IBM Tivoli Storage Manager, Version 7.1

Tivoli Storage Manager client encryption

Tivoli® Storage Manager client encryption uses a key that Tivoli Storage Manager manages on behalf of the application (encryption type DSM_ENCRYPT_CLIENTENCRKEY) to protect your data. Tivoli Storage Manager client encryption is generally transparent to the application that is using the API, with one exception: partial object restores and retrieves are not possible for objects that have been encrypted or compressed.

For both Tivoli Storage Manager client encryption and application-managed encryption, the encryptionPassword is a string value that is used to generate the actual encryption key. The encryptionPassword can be up to 63 characters in length, but the key that is generated from it is always 8 bytes for 56-bit DES and 16 bytes for 128-bit AES; a longer password does not produce a longer key.

Attention: If the encryption key is not available, data cannot be restored or retrieved under any circumstances. When you use ENABLECLIENTENCRYPTKEY for encryption, the encryption key is stored in the server database. For objects that use this method, the server database must exist and still contain the key entries for those objects before they can be restored. Ensure that you back up the server database frequently to prevent data loss.

Tivoli Storage Manager client encryption is the simpler of the two methods to implement: one random encryption key is generated per session and is stored, together with the object's entry, in the Tivoli Storage Manager server database. During restore, the stored key is used for decryption. With this method, key management is the responsibility of Tivoli Storage Manager, and the application does not have to handle the key at all. Because the key is stored in the server database, a valid Tivoli Storage Manager database is always required to restore an encrypted object. When the key is transmitted between the API and the server, it is encrypted, and it is also encrypted while it is stored in the Tivoli Storage Manager server database. The only time the key is placed in the clear is in the export data stream when a node's data is exported between servers, so export media and the transport between servers must be protected accordingly.

To enable Tivoli Storage Manager client encryption, do the following:

  1. Specify -ENABLECLIENTENCRYPTKEY=YES in the option string that is passed to the API on the dsmInitEx call, or set the option in the system option file dsm.opt (Windows) or dsm.sys (UNIX or Linux).
  2. Set an include.encrypt option for the objects to encrypt. For example, to encrypt all data, set:
      include.encrypt /.../* (UNIX)
    and
      include.encrypt *\...\* (Windows)

    To encrypt only the object /FS1/DB2/FULL, set:

      include.encrypt /FS1/DB2/FULL
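
As an added example (not IBM's code, and not part of the original page), the following Python script audits an option file such as dsm.sys or dsm.opt the way a practitioner would before trusting a backup: it reads ENABLECLIENTENCRYPTKEY and the include.encrypt / exclude.encrypt rules for one server stanza, then reports for each object path whether the object would be sent encrypted, which rule decided it, and whether the key is server-managed or must be supplied by the application. The sample option files and object paths are constructed. The pattern semantics (`*` matches within one path component, `?` one character, `...` zero or more directory levels) and the bottom-up, first-match-wins evaluation of the rule list are assumptions about the client's include-exclude processing and are not stated on this page.

```python
"""Audit Tivoli Storage Manager client option files for client encryption.

Added example, not IBM's code. It parses the options an API client reads
from dsm.sys (UNIX or Linux) or dsm.opt (Windows) and reports, for a list
of object paths, whether each object would be sent encrypted and which
rule decided it. The sample option files below are constructed.

Assumed pattern semantics for include.encrypt / exclude.encrypt:
  '*'   zero or more characters within one path component
  '?'   exactly one character within one path component
  '...' zero or more directory levels
and the rules are searched bottom-up, first match wins (assumption).
"""
import re

# Constructed sample dsm.sys (UNIX or Linux) with one server stanza.
DSM_SYS_UNIX = """\
* comment lines start with an asterisk
SERVERNAME  tsmsrv1
   COMMMETHOD              TCPip
   TCPSERVERADDRESS        tsmsrv1.example.com
   ENABLECLIENTENCRYPTKEY  yes
   INCLUDE.ENCRYPT         /.../*
   EXCLUDE.ENCRYPT         /FS1/scratch/.../*
   INCLUDE.ENCRYPT         /FS1/DB2/FULL
"""

# Constructed sample dsm.opt (Windows); ENABLECLIENTENCRYPTKEY is deliberately absent.
DSM_OPT_WINDOWS = """\
TCPSERVERADDRESS  tsmsrv1.example.com
INCLUDE.ENCRYPT   *\\...\\*
"""


def pattern_to_regex(pattern):
    """Translate a TSM include/exclude pattern into a compiled regex."""
    text = pattern.replace("\\", "/")          # treat Windows paths like POSIX ones
    pieces, i = [], 0
    while i < len(text):
        if text.startswith("/.../", i):        # zero or more whole directory levels
            pieces.append("/(?:[^/]+/)*")
            i += 5
        elif text.startswith("...", i):        # '...' not bracketed by separators
            pieces.append(".*")
            i += 3
        elif text[i] == "*":                   # wildcard within one component
            pieces.append("[^/]*")
            i += 1
        elif text[i] == "?":                   # single character within one component
            pieces.append("[^/]")
            i += 1
        else:
            pieces.append(re.escape(text[i]))
            i += 1
    flags = re.IGNORECASE if "\\" in pattern else 0   # Windows names are case-insensitive
    return re.compile("^" + "".join(pieces) + "$", flags)


def parse_options(text, servername=None):
    """Return the encryption-related options, optionally for one dsm.sys stanza."""
    opts = {"enableclientencryptkey": False, "rules": []}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # blank or comment line
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "servername":
            stanza = value.lower()
            continue
        if servername is not None and stanza != servername.lower():
            continue                           # option belongs to another server stanza
        if key == "enableclientencryptkey":
            opts["enableclientencryptkey"] = value.lower() == "yes"
        elif key in ("include.encrypt", "exclude.encrypt"):
            opts["rules"].append((key == "include.encrypt", value, pattern_to_regex(value)))
    return opts


def encryption_decision(opts, path):
    """Return (encrypted, rule) for a path; rule is None when no rule matches."""
    normalized = path.replace("\\", "/")
    for include, pattern, regex in reversed(opts["rules"]):   # bottom-up, first match wins
        if regex.match(normalized):
            return include, pattern
    return False, None


def audit(text, paths, servername=None):
    """Report, per path, whether it is encrypted and how the key would be managed."""
    opts = parse_options(text, servername)
    key_management = ("client encryption, key stored in the server database"
                      if opts["enableclientencryptkey"]
                      else "application-managed, encryptionPassword must be supplied")
    report = []
    for path in paths:
        encrypted, rule = encryption_decision(opts, path)
        report.append({"path": path, "encrypted": encrypted, "rule": rule,
                       "key_management": key_management if encrypted else None})
    return report


if __name__ == "__main__":
    unix_paths = ["/FS1/DB2/FULL", "/FS1/scratch/tmp/x", "/home/u/notes.txt"]
    for row in audit(DSM_SYS_UNIX, unix_paths, "tsmsrv1"):
        print(row)
    for row in audit(DSM_OPT_WINDOWS, [r"C:\Users\alice\secrets.docx"]):
        print(row)
```

Run it against a real dsm.sys or dsm.opt by reading the file into `audit`; the Windows sample shows the case the Attention note warns about in reverse: include.encrypt matches, but without ENABLECLIENTENCRYPTKEY the API call must supply the encryptionPassword itself, and that key is not in the server database.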

