Thanks - that clears things up - a little bit - My question is, will the older EKM work with the TS3500? From what I have read in the TS3500 Planning Guide, it seems to imply it will.

On Thu, Apr 4, 2013 at 1:01 PM, Mike De Gasperis <mike.degaspe...@wowway.com> wrote:

> Forgot to include this link from IBM regarding their EKM support.
>
> http://www-01.ibm.com/support/docview.wss?uid=ssg1S4000504
>
> ----- Original Message -----
> Wanda,
>
> As always, thanks for the detailed explanation. However, it brings up lots
> of questions.
>
> >>> With externally-managed encryption, the keys are managed by the EKM.
>
> Since this would be hardware-based and encrypts everything, this is the way
> we would go.
>
> >>> You set the encryption mode on the library to library-managed. The EKM
> has to be run on a server. It is a pay-for product.
>
> Huh? I downloaded EKM from the IBM FTP site. It is Java based and nobody
> ever said anything about paying for it? As I understand it, in this
> scenario with our 3494 (soon to be replaced with a TS3500/3584), the "EKM
> server" has to talk to the tape library to get the keys from it
> (DRIVEE=ALLOW). When Googling, one doc/comment we saw the person simply
> installed it on the TSM server. My question, since I am running 7 servers,
> do I need multiple instances - one per TSM server or just one and it gets
> everything from the 3494? I am confused......
>
> >>> High learning curve. Lots of testing required to make sure you can
> recover.
>
> Agreed. We are still digging through the docs on just installing and
> implementing EKM and who connects to who and where......
>
> >>> You have to be careful about protecting the EKM; you have to recover
> the EKM at a DR site before you can read your tapes.
> (If you have a hot site, better to share the keys between the libraries.)
>
> More like a "lukewarm site" - I have an offsite vault/TSM server where the
> tapes are stored and daily each production TSM server does a DB backup to
> the offsite TSM server.
>
> >>> But with the EKM, your security group can control the key management,
> certificate changing, etc. And then DB backup tapes, EXPORT, and BACKUPSET
> tapes can be encrypted.
>
> This totally throws me off - I really need a "paint by numbers" diagram on
> how all the pieces connect - I have never dealt with encryption.....
>
> On Thu, Apr 4, 2013 at 12:10 PM, Prather, Wanda <wanda.prat...@icfi.com> wrote:
>
> > With externally-managed encryption, the keys are managed by the EKM.
> > TSM doesn't know it's happening.
> > You set the encryption mode on the library to library-managed.
> > The EKM has to be run on a server. It is a pay-for product.
> > But the cost of the software is trivial compared to the implementation
> > cost.
> > High learning curve. Lots of testing required to make sure you can
> > recover.
> >
> > You have to be careful about protecting the EKM; you have to recover the
> > EKM at a DR site before you can read your tapes.
> > (If you have a hot site, better to share the keys between the libraries.)
> > It is possible (not likely, but possible) to get yourself in a DR
> > situation where NOBODY, including IBM, can read those encrypted tapes.
> > Test, test, CYA, test.
> > But with the EKM, your security group can control the key management,
> > certificate changing, etc.
> > And then DB backup tapes, EXPORT, and BACKUPSET tapes can be encrypted.
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zfor...@vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html

--
*Zoltan Forray*
TSM Software & Hardware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html