In the given example for Oracle, all encryption keys are kept in the TSM database. So you will be able to decrypt data only if you have restored the TSM database. It is logical, because after losing the TSM database you are losing everything. I heard there are some tools to read TSM backups from tapes without a TSM Server. Of course you couldn't use them in case of encryption. We have tested DR solutions based on SAN online mirroring for the TSM database and based on restoring the TSM database from backup tapes. In both cases there were no problems with encrypted data. I think maintaining encryption keys in the TSM database is the best way. TSM supports different ways of keeping encryption keys, but they are much more complicated and, in my opinion, dangerous from a data loss point of view.

Grigori G. Solonovitch
Senior Technical Architect
Information Technology
Bank of Kuwait and Middle East
http://www.bkme.com
Phone: (+965) 2231-2274
Mobile: (+965) 99798073
E-Mail: g.solonovi...@bkme.com

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Fred Johanson
Sent: Tuesday, January 12, 2010 5:36 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Excrypting Exchange Data

Del, Grigori,

Thank you, this is very useful, especially as the subject was brought up in a meeting yesterday afternoon. What I couldn't answer then is whether it is possible to decrypt an ORACLE backup on a different machine, two possible instances being if the machine dies can the files be restored on a rebuilt machine or if the machine is retired are the backups available on the replacement with new name or OS?

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Grigori Solonovitch
Sent: Tuesday, January 12, 2010 6:16 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Excrypting Exchange Data

Unfortunately, I have no experience in encrypting TDP for Exchange backups. For Oracle database we are using:

1) in dsm.sys:

    Encryptiontype AES128
    Encryptkey generate
    InclExcl /backup/tsm/ba/InclExcl.list

2) in Include/Exclude list:

    include /ifns_ifns/.../* DBLPAR05

3) from activity log:

    ANE4991I (Session: 2536, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for Oracle: (4997220): =>(LPAR05_ORA) ANU2526I Backup details for backup piece /ifns_ifns///LPAR05/ifns.11.1.54535.1.708019250 (database "IFNSDB"). Total bytes sent: 6077546496. Total processing time: 00:08:05. Throughput rate: 12237.33Kb/Sec. Compressed: Yes , 59%. Encryption: AES_128BIT. LAN-Free: No.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Stefan Folkerts
Sent: Tuesday, January 12, 2010 2:58 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Excrypting Exchange Data

What is supposed to be a walk in the park (when reading the very limited amount of documentation on encryption in the protection for mail (exchange) documentation) is turning into a little bit of a headache. :)

I currently have my exchange dsm.opt set up like this:

    enableclientencryptkey yes
    encryptiontype AES128
    INCLUDE.ENCRYPT *\...\*

Also tried:

    include.encrypt "SERVERNAME\First Storage Group\...\*"

Doesn't change the situation, it still doesn't work. I get NO request for key input, I am 100% sure this is not done before and I cannot seem to see my error here... please somebody point me at the error in my ways!

It would be great if somebody could post his dsm.opt file for an encrypted Exchange server.

Regards,
Stefan
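
The activity log entry quoted in the thread is the evidence that a backup piece was really encrypted, so it can be checked mechanically. The following Python sketch is an added example, not part of the original posts or of TSM: it parses ANU2526I records and lists pieces whose Encryption field is not the expected value. The function names, the second log entry and its "Encryption: None" value are constructed assumptions.

```python
import re

# Constructed sample. The first entry is the one quoted in the thread, wrapped
# as a console would wrap it. The second entry is made up, and "Encryption: None"
# is an assumption about how an unencrypted piece would be reported.
SAMPLE_LOG = """\
ANE4991I (Session: 2536, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for
Oracle: (4997220): =>(LPAR05_ORA) ANU2526I Backup details for backup piece
/ifns_ifns///LPAR05/ifns.11.1.54535.1.708019250 (database "IFNSDB"). Total
bytes sent: 6077546496. Total processing time: 00:08:05. Throughput rate:
12237.33Kb/Sec. Compressed: Yes , 59%. Encryption: AES_128BIT. LAN-Free: No.
ANE4991I (Session: 2540, Node: EXAMPLE_ORA) TDP Oracle AIX ANU0599 TDP for
Oracle: (1111): =>(EXAMPLE_ORA) ANU2526I Backup details for backup piece
/example_fs///EXAMPLE/piece.1 (database "EXAMPLEDB"). Total bytes sent: 1024.
Compressed: No. Encryption: None. LAN-Free: No.
"""

PIECE = re.compile(r"ANU2526I Backup details for backup piece (\S+)")
NODE = re.compile(r"Node: ([^)\s]+)\)")
ENC = re.compile(r"Encryption:\s*(\w+)")

def backup_pieces(log_text):
    """Return one dict (node, piece, encryption) per ANU2526I record."""
    flat = " ".join(log_text.split())  # undo line wrapping inside records
    records = []
    for chunk in re.split(r"(?=ANE4991I )", flat):
        piece = PIECE.search(chunk)
        if not piece:
            continue  # not a backup-details record
        node = NODE.search(chunk)
        enc = ENC.search(chunk)
        records.append({
            "node": node.group(1) if node else None,
            "piece": piece.group(1),
            # None means the field was missing, which is also worth flagging
            "encryption": enc.group(1) if enc else None,
        })
    return records

def not_encrypted(log_text, expected="AES_128BIT"):
    """Backup pieces whose Encryption field is missing or differs from expected."""
    return [r for r in backup_pieces(log_text) if r["encryption"] != expected]

if __name__ == "__main__":
    for r in not_encrypted(SAMPLE_LOG):
        print(f"{r['node']}: {r['piece']} -> Encryption: {r['encryption']}")
```
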