TSM Backup Client Data Encryption

In TSM 5.4+, there is an option for backup encryption. Unlike SSL encryption, the data is stored on the server in an encrypted format. So, your tapes are finally, really, secure. Without paying for encryption capable libraries and drives. I always thought it was kind of lame of IBM to say that the TSM backup takes are useless without the TSM database. It looks to me like the data is in the clear on the tape, there’s no reason you couldn’t read the whole tape into a huge file and text search it if you really wanted it bad enough.

WARNING: If you lose your encryption pass phrase, the data is un-recoverable from TSM. Really. Gone. For good. You can save the key to the server in the TSM database (that’s what I’m doing), or you can just make REALLY sure you have it safely documented. Oh, and this will break your de-duplication because the data is encrypted as far as the server is concerned. It’s only de-crypted on the client in the event of a restore.

This is SUPER, and I do mean SUPER simple to setup. Just add this to your client option file:

ENCRYPTKEY generate

You can also specify prompt (which will prompt every time), or save (which will save the passphrase to a file on the client). If you specify generate, a pass-phrase will to automatically generated, and store on the TSM server. The encryption type is AES128 be default, but you can over-ride it and use DES56. The only reason I can think of to use DES56 is for performance.

There are 2 new include/exclude options too:

Exclude.Encryption
Include.Encryption

By default NO data is encrypted, so you’ll have to use the Include.Encryption option to add directories and files. IBM isn’t recommending you encrypt OS system files because of the possibility that you might lose your encryption pass-phrase file and not be able to restore. There are a couple of things you can do to mediate this. You can use the “ENCRYPTIONKEY generate” option, so the passphrase is in the TSM database. If you still don’t feel safe about that, you can only encrypt the really sensitive files like /etc/security/passwd. Or, you can enable SSL to encrypt the data over the wire, and only encrypt the sensitive application data (which doesn’t encrypt the data on the actual TSM server media).

Oh, and if you lose the encryption key the data is NOT RECOVERABLE. No, really, they mean it.

Leave a Reply

Your email address will not be published. Required fields are marked *