How encryption works in IBM Tivoli Storage Manager (TSM) Server

It is often critical to secure client data, especially when that data might be of a sensitive nature. To ensure that data for off-site volumes is protected, IBM tape encryption technology is available. This technology uses a stronger level of encryption by requiring 256-bit Advanced Encryption Standard (AES) encryption keys. Keys are passed to the drive by a key manager to encrypt and decrypt data.

IBM tape technology supports different methods of drive encryption for the following devices:
  • IBM 3592 generation 2 and generation 3
  • IBM linear tape open (LTO) generation 4 and generation 5

Encryption types supported by TSM

TSM supports three types of Encryption Methods.

Also Read: Limitations of using TSM Tape Drive Encryption


Application Encryption
Encryption keys are managed by the application, in this case. Tivoli Storage Manager generates and stores the keys in the server database. Data is encrypted during WRITE operations, when the encryption key is passed from the server to the drive. Data is decrypted for READ operations.

But when using application encryption, you must take extra care to secure database backups because the encryption keys that are used to encrypt and decrypt data are stored in the server database. To restore your data, you must have the correct database backup and corresponding encryption keys to access your information. Ensure that you back up the database frequently and safeguard the backups to prevent data loss or theft. Anyone who has access to both the database backup and the encryption keys has access to your data.

Use application-managed encryption for only storage pool volumes. Other volumes such as backup-set tapes, export volumes, and database backups are not encrypted using the application method.

Library Encryption

Encryption keys are managed by the library. Keys are stored in an encryption key manager and provided to the drive. If you set up the hardware to use the library encryption, you can use this method by setting the DRIVEENCRYPTION parameter in the device class definition to ALLOW. Only certain IBM libraries support IBM LTO-4 library encryption.

System Encryption

System encryption is available on AIX. Encryption keys that are provided to the drive are managed by the device driver or operating system and stored in an encryption key manager. If the hardware is set up to use system encryption, you can use this method by setting the DRIVEENCRYPTION parameter in the device class definition to ALLOW. 

Also Read: How to configure TSM Server Administrative Schedules ?

The methods of drive encryption that you can use with Tivoli Storage Manager are set up at the hardware level. Tivoli Storage Manager cannot control or change which encryption method is used in the hardware configuration. If the hardware is set up for the application encryption method, Tivoli Storage Manager can turn encryption on or off depending on the DRIVEENCRYPTION value on the device class. Drive encryption is supported only for Ultrium 4, Ultrium 5, and Ultrium 6 drives and media.



update deviceclass <deviceclassname> library=<libraryname> driveencryption=ON/ALLOW/EXTERNAL/OFF

Choosing an correct Encryption method for your backups

Deciding on which encryption method you want to use depends on how you want to manage your data. If you only want to encrypt storage pool volumes and eliminate some encryption processing on your system, the Application method should be enabled. This method allows Tivoli Storage Manager to manage the encryption keys. When using Application encryption, you must take extra care to secure database backups since the encryption keys are stored in the server database. Without access to database backups and matching encryption keys, you will not be able to restore your data.

If you want to encrypt all of your data in a particular logical library or encrypt data on more than just storage pool volumes, the System or Library method can be used. These methods are virtually transparent to the server. Tivoli Storage Manager is aware of them being used and displays informational messages when writing to an empty volume.


Also Read: Monitoring and Managing Tape Volumes

Library managed encryption allows you to control which volumes are encrypted through the use of their serial numbers. You can specify a range or set of volumes to encrypt. With Application managed encryption, you can create dedicated storage pools that only contain encrypted volumes. This way, you can use storage pool hierarchies and policies to manage the way data is encrypted.

The Library and System methods of encryption can share the same encryption key manager, which allows the two modes to be interchanged. However, this can only occur if the encryption key manager is set up to share keys. Tivoli Storage Manager cannot currently verify if encryption key managers for both methods are the same. Neither can Tivoli Storage Manager share or use encryption keys between the application method and either library or system methods of encryption.

To determine whether or not a volume is encrypted and which method was used, you can issue the QUERY VOLUME command with FORMAT=DETAILED. 


Also Read: Tape Library related Interview Questions

The encryptiontype option allows you to choose the algorithm for data encryption. The encryptiontype option allows you to use AES 128-bit data encryption, providing a stronger form of data encryption than DES 56-bit data encryption. The encryption type only affects backup and archive operations. Place this option in the dsm.sys file within a server stanza.



Encryptiontype AES128 (OR) DES56

There are three options for managing the key used to encrypt the files (prompt, save, and generate). All three options can be used with either the backup-archive client or the Tivoli Storage Manager API. Place this option in the dsm.sys file within a server stanza.


Encryptkey  save (OR) prompt (OR) generate

Changing encryption method and hardware configuration

If you want to change the encryption method for a given set of volumes, the volumes need to be returned to scratch status. Updating the parameter value will only affect empty volumes. For example, if you currently have Application managed encryption enabled, and you decide that you don't want encryption enabled at all, only empty volumes will be impacted by the change. Filling volumes will continue to be encrypted while new volumes will not. If you do not want currently filling volumes to continue being encrypted, the volume status should be changed to READONLY. This will ensure that Tivoli Storage Manager does not append any more encrypted data to the volumes. You can use the MOVE DATA command to transfer the data to a new volume after the update of the DRIVEENCRYPTION parameter. The data will then be available in an un-encrypted format.

When migrating from one hardware configuration to another, you will need to move your data from the old volumes to new volumes with new encryption keys and key managers. You can do this by setting up two logical libraries and storage pools (each with a different encryption method) and migrating the data from the old volumes to the new volumes. This will eliminate volumes that were encrypted using the original method.Assume that you have volumes that were encrypted using the Library method and you want to migrate to the Application method. Tivoli Storage Manager will be unable to determine which encryption keys are needed for data on these volumes because the library's encryption key manager stores these keys and Tivoli Storage Manager does not have access to them.

0 Comment to "How encryption works in IBM Tivoli Storage Manager (TSM) Server"

Post a Comment