8.7 Securing TSM Client data with Encryption and SSL technologies

To ensure the security of the backed up data, the Tivoli Storage Manager client implements an encryption function. With this function, you can encrypt the data before sending it to the Tivoli Storage Manager server.

TSM Client Data Encryption

The user can chooses the files that are subject to encryption with include-exclude processing. All files that match the pattern on the include.encrypt specification undergo encryption. The encryption processing is the final task on the client system before the data goes to the server. Other client operations, such as compression, occur before encryption.
Encryption uses a simple key management system, which means that the user either must remember the encryption key password during restore operation or store it locally on the client system. Encryption works for both backup and archive operations.

Encryption is a CPU-intensive process. The encryption process requires additional computing requirements on the client CPU. Carefully decide which data items need encryption, and control them by using the include-exclude statements. The administrator has the option to overwrite client selections by using client options sets.

Also Read: Limitations of using TSM Tape Drive Encryption

Problems can occur with the simple key management scheme, especially in the case of long-term archiving of data. If data is archived with encryption, organizational rules must ensure that the encryption key password remains available for retrieval. Cyclic password changes or lack of external password management can cause situations in which data cannot be retrieved successfully.

When restoring data by using the scheduling function, files might not be restored because the needed encryption key password is not stored locally (PROMPT mode). Or the restored files might be encrypted with a different key than the stored encryption key password.

After the data is stored on the Tivoli Storage Manager server, it is unreadable. The include.encrypt option is the only way to enable encryption on the client.
include.encrypt /database/.../*.*

Place the encryptkey option in the client options file, either the dsm.opt file or the dsm.sys file. Use one of the following options to manage the key that file encryption uses
     encryptkey save
     encryptkey prompt
     encryptkey generate

With the SAVE option, the encryption key password is saved in the Tivoli Storage Manager client’s password file. A prompt is issued for the initial encryption key password. After the initial prompt, the encryption key password that is saved in the password file is used for backups and archives that match the include.encrypt specification.

Also Read: 15 tips to efficiently use the tape drive resources

With the PROMPT option, you manage the encryption key password. You are prompted for the encryption key password when the Tivoli Storage Manager client begins a backup or archive operation. A prompt for the same key is issued when restoring or retrieving the encrypted file.

With the GENERATE option, an encryption key password is dynamically generated when the Tivoli Storage Manager client begins a backup or archive. This generated key password is used for the backups of files that match the include.encrypt specification. The generated key password is kept on the Tivoli Storage Manager server in an encrypted form. The key password is returned to the Tivoli Storage Manager client for decryption during restore and retrieve operations.

TSM Client Data Security (Secure Sockets Layer SSL)

You can use Secure Sockets Layer (SSL) to have another level of protection beyond passwords. Secure Sockets Layer (SSL) is the standard technology to create encrypted connections between servers and clients. SSL provides secure communications for servers and clients over open communications paths through the use of digital certificates.

You can use the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol to provide transport layer security for a secure connection between Tivoli Storage Manager servers, clients, and storage agents. If you send data between the server, client, and storage agent, use SSL or TLS to encrypt the data.

SSL is provided by the Global Security Kit (GSKit) that is installed with the Tivoli Storage Manager server that the server, client, and storage agent use. The Operations Center and Reporting agent do not use GSKit.

Also Read: Different types of libraries supported by IBM Spectrum Protect (TSM)

Each Tivoli Storage Manager server, client, or storage agent that enables SSL must use a trusted self-signed certificate or obtain a unique certificate that is signed by a certificate authority (CA). You can use your own certificates or purchase certificates from a CA. Either certificate can be installed and added to the key database on the Tivoli Storage Manager server, client, or storage agent. The certificate is verified by the SSL client or server that requests or initiates the SSL communication. SSL is set up independently on the Tivoli Storage Manager server, client, and storage agent.

You can set up SSL or TLS on the Tivoli Storage Manager server, backup-archive client, and storage agent to ensure that your data is encrypted during communication. You can use an SSL certificate to verify an SSL communication request between the server, client, and storage agent.

Check TSM infocenter  website for more details on how to configure Secure communication between clients and server using SSL.

0 Comment to "8.7 Securing TSM Client data with Encryption and SSL technologies"

Post a Comment