Backup encryption methods for replication activities
IBM® Security Guardium® Key Lifecycle Manager supports password-based encryption and HSM-based encryption for backups and replication activities.
Password-based encryption
When you run the IBM Security Guardium Key Lifecycle Manager automated replication program on the master server, you must specify a password to encrypt the backup key. This backup key is used to encrypt backup contents. The encrypted backup data, the backup key, and the password are replicated on the clone server that you configured for replication. The clone server uses the replicated password to decrypt and restore the backup files.
HSM-based encryption
When you run the automated replication on the master server, data is backed up and encrypted by a backup key. If Hardware Security Module (HSM) is configured with IBM Security Guardium Key Lifecycle Manager, master key in HSM encrypts the backup key. When data is replicated on the clone server with HSM configured, the master key, which is stored in HSM, decrypts the backup key. Then, the backup key is used to restore backup contents.
- Same HSM partition must be present with all its key entries intact on all the clone servers.
- Master key that you used for the backup key encryption must be intact to replicate the backup file on the clone server. If the master key is refreshed, all the older backups are inaccessible or unusable.
- You must connect to the same HSM and the master key for automated replication irrespective of whether you use HSM-based encryption or password-based encryption.
enablePBEInHSM=true
- If HSM is not configured, you can only use password-based encryption for the backups and replication.
- If the value for enablePBEInHSM is not set or set to any other value than true, the value is assumed as false.
- You can replicate and restore a backup file that is created by using either password-based or HSM-based encryption irrespective of the value set for enablePBEInHSM.