Software encryption using BRMS

Backup, Recovery, and Media Services (BRMS) provides you with the ability to encrypt your data to a tape device. This encryption solution is hardware independent, meaning that you do not need to use an encrypting tape drive or other type of encryption device to encrypt the backup data. Only user data can be encrypted with BRMS.

BRMS uses cryptographic services to perform the encrypted backup. When you begin a backup, the BRMS interface asks you for the keys to use for encryption and which items you want encrypted. You provide the name of the keystore file and the key label. BRMS saves the key information so that it knows which key information is needed to restore the data.

The Tape Management exit program calls BRMS before each file is written. If encryption is requested, the Tape Management exit program determines whether the data is to be encrypted and which keystore file and record label to use. The Tape Management exit program does not verify what data is being encrypted.

Note: Currently, you cannot perform software encryption using save/restore commands. However, you can use save/restore commands to back up cryptographic services master keys and keystore files.