encrypt * entry in a client option set, but who thinks to do that?

The other issue is, what happens if the key is stolen? There is no way to change the password for existing backed up files. And if you change the key at the client, you wind up in a situation where a point in time restore will require different keys for files that were backed up at different dates.

_
William Mansfield
Senior Consultant
Solution Technology, Inc

Joshua S. Bassi [EMAIL PROTECTED]
Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED]
04/03/2002 05:28 PM
Please respond to ADSM: Dist Stor Manager
To: [EMAIL PROTECTED]
cc:
Subject: RE: don´t aynone know anything about Encryption in TSM.

Andy,

What could a customer do for DR of a client which lost its encryption key and needed to restore data from the TSM backup (encrypted)?

--
Joshua S. Bassi
Sr. Solutions Architect @ rs-unix.com
IBM Certified - AIX/HACMP, SAN, Shark
Tivoli Certified Consultant - ADSM/TSM
Cell (415) 215-0326

-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Raibeck
Sent: Tuesday, April 02, 2002 7:45 AM
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

There is no additional encryption performed by the TSM server. The encrypted data sent by the client remains, of course, encrypted when it is copied to a copy storage pool or backup set (or anywhere else in the TSM hierarchy). Files that were encrypted when they were backed up can not be restored without the encryption key. The encryption key is not stored on the TSM server. Therefore, someone intercepting the TSM server database and storage pool volumes could not restore the data without the encryption key (unless they can hack it, but then any encryption scheme is subject to hacking).

Except for TSM client encryption, there are no other TSM-enabled means of encrypting the data.

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: [EMAIL PROTECTED]

The only dumb question is the one that goes unasked.
The command line is your friend.
Good enough is the enemy of excellence.

Pétur Eyþórsson [EMAIL PROTECTED]
Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED]
04/02/2002 07:57
Please respond to ADSM: Dist Stor Manager
To: [EMAIL PROTECTED]
cc:
Subject: RE: don´t aynone know anything about Encryption in TSM.

My question was concerning 2 things.

If you use encryption, can't people who get hold of the TSM database and the copy storage pools restore the data, whether the data was backed up with encryption or not?

If you make a backup set from the backed-up data, is there encryption on that data? If not, is it possible to make the backup sets more secure?

I have read about encryption, which says that the data is encrypted before the data is sent to the TSM server. I haven't read anything about encryption of the actual TSM server data, whether the data uses encryption there or not.

It does not matter if the data is encrypted on the way to the TSM, it only matters if I can secure the data offsite? And I haven't read anything about that in TSM, only about encryption in TSM for clients.

Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37105 Iceland
URL:http://www.nyherji.is

-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Martin, Jon R.
Sent: 2. apríl 2002 14:36
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

In Petur's defense, I think he is trying to say he could not find anywhere that specifically said data in a Seq. Access Storage Pool, that goes offsite will be encrypted. I can't see where he says he read a document that says it is not encrypted.

Jon

-Original Message-
From: Jack Magill [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject: Re: don´t aynone know anything about Encryption in TSM.

Hi,

I was just wondering where you found the information stating that the data was only protected on the way to the server, but not on the server. Encryption is done by the client using an encryption key that it creates and since the key is never passed from client
Re: don´t aynone know anything about Encryption in TSM.
We aren't using encryption here - yet, nor have I used it in the past. It seems to me, with this specific scenario and the discussion in general about this in the last few days, that the main problem is - PROCEDURES. If you lose the key and therefore can't restore your data, then there should be key management as part of your DRM procedures. An Admin at some level should have/store it in electronic or hardcopy form in a safe place onsite, and at least one additional copy should be stored at an offsite vault. Just like when you change passwords etc., this information should be updated, so if all your Admins go to lunch in one car and ..., someone can get the passwords and get access to your systems! Also, no one should be using encryption unless some higher-level admin or manager knows about it and has the specific info. My 2 cents.

David B. Longo System Administrator Health First, Inc. 3300 Fiske Blvd. Rockledge, FL 32955-4305 PH 321.434.5536 Pager 321.634.8230 Fax: 321.434.5525 [EMAIL PROTECTED]

[EMAIL PROTECTED] 04/04/02 08:12AM

My favorite scenario is the disgruntled employee: maintains critical corporate data on his system, backs it up using encryption, deletes the data from his system, then walks off holding the key hostage (paranoid, aren't I). There isn't any way to know somebody is out there using encryption. You can create a forced exclude.encrypt * entry in a client option set, but who thinks to do that?

The other issue is, what happens if the key is stolen? There is no way to change the password for existing backed up files. And if you change the key at the client, you wind up in a situation where a point in time restore will require different keys for files that were backed up at different dates.

William Mansfield Senior Consultant Solution Technology, Inc
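The two key-management points in the message above (keep the client key in escrow onsite and at an offsite vault as part of DR procedures; after a key change, a point-in-time restore needs different keys for files backed up on different dates, and nobody may know a client is encrypting at all) can be checked with a small ledger. This Python code is an added example, not part of the thread and not TSM code; the catalog layout, the escrow record and every sample value are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import hashlib


def key_id(key: bytes) -> str:
    """Fingerprint used in the ledger so key material is never written to it."""
    return hashlib.sha256(key).hexdigest()[:12]


@dataclass(frozen=True)
class BackupVersion:          # hypothetical catalog row, not a TSM structure
    path: str
    backed_up: date
    key: Optional[str]        # fingerprint of the client key; None = not encrypted


@dataclass(frozen=True)
class EscrowEntry:            # hypothetical escrow record kept by the DR owner
    key: str                  # fingerprint of the escrowed key
    locations: frozenset      # where sealed copies of the key are held


def versions_at(catalog, when):
    """Newest version of each path backed up on or before `when`."""
    newest = {}
    for v in catalog:
        if v.backed_up > when:
            continue
        if v.path not in newest or v.backed_up > newest[v.path].backed_up:
            newest[v.path] = v
    return newest


def restore_plan(catalog, escrow, when):
    """Keys a point-in-time restore needs, and paths whose key is not in escrow."""
    escrowed = {e.key for e in escrow}
    needed, lost = set(), []
    for path, v in sorted(versions_at(catalog, when).items()):
        if v.key is None:
            continue
        needed.add(v.key)
        if v.key not in escrowed:
            lost.append(path)   # unrestorable if the client copy of the key is gone
    return needed, lost


def audit(catalog, escrow):
    """DR review findings: keys in use that nobody escrowed, escrow lacking a copy."""
    escrowed = {e.key for e in escrow}
    findings = []
    for k in sorted({v.key for v in catalog if v.key} - escrowed):
        findings.append(("key-not-escrowed", k))
    for e in escrow:
        if not {"onsite", "offsite"} <= e.locations:
            findings.append(("escrow-incomplete", e.key))
    return findings


# Constructed sample data: one key rotation and one key nobody recorded.
K_OLD = key_id(b"constructed-key-before-rotation")
K_NEW = key_id(b"constructed-key-after-rotation")
K_ROGUE = key_id(b"constructed-key-nobody-recorded")

CATALOG = [
    BackupVersion("/data/records.db", date(2002, 1, 10), K_OLD),
    BackupVersion("/data/records.db", date(2002, 3, 20), K_NEW),
    BackupVersion("/data/pedigree.db", date(2002, 1, 10), K_OLD),
    BackupVersion("/home/user/private.tar", date(2002, 3, 1), K_ROGUE),
    BackupVersion("/etc/hosts", date(2002, 3, 20), None),
]
ESCROW = [
    EscrowEntry(K_OLD, frozenset({"onsite", "offsite"})),
    EscrowEntry(K_NEW, frozenset({"onsite"})),   # offsite copy was never made
]

if __name__ == "__main__":
    needed, lost = restore_plan(CATALOG, ESCROW, date(2002, 3, 25))
    print("keys needed for restore:", sorted(needed))
    print("paths with no escrowed key:", lost)
    for kind, k in audit(CATALOG, ESCROW):
        print(kind, k)
```

A restore to a date after the rotation needs both the old and the new key, because files that did not change since the rotation are still stored under the old one.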
Re: don´t aynone know anything about Encryption in TSM.
(unless they can hack it, but then any encryption scheme is subject to hacking).

And this is a very important point. I could be wrong, but I seem to recall that TSM's encryption uses straight up DES, which uses a 56 bit key. It has been proven that very determined people can brute force 56 bit DES -- distributed.net, which utilizes idle time of thousands of computers, was able to do it in less than 24 hours. There are design specs available for theoretical computers which are supposed to be able to brute force 56 bit DES within minutes -- but the cost of these computers is generally considered prohibitively expensive. However:

1. Consider the following -- KaZaa, a fairly popular napster-alike, has been piggybacking programs for awhile now, one of which is designed to allow remote users to utilize idle cycles on the computers it's installed on. KaZaa is used by thousands of users. Also, how many thousands of computers out there have been broken into, or are waiting to be broken into? All of these are sources of computing power that could be used to crack DES keys.

2. 'Prohibitively expensive' is relative. I've heard estimates that put the price of building such a computer at a little over $1B USD. But then, consider how many billions of dollars countries have spent launching spy satellites -- don't you think that they would spend just one more billion to be able to actually _use_ the encrypted information they intercepted? :)

And if Moore's Law holds true, I seem to recall estimates that place 56-bit key cracking in under a week at 2020-2030. Will your data still need to be secret then? :)

Basically, what I'm saying is, TSM's encryption is better than nothing, and is suitable for many purposes, but your original statement, "They have extremely valuable data which may not get in the wrong hands." ... that indicates that this may not be suitable for your case :)

If you _really_ need to make sure people can't get it, you need to use a lot more than 56 bits. 128 is the bare minimum these days, and even that is starting to come under fire :)

-- Kyle Sparger
Re: don´t aynone know anything about Encryption in TSM.
Um, why would you need the key? Your question is a little too vague to answer properly.

The key is only needed for two steps: encryption, and decryption (i.e. backup, then restore). Every other operation the TSM server does (store, copy, move, collocate, expire) is done with the encrypted files. The TSM server doesn't care what the contents of the file are, it just moves the files around according to the policies that have been defined.

Like I said previously -- this opens up the entire issue of a key repository -- if a user misplaces, forgets, or the key files on the individual's PC are destroyed, the data is *gone*. How do you back up key files when you don't trust your offsite storage to keep your data private? (Possible answer: back up your key files and send them to a different storage company.) But key management is another problem entirely.

-JD.

Thank you all for your answers. But I just want to make one thing sure. I still need the Encryption key for the Backup Sets if I back up the client with Encryption?

Kvedja/Regards Petur Eythorsson Taeknimadur/Technician IBM Certified Specialist - AIX Tivoli Storage Manager Certified Professional Microsoft Certified System Engineer [EMAIL PROTECTED] Nyherji Hf Simi TEL: +354-569-7700 Borgartun 37105 Iceland URL:http://www.nyherji.is
RE: don´t aynone know anything about Encryption in TSM.
Andy,

What could a customer do for DR of a client which lost its encryption key and needed to restore data from the TSM backup (encrypted)?

-- Joshua S. Bassi Sr. Solutions Architect @ rs-unix.com IBM Certified - AIX/HACMP, SAN, Shark Tivoli Certified Consultant- ADSM/TSM Cell (415) 215-0326
Re: don´t aynone know anything about Encryption in TSM.
What could a customer do for DR of a client which lost its encryption key and needed to restore data from the TSM backup (encrypted).

Start guessing, I suppose. Other than that, they would be out of luck. Like I said below:

someone intercepting the TSM server database and storage pool volumes could not restore the data without the encryption key (unless they can hack it, but then any encryption scheme is subject to hacking).

While that was presumably in the context of someone illegitimately trying to access the data, that isn't really pertinent. No matter who is trying to access the data, legitimate or not, they won't be able to get the data without the encryption key. There is nothing we at IBM can do to get the data back, as we build no back doors into the product (if we did, that would be a potential security issue).

Someone else made a post on this topic and mentioned something about encryption key management. I am not familiar with the formalities of this discipline, but it seems to me that if you are going to start encrypting your TSM data, you should consider implementing policies for managing encryption keys.

Regards, Andy

Andy Raibeck IBM Software Group Tivoli Storage Manager Client Development Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS Internet e-mail: [EMAIL PROTECTED] The only dumb question is the one that goes unasked. The command line is your friend. Good enough is the enemy of excellence.
don´t aynone know anything about Encryption in TSM.
Hi, I have posted this 2 times before here but haven't received a reply yet. This led me to believe that knowledge on this is very limited.

I have a big customer who is considering TSM for their backup system. However, they will be needing to take some of their backup offsite. They have extremely valuable data which may not get in the wrong hands.

I have been reading up on Encryption in TSM and found it to be only designed to protect the data on the way to the TSM server. I found no info on whether the data would be Encrypted in the storage pools.

My question: Is it possible to make a Backupset, and be sure no-one can use it if it gets in the wrong hands (encrypt it somehow)? How can an administrator be sure that no-one can restore his copy-storage-pools? Is it possible to encrypt the data somehow? Is it possible to password protect the TSM Database, so that you can't restore it without a password? In what way can they take offsite backup and be sure that their data is safe, even if the bad guys get the tapes?

Thanks in advance for any help.

Kvedja/Regards Petur Eythorsson Taeknimadur/Technician IBM Certified Specialist - AIX Tivoli Storage Manager Certified Professional Microsoft Certified System Engineer [EMAIL PROTECTED] Nyherji Hf Simi TEL: +354-569-7700 Borgartun 37105 Iceland URL:http://www.nyherji.is
RE: don´t aynone know anything about Encryption in TSM.
Petur,

Although my knowledge is limited, my understanding is the data in the offsite storage pools can only be accessed by the TSM database which created them.

regards
Andy
Re: don´t aynone know anything about Encryption in TSM.
From where did you get your information about TSM encryption? When files are included for encryption, the data is encrypted when it is sent to the server. The server does not decrypt it before putting it in the storage pools.

Regards, Andy

Andy Raibeck IBM Software Group Tivoli Storage Manager Client Development Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS Internet e-mail: [EMAIL PROTECTED] The only dumb question is the one that goes unasked. The command line is your friend. Good enough is the enemy of excellence.
Re: don´t aynone know anything about Encryption in TSM.
Hi,

I was just wondering where you found the information stating that the data was only protected on the way to the server, but not on the server. Encryption is done by the client using an encryption key that it creates, and since the key is never passed from client to server, there is no way for the server to decrypt the data before storage. Please let me know, as I would like to look at the documentation.

Jack
Re: don´t aynone know anything about Encryption in TSM.
In Petur's defense, I think he is trying to say he could not find anywhere that specifically said data in a Seq. Access Storage Pool, that goes offsite will be encrypted. I can't see where he says he read a document that says it is not encrypted.

Jon
RE: don´t aynone know anything about Encryption in TSM.
My question was concerning 2 things. If you use Encryption, can't people who get a hold of the TSM Database and the Copy Storage Pools restore the data, whether the data was backed up with Encryption or not? If you make a backup set from the data backed up, is there Encryption on that data? If not, is it possible to make the backup sets more secure?

I have read about Encryption, which says that the data is Encrypted before the data is sent to the TSM Server. I haven't read anything about Encryption on the actual TSM server data, whether the data uses encryption there or not. It does not matter if the data is Encrypted on the way to the TSM, it only matters if I can secure the data offsite? And I haven't read anything about that in TSM, only about Encryption in TSM for clients.

Kvedja/Regards Petur Eythorsson Taeknimadur/Technician IBM Certified Specialist - AIX Tivoli Storage Manager Certified Professional Microsoft Certified System Engineer [EMAIL PROTECTED] Nyherji Hf Simi TEL: +354-569-7700 Borgartun 37105 Iceland URL:http://www.nyherji.is
Re: don´t aynone know anything about Encryption in TSM.
There is no additional encryption performed by the TSM server. The encrypted data sent by the client remains, of course, encrypted when it is copied to a copy storage pool or backup set (or anywhere else in the TSM hierarchy). Files that were encrypted when they were backed up can not be restored without the encryption key. The encryption key is not stored on the TSM server. Therefore, someone intercepting the TSM server database and storage pool volumes could not restore the data without the encryption key (unless they can hack it, but then any encryption scheme is subject to hacking). Except for TSM client encryption, there are no other TSM-enabled means of encrypting the data.
Regards, Andy Andy Raibeck IBM Software Group Tivoli Storage Manager Client Development Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS Internet e-mail: [EMAIL PROTECTED] The only dumb question is the one that goes unasked. The command line is your friend. Good enough is the enemy of excellence.
Pétur Eyþórsson [EMAIL PROTECTED] Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED] 04/02/2002 07:57 Please respond to ADSM: Dist Stor Manager To: [EMAIL PROTECTED] cc: Subject: RE: don´t aynone know anything about Encryption in TSM.
My question was concerning 2 things. If you use Encryption, can't people who get hold of the TSM Database and the Copy Storage Pools restore the data, whether the data was backed up with Encryption or not? If you make a backup set from the backed-up data, is there Encryption on that data? If not, is it possible to make the backup sets more secure? I have read about Encryption, which says that the data is Encrypted before the data is sent to the TSM Server. I haven´t read anything about Encryption on the actual TSM server data, whether the data uses encryption there or not. It does not matter if the data is Encrypted on the way to the TSM; it only matters if I can secure the data offsite. And I haven't read anything about that in TSM, only about Encryption in TSM for clients.
Kvedja/Regards Petur Eythorsson Taeknimadur/Technician IBM Certified Specialist - AIX Tivoli Storage Manager Certified Professional Microsoft Certified System Engineer [EMAIL PROTECTED] Nyherji Hf Simi TEL: +354-569-7700 Borgartun 37105 Iceland URL:http://www.nyherji.is
Re: don´t aynone know anything about Encryption in TSM.
My understanding from what I've read (I've never used it) is...
- Clients set an encryption key (password) on the files they'd like to protect.
- Files are sent to the TSM server, encrypted.
- The TSM server does NOT have the encryption key, although the key may be saved to disk on a client's system.**
- Files are stored on the TSM server's storagepools, encrypted.
- The TSM database is NOT encrypted during backups.
- Backups (copystoragepools) of the user data ARE encrypted, because the only version TSM has is encrypted.
- Restores on the user end REQUIRE the key that was used to encrypt the file, or else the data is lost forever.
** (Although, it can tell that you don't have the correct key, as evidenced by Message # ANS1469E, which is interesting, and probably a weakness, since your adversary will know if they got the correct key in a brute-force attack.)
To answer your question more directly... If someone were to 'steal' your tapes and restore the TSM server, they could do so successfully, but they could not decrypt your files without the original key. (Obviously, this doesn't include the possibility of cryptanalysis or brute-force attacks on the encryption method.)
The important part to remember is that you suddenly need a key management solution. Backing up your data securely isn't of much value if the only person in the organization who has the keys to those files finds themselves under the wheels of a bus.
Here's some suggested reading (TSM 4.1 Manuals): Installing the Clients, Chapter 8, under 'Encryptkey', and Include Options. (You're correct though, documentation on the Encryption methodology is sparse.)
If you really want to deeply immerse yourself in this, check out 'Applied Cryptography' and get a feeling for how complex the situation really is.
-JD.
RE: don´t aynone know anything about Encryption in TSM.
Thank you all for your answers. But I just want to make one thing sure: I still need the Encryption key for the Backup Sets if I back up the client with Encryption?
Kvedja/Regards Petur Eythorsson Taeknimadur/Technician IBM Certified Specialist - AIX Tivoli Storage Manager Certified Professional Microsoft Certified System Engineer [EMAIL PROTECTED] Nyherji Hf Simi TEL: +354-569-7700 Borgartun 37105 Iceland URL:http://www.nyherji.is
-----Original Message----- From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Raibeck Sent: 2. apríl 2002 15:45 To: [EMAIL PROTECTED] Subject: Re: don´t aynone know anything about Encryption in TSM.
There is no additional encryption performed by the TSM server. The encrypted data sent by the client remains, of course, encrypted when it is copied to a copy storage pool or backup set (or anywhere else in the TSM hierarchy). Files that were encrypted when they were backed up can not be restored without the encryption key. The encryption key is not stored on the TSM server. Therefore, someone intercepting the TSM server database and storage pool volumes could not restore the data without the encryption key (unless they can hack it, but then any encryption scheme is subject to hacking). Except for TSM client encryption, there are no other TSM-enabled means of encrypting the data.
Regards, Andy Andy Raibeck IBM Software Group Tivoli Storage Manager Client Development Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS Internet e-mail: [EMAIL PROTECTED] The only dumb question is the one that goes unasked. The command line is your friend. Good enough is the enemy of excellence.
Re: don´t aynone know anything about Encryption in TSM.
As I said below, files that were encrypted when they were backed up can not be restored without the encryption key. It does not matter from which media you do the restore. If you try to restore but do not have the encryption key, then you will not be able to restore the data, and IBM support will not be able to help you. There is no back door to decrypt the data. You need the encryption key.
Regards, Andy Andy Raibeck IBM Software Group Tivoli Storage Manager Client Development Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS Internet e-mail: [EMAIL PROTECTED] The only dumb question is the one that goes unasked. The command line is your friend. Good enough is the enemy of excellence.
Pétur Eyþórsson [EMAIL PROTECTED] Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED] 04/02/2002 10:12 Please respond to ADSM: Dist Stor Manager To: [EMAIL PROTECTED] cc: Subject: RE: don´t aynone know anything about Encryption in TSM.
Thank you all for your answers. But I just want to make one thing sure: I still need the Encryption key for the Backup Sets if I back up the client with Encryption?
Kvedja/Regards Petur Eythorsson Taeknimadur/Technician IBM Certified Specialist - AIX Tivoli Storage Manager Certified Professional Microsoft Certified System Engineer [EMAIL PROTECTED] Nyherji Hf Simi TEL: +354-569-7700 Borgartun 37105 Iceland URL:http://www.nyherji.is
Re: don´t aynone know anything about Encryption in TSM.
It's pretty clearly stated in the 3.7.3 and 4.1 tech guide (SG24-6110), page 56: ... data stored on the Tivoli Storage Manager server is encrypted and thus unreadable by any malicious administrators.
William Mansfield Senior Consultant Solution Technology, Inc 630 718 4238
Martin, Jon R. [EMAIL PROTECTED] Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED] 04/02/2002 08:35 AM Please respond to ADSM: Dist Stor Manager To: [EMAIL PROTECTED] cc: Subject: Re: don´t aynone know anything about Encryption in TSM.
In Petur's defense, I think he is trying to say he could not find anywhere that specifically said data in a Seq. Access Storage Pool, that goes offsite will be encrypted. I can't see where he says he read a document that says it is not encrypted. Jon