Key loss prevention
To prevent loss of encryption data for mission-critical devices and keys, always maintain a minimum of two instances of IBM Guardium Key Lifecycle Manager. Ensure that one of the instances is a replica of the same devices and keys. You might provide more than two redundant instances.
IBM Guardium Key Lifecycle Manager supports DS5000 storage servers and automatically generates keys when a new DS5000 device is registered in IBM Guardium Key Lifecycle Manager.
Do not use a setting of 1 (auto accept) for the DS5000 endpoint family. This setting allows keys to be generated and served to DS5000 storage servers before you back up data. For all other device families, back up any new keys that are served.
Remove the backup files from the server and store them in a secure location. For example, copy the backup files to a CD/DVD and lock them in a safe place.
Note: Do not copy the files to an encrypted storage that is dependent on this product. Doing so might result in the backup not being available because the product is not available.
IBM Guardium Key Lifecycle Manager also provides these options to prevent key loss:
- backup.keycert.before.serving: Set this property in the SKLMConfig.properties file to prevent serving new keys until the keys are backed up.
- Automated backup script: Use the autobackup.bat script to automatically back up files. IBM Guardium Key Lifecycle Manager does not serve keys or certificates that are not backed up if the value of the backup.keycert.before.serving property is set to true, or is not present, in the SKLMConfig.properties file.
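The following is an added example (not IBM's own code) that audits an SKLMConfig.properties file for the backup.keycert.before.serving guard described above; it assumes standard Java .properties syntax and treats an absent property as true, as the documentation states.

```python
"""Audit whether GKLM is configured to serve keys only after backup."""
import re

PROPERTY = "backup.keycert.before.serving"
_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '=' or ':' separators,
    '#'/'!' comment lines, and trailing-backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    if pending:                          # continuation with no following line
        m = _KV.match(pending)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def keys_served_only_after_backup(props: dict) -> bool:
    """True when un-backed-up keys are NOT served: the property is
    missing (documented default) or set to 'true' (case-insensitive)."""
    value = props.get(PROPERTY)
    return True if value is None else value.strip().lower() == "true"


def audit(text: str) -> str:
    """Return a one-line finding for a config file's contents."""
    props = parse_properties(text)
    shown = props.get(PROPERTY, "absent (defaults to true)")
    if keys_served_only_after_backup(props):
        return "ok: %s is %s; new keys are held until backed up" % (PROPERTY, shown)
    return "WARNING: %s=%s; keys may be served before backup" % (PROPERTY, shown)


# Constructed sample configurations (not real GKLM files)
SAFE_CONFIG = "# GKLM config\nAudit.event.types=all\n"
WEAK_CONFIG = "Audit.event.types=all\nbackup.keycert.before.serving=false\n"

if __name__ == "__main__":
    print(audit(SAFE_CONFIG))
    print(audit(WEAK_CONFIG))
```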