Backup encryption methods for replication activities

IBM® Security Guardium® Key Lifecycle Manager supports password-based encryption and HSM-based encryption for backups and replication activities.

Password-based encryption

When you run the IBM Security Guardium Key Lifecycle Manager automated replication program on the master server, you must specify a password to encrypt the backup key. This backup key is used to encrypt backup contents. The encrypted backup data, the backup key, and the password are replicated on the clone server that you configured for replication. The clone server uses the replicated password to decrypt and restore the backup files.

HSM-based encryption

When you run the automated replication on the master server, data is backed up and encrypted by a backup key. If Hardware Security Module (HSM) is configured with IBM Security Guardium Key Lifecycle Manager, master key in HSM encrypts the backup key. When data is replicated on the clone server with HSM configured, the master key, which is stored in HSM, decrypts the backup key. Then, the backup key is used to restore backup contents.

Consider the following guidelines for using HSM-based encryption.
  • Same HSM partition must be present with all its key entries intact on all the clone servers.
  • Master key that you used for the backup key encryption must be intact to replicate the backup file on the clone server. If the master key is refreshed, all the older backups are inaccessible or unusable.
  • You must connect to the same HSM and the master key for automated replication irrespective of whether you use HSM-based encryption or password-based encryption.
HSM-based encryption is the default method for the backups and replication when HSM is configured to store the master key. You can also use the password-based encryption when HSM is configured by setting the following property in the SKLMConfig.properties file.
enablePBEInHSM=true
Note:
  • If HSM is not configured, you can only use password-based encryption for the backups and replication.
  • If the value for enablePBEInHSM is not set or set to any other value than true, the value is assumed as false.
  • You can replicate and restore a backup file that is created by using either password-based or HSM-based encryption irrespective of the value set for enablePBEInHSM.

Replication configuration