Keyrings are groupings of DPX keys. These keys are used to derive actual encryption keys for data-encrypted jobs. Each key in a keyring is assigned to a period when it is applicable for backup and migrate jobs. At any time, only one key in a keyring is applicable. The other keys in a keyring, although retired, may still be needed for restore and migrate jobs.
A keyring, in turn, is a resource that gets assigned to an administrator group. See Assigning Resources and Privilege Classes. When a job is run, the administrator who creates that job must belong to an administrator group containing the keyring that holds the encryption key.
For restore jobs, the same key that was used for backup must be used for restoring the data. Keyring information is recorded along with an encrypted backup instance on the tape volume, so DPX knows which key to use for restore. As with other types of jobs, the keyring specified on the restored media must be assigned to the administrator who created the restore job.
For migrate jobs, the same key that would have been used for the original backup jobs is used for encryption. If an original backup job used encryption, then its data is not re-encrypted during migrate. This means that in order to encrypt the data during migrate, you must have created a keyring and a key before the original backup jobs were run.
Note. It is highly recommended that hardware compression on the tape devices be turned off if you intend to use migrate to create twin tapes after the backup has been completed. This is because encrypted data is hard to compress; thus the resulting data (on tape) will be much greater for the twin than the original if hardware compression is used. If the resulting data exceeds the storage capacity of the target tape, then the migrate job will fail.
The reason for multiple keys on a keyring is to mitigate the effect of compromising an existing key or losing a set of tapes. For example, if the key database is compromised (e.g., stolen), an administrator can simply generate a new key for each keyring to protect all future jobs. For another example, if a tape corresponding to a particular key is stolen, the administrator can generate a new key in its place and delete that previous key to prevent it from being compromised. Note that deleting a key effectively expunges all the backup instances that were encrypted with that key.
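The key lifecycle described above (one active key, retired keys kept for restore, migrate re-using the original key, deletion expunging instances) as a toy model. This is an added example, not DPX code; the class and method names, and the use of a job sequence number as the key's applicability period, are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Key:
    key_id: str
    active_from: int          # start of the period in which this key is applicable (constructed: job sequence number)
    retired: bool = False

@dataclass
class BackupInstance:
    name: str
    keyring: str              # keyring information is recorded with the instance on the volume
    key_id: str               # so a restore knows which key to use

class Keyring:
    """Toy keyring: exactly one applicable key at a time; older keys are retired, not removed."""
    def __init__(self, name: str, first_key_id: str):
        self.name = name
        self.keys = [Key(first_key_id, active_from=0)]

    def active_key(self) -> Key:
        return next(k for k in self.keys if not k.retired)

    def add_key(self, key_id: str, now: int) -> Key:
        # Generating a new key retires the previous one; it stays available for restore/migrate.
        self.active_key().retired = True
        self.keys.append(Key(key_id, active_from=now))
        return self.active_key()

    def delete_key(self, key_id: str) -> None:
        # Deleting a key effectively expunges every instance encrypted with it.
        self.keys = [k for k in self.keys if k.key_id != key_id]

    def backup(self, name: str) -> BackupInstance:
        return BackupInstance(name, self.name, self.active_key().key_id)

    def key_for_migrate(self, inst: BackupInstance) -> str:
        # Migrate encrypts with the key of the original backup, not the currently active key.
        return inst.key_id

    def can_restore(self, inst: BackupInstance) -> bool:
        return any(k.key_id == inst.key_id for k in self.keys)

def scenario():
    """Rotate after a suspected key-database compromise, then delete a key after a tape is stolen."""
    ring = Keyring("payroll", "k1")
    full_01 = ring.backup("full-01")                 # encrypted with k1
    ring.add_key("k2", now=2)                        # new key protects all future jobs
    full_02 = ring.backup("full-02")                 # encrypted with k2
    restorable_after_rotation = ring.can_restore(full_01)   # retired k1 still present -> True
    migrate_key = ring.key_for_migrate(full_01)             # "k1", not the active k2
    ring.delete_key("k1")                            # tape holding full-01 was stolen
    return restorable_after_rotation, migrate_key, ring.can_restore(full_01), ring.can_restore(full_02)
```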
See also. For the latest system compatibility details regarding supported hardware, file systems, applications, operating systems, and service packs, see the DPX 4.10 Compatibility Matrix.
Tape encryption of DB2 and Oracle backups requires editing the parameter file job_name.BEX (Windows) or sbt11cfg.BEX (UNIX) in the product directory and setting the following parameters:
DPX provides AES 256-bit software encryption. However, certain tape devices can encrypt data at the hardware level. DPX supports hardware encryption for LTO tape drives of specific types and manufacturers.
Hardware encryption utilizes keyrings for backups and restores in the same way that software encryption does. A job option allows the user to indicate whether to use software or hardware encryption.
The following are additional considerations for hardware encryption:
The user is responsible for confirming that their tape devices are actually capable of hardware encryption.
You can use one media pool for both types of tape devices (hardware encryption capable and hardware encryption incapable), but it is better to use separate media pools.
You can use the same keyring for jobs with software encryption or hardware encryption. However, there is a length limitation (10 bytes) for the keyring name in hardware encryption.
You cannot use the same tape for backup jobs with and without the hardware encryption option. DPX selects a suitable tape automatically.
To verify whether a tape is encrypted, use the utility tools/tapedump. First, run the program tapedump. Second, issue the tape deviceName command. Third, issue the open rdonly command. Fourth, issue the read command several times. If you hit a read permission error, then the tape is encrypted.
Data encryption is an option that can be enabled by setting the Encrypt Data job option when defining a file backup job.
See also. To read more about the encryption options and how to set them in File Backup jobs, go to Other Job Options for File Backup.
To add a key to a keyring, follow the procedure below.
Open the Enterprise Information view by clicking the gear icon in the header.
Go to the Keyrings tab. The tab lists all keyrings created by the DPX administrator.
Click Add new key. A new key will be added to the keyring.
Note. The previous key in the keyring is automatically retired. However, it still can be used to access backups encrypted using the key.
Important. Generally, removing keys or keyrings from DPX is not recommended, as removing the key will make it impossible to restore data from backups created using the removed key.
Type the key ID to confirm, then click Remove. The key will be permanently removed from the keyring.
Warning! All backups made using the removed key will become inaccessible.
Note. Only empty keyrings can be removed. To remove a keyring that contains keys, remove all the keys first.
You will be prompted to confirm your choice.
Click Yes. The empty keyring will be deleted from the list.
Click the Configure tab on the Function Tab bar.
Click Keyrings in the Configuration Operations section in the sidebar.
Select the keyring where you want to add the key and do one of the following:
Right-click the keyring and select Add Key.
From the window menu bar, select Keyring > Add Key [Ctrl+Shift+E].
Select Add Key from the task panel in the Add Key section.
Note. The previous key in the keyring is automatically retired. However, it still can be used to access backups encrypted using the key.
Important. Generally, removing keys or keyrings from DPX is not recommended, as removing the key will make it impossible to restore data from backups created using the removed key.
To remove a key, do one of the following:
Right-click the key and select Delete.
From the window menu bar, select Keyring > Delete Key.
Select Delete Key from the task panel in the Add Key section.
You will be prompted to confirm your choice:
Click Yes. The key will be permanently removed from the keyring.
Warning! All backups made using the removed key will become inaccessible.
Note. Only empty keyrings can be removed. To remove a keyring that contains keys, remove all the keys first.
To remove an empty keyring, do one of the following:
Right-click the keyring and select Delete.
From the window menu bar, select Keyring > Delete Keyring.
Select Delete Keyring from the task panel in the Add Key section.
The empty keyring will be deleted without any prompts.
Hover over the keyring and click the edit icon. The Edit Keyring dialog window will open.
To remove a key, hover over the keyring and click the edit icon. The Edit Keyring dialog window will open.
Click the icon. You will be prompted to confirm your choice.
To remove an empty keyring, hover over the keyring and click the icon.
BEX_EDOT: Values are N (no), B (both), O (original), T (twin).
BEX_ENCTYPE: Values are S (software) or H (hardware).
BEX_EKRN: Value is the keyring name.
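A pre-flight check for the tape-encryption parameters above, covering the allowed BEX_EDOT and BEX_ENCTYPE values and the 10-byte keyring-name limit that applies to hardware encryption. This is an added example, not part of DPX; it assumes the .BEX file uses NAME=VALUE lines, that "#" starts a comment, and that BEX_EKRN must be set whenever BEX_EDOT is not N.

```python
import re

# Allowed values as documented for the two enumerated parameters
BEX_ALLOWED = {
    "BEX_EDOT": {"N", "B", "O", "T"},   # encrypt: no / both / original / twin
    "BEX_ENCTYPE": {"S", "H"},          # software / hardware encryption
}
HW_KEYRING_NAME_LIMIT = 10              # bytes; keyring name limit for hardware encryption

def parse_bex(text: str) -> dict:
    """Parse NAME=VALUE lines into a dict (line syntax and '#' comments are assumptions)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def validate_encryption_params(params: dict) -> list:
    """Return a list of problems; an empty list means the encryption settings are consistent."""
    problems = []
    for name, allowed in BEX_ALLOWED.items():
        if name in params and params[name] not in allowed:
            problems.append(f"{name}={params[name]!r} is not one of {sorted(allowed)}")
    if params.get("BEX_EDOT", "N") != "N":
        keyring = params.get("BEX_EKRN", "")
        if not keyring:
            problems.append("BEX_EKRN must be set when BEX_EDOT is not N (assumed requirement)")
        elif params.get("BEX_ENCTYPE") == "H" and len(keyring.encode()) > HW_KEYRING_NAME_LIMIT:
            problems.append(f"BEX_EKRN {keyring!r} exceeds {HW_KEYRING_NAME_LIMIT} bytes for hardware encryption")
    return problems

# Constructed sample: software encryption of both original and twin with a long keyring name (fine),
# then the same keyring name with hardware encryption (too long for the 10-byte limit).
SAMPLE_SOFTWARE = "# constructed job_name.BEX fragment\nBEX_EDOT=B\nBEX_ENCTYPE=S\nBEX_EKRN=finance_keyring_2024\n"
SAMPLE_HARDWARE = SAMPLE_SOFTWARE.replace("BEX_ENCTYPE=S", "BEX_ENCTYPE=H")

def check(text: str) -> list:
    return validate_encryption_params(parse_bex(text))
```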
See also. To add another key to the keyring, see Adding a Key.
To configure a keyring, follow the procedure below.
Open the Enterprise Information view by clicking the gear icon in the header.
Go to the Keyrings tab. The tab lists all keyrings created by the DPX administrator.
Click Add. The Add Keyring dialog window opens.
Specify the keyring name. Click Add. The keyring is added to your DPX.
Note. The keyring is already created with an active key inside.
Click the Configure tab on the Function Tab bar.
Click Keyrings in the Configuration Operations section in the sidebar.
Open the ADD KEYRING pane by doing one of the following:
Right-click the Enterprise and select Add Keyring.
From the window menu bar, select Keyring > Add Keyring [Ctrl+Shift+K].
Select Add Keyring from the task panel in the Add Key section.
In the ADD KEYRING pane, specify the new keyring name.
Click Add. The keyring is added to the Enterprise.
Note. The keyring is already created with an active key inside.