My concerns with TSM based encryption are:

1) Since encrypted data does not compress well the TSM clients must do both the compression and encryption.
2) TSM compression and encryption can be a performance hit on the client increasing back-up time and further degrading performance during the backup period.
3) With TSM encryption the data is encrypted before it leaves the client so all copies of the data are encrypted.
4) With TSM encryption there are keys for each client that must be managed. This could mean hundreds-thousands of keys in some environments. I understand that TSM 5.3 does that management for you.
5) There is no simple way to encrypt data already backed up and on tape.

For these reasons I am investigating using an encryption appliance that sits transparently between the TSM server and the tape drives used to write offsite tapes:

1) The appliance does the compression & encryption in hardware so there is no performance hit to the clients.
2) Only the backup copies going off site are encrypted, it is not all or nothing.
3) There is only one set of encryption keys to manage.
4) Data already backed up and on tape can be encrypted using the "move data" command.
5) Stronger encryption than that provided by TSM is available.

H. Milton Johnson

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Henrik Wahlstedt
Sent: Wednesday, May 25, 2005 2:36 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: Encryption

Hi Eric,

Yes TSM can encrypt your data, both in 5.2 (des56) and 5.3 (aes 128). You add the lines in a client optionset or in dsm.opt.

    INCLUDE.ENCRYPT "c:\...\*"
    ENCRYPTKEY PROMPT or SAVE.

Check the client manuals for more information.

//Henrik

"Jones, Eric J" <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
2005-05-25 03:32
Please respond to "ADSM: Dist Stor Manager"
To: ADSM-L@VM.MARIST.EDU
cc: (bcc: Henrik Wahlstedt)
Subject: Encryption

Good Evening.

Running TSM 5.2.2 on AIX 5.2. Clients are a mix of Solaris 7,8,9 AIX 4.2, AIX 5.2, Windows NT, Windows 2000 and Windows 2003 most running TSM 5.2.2.

I've been reading the forums and was thinking I would probably not have to worry about this until now. I was asked to check and see what it would take to encrypt our data. I have 2 questions.

1: Is it a problem to use an encryption device to encrypt the data before it is sent to the TSM server? I know I would have to have the encryption key to restore the data but I was wondering if there were any problems that I would face.

2: Can TSM encrypt the data? I've read 1 article that indicated it was in TSM 5.3 but I did not see much on 5.2.2 which we are running.
Are there any potential problems with using TSM to encrypt if it is possible? I know if you lose the key you're done but other than that.

Thanks for all the help,
Eric
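
Concern 1 in the top reply of this thread (encrypted data does not compress well, so compression has to happen before encryption) can be measured directly. The following is an added example, not part of any post in the thread; the SHA-256 counter-mode keystream is a stand-in for a real cipher (it is not the DES56/AES128 that TSM uses), and the log-like sample data and key are constructed.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with a SHA-256 counter-mode keystream.

    Assumption for illustration only. Its output is statistically
    random-looking, which is the property that defeats compression.
    Applying it twice with the same key restores the input.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def stored_sizes(plaintext: bytes, key: bytes) -> dict:
    """Bytes that reach the storage pool under each ordering."""
    # Client compresses, then encrypts: redundancy is removed first.
    compress_then_encrypt = keystream_xor(key, zlib.compress(plaintext, 6))
    # Client encrypts, a later stage (e.g. drive compression) tries to
    # compress: the ciphertext has no redundancy left to exploit.
    encrypt_then_compress = zlib.compress(keystream_xor(key, plaintext), 6)
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def restore(blob: bytes, key: bytes) -> bytes:
    """Reverse the compress-then-encrypt path: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))


# Constructed sample: repetitive, log-like data typical of backup sets.
SAMPLE = b"".join(
    f"2005-05-25 03:{i % 60:02d} backup of /data/file{i:05d}.dat completed\n".encode()
    for i in range(5000)
)
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for name, size in stored_sizes(SAMPLE, KEY).items():
        print(f"{name:24s} {size:8d} bytes")
```
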