Recovering from an encrypted backup using an encrypted tape

Hardware tape encryption uses tape devices with data encryption capabilities and the IBM® Encryption Key Manager (EKM) to encrypt your data. i5/OS only supports library-managed encryption. Use these steps to recover data that you have backed up using an encrypting tape drive or tape library.

To restore from an encrypted backup using an encrypting tape drive or tape library, follow these steps:

Ensure that the EKM is running and connected to the system where you plan to restore the data. The EKM contains the encryption keys that are needed for the recovery operation.
Restore the data from the most recent backup tape. When the data is restored, it is decrypted. When you share tapes with another company, EKM writes the tape with the other company's public key. They can decrypt and read the tape using their private key.

Attention: It is important to preserve your keystore data, which is stored in the EKM. Without access to your keystore data, you will be unable to decrypt your encrypted tapes during a restore operation. Back up the keystore data so that you can recover it as needed. You also can have two EKMs that are mirror images of each other with built-in backup of the critical keystore information, as well as a failover if an EKM becomes unavailable. When you configure your tape device, you can point it to two EKMs. If one EKM becomes unavailable for any reason, your device will use the alternate EKM.

You can restore backups that were encrypted using hardware encryption on V5R2 and later, but not on earlier systems.

For more information about the EKM setup tasks, see IBM Encryption Key Manager Introduction, Planning, and User's Guide, GA76-0418, in the IBM Publications Center. This manual is available from the IBM Publications Center as a printed hardcopy that you can order, in an online format that you can download at no charge, or both.