With application-managed encryption, the application provides the key password to the API (using key DSM_ENCRYPT_USER), and it is the application's responsibility to manage that key password.
The application provides the key password in the dsmInitEx call and must provide the same key password at restore time. If the key password is lost, there is no way to restore the data. The same key password must be used for backup and restore (or archive and retrieve) of the same object. This method has no Tivoli Storage Manager server-level dependency. To set up this method, the application needs to do the following:
include.encrypt /.../* (UNIX)
include.encrypt *\...\* (Windows)
To encrypt the object /FS1/DB2/FULL, set:
include.encrypt /FS1/DB2/FULL
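As an added example (not IBM's code), the following C matcher checks which objects an include.encrypt list would cover, so an application can confirm that what it expects to be encrypted actually matches a statement before it sends the object. It assumes the usual include-exclude wildcard rules (`*` within one name, `?` one character, `...` zero or more directory levels), UNIX separators only, and bottom-up evaluation of the list; `match_pat` and `encrypt_rule` are names chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not IBM code. Matches a TSM-style include.encrypt
 * pattern against an object name using the wildcard rules assumed here:
 * '*' matches any run of characters within one name (never a '/'),
 * '?' matches one character, and "..." matches zero or more whole
 * directory levels. UNIX separators only. */
bool match_pat(const char *p, const char *s)
{
    if (strncmp(p, "...", 3) == 0) {
        const char *rest = p + 3;
        if (*rest == '\0') return true;      /* trailing "..." matches everything */
        if (*rest == '/') rest++;            /* ".../" = zero or more "name/" parts */
        for (const char *t = s;;) {
            if (match_pat(rest, t)) return true;
            const char *slash = strchr(t, '/');
            if (slash == NULL) return false;
            t = slash + 1;                   /* consume one more directory level */
        }
    }
    if (*p == '*') {
        for (const char *t = s;; t++) {
            if (match_pat(p + 1, t)) return true;
            if (*t == '\0' || *t == '/') return false;
        }
    }
    if (*p == '\0') return *s == '\0';
    if (*s == '\0') return false;
    if (*p == '?' && *s != '/') return match_pat(p + 1, s + 1);
    return *p == *s && match_pat(p + 1, s + 1);
}

/* Returns the index of the include.encrypt pattern that covers object,
 * scanning from the bottom of the list (assumed evaluation order), or -1
 * when nothing matches and the object would be sent without encryption. */
int encrypt_rule(const char *const patterns[], size_t n, const char *object)
{
    for (size_t i = n; i > 0; i--)
        if (match_pat(patterns[i - 1], object)) return (int)(i - 1);
    return -1;
}

int main(void)
{
    /* Constructed sample list and object names, mirroring the page. */
    const char *const pats[] = { "/.../*", "/FS1/DB2/FULL" };
    const char *objs[] = { "/FS1/DB2/FULL", "/FULL", "FS1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s -> rule %d\n", objs[i], encrypt_rule(pats, 2, objs[i]));
    return 0;
}
```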
After an object is sent, dsmEndSendObjEx reports whether the object was encrypted and which method was used. Possible values in the encryptionType field are:
The following table lists the API encryption types, prerequisites, and functions available.
Type | Prerequisite | Function available |
---|---|---|
ENCRYPTIONTYPE | None | Set -ENCRYPTIONTYPE=DES56\|AES128 in the option string passed to the API in the dsmInitEx call on Windows. This option can also be set in dsm.opt (Windows) or dsm.sys (UNIX). ENCRYPTIONTYPE is AES128 by default. |
EncryptKey=save | None | API and backup-archive |
EncryptKey=prompt | None | API and backup-archive |
EncryptKey=generate | None | API and backup-archive |
EnableClientEncryptKey | None | API only |
Table 2 shows how both authorized users and non-authorized users can encrypt or decrypt data during a backup or restore operation, depending on the value specified for the passwordaccess option. The TSM.PWD file must exist to perform the following authorized-user and non-authorized-user operations. The authorized user creates the TSM.PWD file by setting the encryptkey option to save and the passwordaccess option to generate.
Operation | passwordaccess option | encryptkey option | Result |
---|---|---|---|
Authorized user backup | generate | save | Data encrypted. |
 | generate | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
 | prompt | save | Data encrypted if encryptionPasswordP contains an encryption password. |
 | prompt | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Authorized user restore | generate | save | Data encrypted. |
 | generate | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
 | prompt | save | Data encrypted if encryptionPasswordP contains an encryption password. |
 | prompt | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Non-authorized user backup | generate | save | Data encrypted. |
 | generate | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
 | prompt | save | Data encrypted if encryptionPasswordP contains an encryption password. |
 | prompt | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Non-authorized user restore | generate | save | Data encrypted. |
 | generate | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
 | prompt | save | Data encrypted if encryptionPasswordP contains an encryption password. |
 | prompt | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |