No one addressed BRMS, so I will. BRMS will encrypt tapes as it writes them. It's incredibly easy to set up and knowing how it's set up makes it transportable to DR sites etc.
It requires the Advanced portion of BRMS (while you're at it, add the Network piece too), which is dirt cheap and won't affect maintenance much at all (a couple of dollars a year). Adding all three pieces gives you the ability to use the Enterprise portion of BRMS, which is nice to keep all the parts moving together.
Upsides: Easy to set up and maintain
Easy to move tapes between partitions, say production and development
Downsides: Uses CPU on the partition to do the encryption. This can cause backups to run longer.
BRMS also encrypts all the tapes the same, whereas when the tape library does it, each tape is encrypted differently. That only matters if your level of paranoia is quite high. (High paranoia is a good thing when it comes to computer security.)
Also, for the tape library to do encryption it must have the correct feature codes on it, so just getting SKLM going does not provide for encryption. We always order tape libraries with the encryption feature code, so our customers never even question it, but most of the devices I've seen out there do not have it.
Another problem with device-level encryption: you MUST KNOW how to set up the DR site with the same equipment and encryption capabilities. YOU MUST have the keys etc. available. If not, all you have is worthless, very expensive mylar tape you can let the kids play with.
--
Jim Oberholtzer
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> On Behalf Of Denis Robitaille
Sent: Monday, October 29, 2018 7:42 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: RE: Tape Backup encryption
Hello,
We use SKLM here with a TS3500 tape library.
Here is how it works here.
The SKLM server (Windows-based) generates, serves and keeps the encryption keys. New sets of keys are generated at fixed intervals and old sets are kept for several years according to our governance rules.
In the TS3500 configuration, the tape drives that we want to work with encryption are configured to ask the SKLM server (through its IP address) for an encryption key.
During backup, the TS3500 receives the data from the IBM i and encrypts it using the key provided by SKLM. On the tape, the ID of the key is written automatically along with the encrypted data.
During a restore, the key ID is retrieved. The TS3500 asks the SKLM server for the corresponding key and is then able to decrypt the tape during the restore.
If you go that way, make sure that your SKLM server is well protected (we have 1 master and 2 slaves located in different data centers). If you lose your keys, your tapes will become useless.
Hope this helps
Denis Robitaille
IT Service Manager – Enterprise Solutions, Infrastructure and Operations
CASCADES CENTRE DES TECHNOLOGIES
412 Marie Victorin
Kingsey Falls (Québec) Canada J0A 1B0
Tel: 819 363 6100 Ext.: 52130
Cell : 819 352 9362
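The key-ID flow described in the message above, modelled as an added example; it is not part of the original thread and is not SKLM or TS3500 code. `KeyServer`, `Tape`, the key IDs and the volume names are hypothetical, and the SHA-256 keystream is a stand-in for the drive's hardware encryption.

```python
import hashlib
import os
from dataclasses import dataclass, field

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream); real drives use hardware AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

@dataclass
class KeyServer:
    """Hypothetical key manager: keeps keys by ID and rotates the current one."""
    keys: dict = field(default_factory=dict)  # key_id -> key bytes
    current: str = ""

    def rotate(self, key_id: str) -> None:
        self.keys[key_id] = os.urandom(32)
        self.current = key_id

@dataclass
class Tape:
    volume: str
    key_id: str  # stored beside the ciphertext so a restore knows which key to request
    nonce: bytes
    data: bytes

def backup(server: KeyServer, volume: str, plaintext: bytes) -> Tape:
    key_id, nonce = server.current, os.urandom(16)
    return Tape(volume, key_id, nonce, xor_stream(server.keys[key_id], nonce, plaintext))

def restore(server: KeyServer, tape: Tape) -> bytes:
    # Raises KeyError if this server no longer holds (or never received) the key.
    return xor_stream(server.keys[tape.key_id], tape.nonce, tape.data)

def unrecoverable(server: KeyServer, tapes: list) -> list:
    """Volumes whose key ID the given key server (e.g. the DR copy) cannot serve."""
    return [t.volume for t in tapes if t.key_id not in server.keys]

if __name__ == "__main__":  # constructed key IDs, volumes and data
    prod = KeyServer()
    prod.rotate("K-2018Q3")
    old = backup(prod, "VOL001", b"month-end save")
    prod.rotate("K-2018Q4")
    new = backup(prod, "VOL002", b"nightly save")
    dr = KeyServer(keys={"K-2018Q4": prod.keys["K-2018Q4"]})  # DR copy lacks the old key
    print(restore(prod, old), unrecoverable(dr, [old, new]))
```

Running `unrecoverable` against the DR site's key copy before a disaster test shows which volumes could not be read there.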
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> On Behalf Of Gad Miron
Sent: October 28, 2018 10:18
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Tape Backup encryption
Hello Pundits
An auditor has visited us lately and suggested we encrypt backup tapes sent to an external facility.
Tape is a 3580 LTO7, machine is P9 7.3.
I've found here
https://www-01.ibm.com/support/docview.wss?uid=nas8N1021280
http://www-01.ibm.com/support/docview.wss?uid=nas8N1017856
that the 3580 tape is capable of hardware encryption/decryption if you configure it with something known as SKLM.
I've noticed that the A/M SKLM is a Windowz/Linux tool, not an IBMi one.
Now, how does a Windowz/Linux tool cause a 3580 tape connected to IBMi to encrypt/decrypt?
Any help will be greatly appreciated
Gad