Configuring Keyrings

General Considerations

Keyrings are groupings of DPX keys. These keys are used to derive actual encryption keys for data-encrypted jobs. Each key in a keyring is assigned to a period when it is applicable for backup and migrate jobs. At any time, only one key in a keyring is applicable. The other keys in a keyring, although retired, may still be needed for restore and migrate jobs.

A keyring, in turn, is a resource that gets assigned to an administrator group. See Assigning Resources and Privilege Classes. When a job is run, the administrator who creates that job must belong to an administrator group containing the keyring that holds the encryption key.

For restore jobs, the same key that was used for backup must be used for restoring the data. Keyring information is recorded along with an encrypted backup instance on the tape volume, so DPX knows which key to use for restore. As with other types of jobs, the keyring specified on the restored media must be assigned to the administrator who created the restore job.

For migrate jobs, the same key that would have been used for the original backup jobs is used for encryption. If an original backup job used encryption, then its data is not re-encrypted during migrate. This means that in order to encrypt the data during migrate, you must have created a keyring and a key before the original backup jobs were run.

Note. It is highly recommended that hardware compression on the tape devices be turned off if you intend to use migrate to create twin tapes after the backup has been completed. This is because encrypted data is hard to compress; thus the resulting data (on tape) will be much greater for the twin than the original if hardware compression is used. If the resulting data exceeds the storage capacity of the target tape, then the migrate job will fail.

The reason for multiple keys on a keyring is to mitigate the effect of compromising an existing key or losing a set of tapes. For example, if the key database is compromised (e.g., stolen), an administrator can simply generate a new key for each keyring to protect all future jobs. For another example, if a tape corresponding to a particular key is stolen, the administrator can generate a new key in its place and delete that previous key to prevent it from being compromised. Note that deleting a key effectively expunges all the backup instances that were encrypted with that key.

See also. For the latest system compatibility details regarding supported hardware, file systems, applications, operating systems, and service packs, see the DPX 4.10 Compatibility Matrix.

Encryption Considerations for Database Applications

Tape encryption of DB2 and Oracle backups requires editing the parameter file job_name.BEX (Windows) or sbt11cfg.BEX (UNIX) in the product directory and setting the following parameters:

BEX_EDOT

Values are N (no), B (both), O (original), T (twin).

BEX_ENCTYPE

Values are S (software) or H (hardware).

BEX_EKRN

Value is the keyring name.

Software Encryption versus Hardware Encryption

DPX provides AES 256-bit software encryption. However, certain tape devices can encrypt data at the hardware level. DPX supports hardware encryption for LTO tape drives of specific types and manufacturers.

See also. For the latest system compatibility details regarding supported hardware, file systems, applications, operating systems, and service packs, see the DPX 4.10 Compatibility Matrix.

Hardware encryption utilizes keyrings for backups and restores in the same way that software encryption does. A job option allows the user to indicate whether to use software or hardware encryption.

The following are additional considerations for hardware encryption:

  • The user is responsible for assuring the hardware encryption capabilities of their tape devices.

  • You can use one media pool for both types of tape devices (hardware encryption capable and hardware encryption incapable), but it is better to use separate media pools.

  • You can use the same keyring for jobs with software encryption or hardware encryption. However, there is a length limitation (10 bytes) for the keyring name in hardware encryption.

  • You cannot use the same tape for backup jobs with and without the hardware encryption option. DPX selects a suitable tape automatically.

  • To verify whether a tape is encrypted or not, use the utility tools/tapedump. First, run the program tapedump. Second, issue tape deviceName command. Third, issue open rdonly command. Fourth, issue read command several times. If you hit a read permission error, then the tape is encrypted.

Job Options

Data encryption is an option that can be enabled by setting the Encrypt Data job option when defining a file backup job.

See also. To read more about the encryption options and how to set them in File Backup jobs, go to Other Job Options for File Backup.

Last updated