The backup-archive client supports the option to encrypt files that are being backed up or archived to the IBM Spectrum Protect server. This option is enabled with the include.encrypt option.
All files matching the pattern on the include.encrypt specification are encrypted before the data is sent to the server. There are three options for managing the key used to encrypt the files (prompt, save, and generate). All three options can be used with either the backup-archive client or the IBM Spectrum Protect API.
The encryption key password is case-sensitive and can be up to 63 characters in length
The encryption key password is case-sensitive and can be up to 64 characters in length.
- Any letter, A through Z, uppercase or lowercase. You cannot specify national language characters.
- Any number, 0 through 9
- The API has an alternate way of specifying encryptkey=generate; the previous enableclientencryptkey=yes option can also be specified to request generate encryption processing.
- The enableclientencryptkey=yes API option is still supported, so it is possible when using the API to specify two conflicting options. For example, enableclientencryptkey=yes and encryptkey=prompt or encryptkey=save.
- When conflicting values are specified, the API returns an error message.
This option is valid for all clients. The server can also define this option.
Place this option in the client system-options file (dsm.sys) within a server stanza. You can set this option on the Authorization tab, Encryption Key Password section of the Preferences editor.
Place this option in the client options file (dsm.opt). You can set this option on the Authorization tab, Encryption Key Password section of the Preferences editor.
- The encryption key password is saved in the backup-archive client password file. A prompt is
issued for an initial encryption key password, and after the initial prompt, the saved encryption
key password in the password file is used for the backups and archives of files matching the
include.encrypt specification. The key is retrieved from the password file on
restore and retrieve operations.
The password can be up to 63 bytes in length.
The password can be up to 64 bytes in length.
When the save option is specified for an API application, the initial key password must be provided by the application using the API in the dsmInitEx function call. The API itself does not issue a prompt to the user but relies on the application to prompt the user as necessary.
This parameter is the default.Note: The following restrictions apply:
- This option can only be used when passwordaccess generate is also specified.
- The root user or an authorized user must specify the initial encryption key password.
- The management of the encryption key password is provided by the user. The user is prompted for
the encryption key password when the client begins a backup or archive. A prompt for the same
password is issued when restoring or retrieving the encrypted file.
This password can be up to 63 bytes in length.
This password can be up to 64 bytes in length.
When the prompt option is specified for an API application, the key password must be provided by the application using the API in the dsmInitEx function call. The API itself does not issue a prompt to the user but relies on the application to prompt the user as necessary.
- An encryption key password is dynamically generated when the client begins a backup or archive. This generated key password is used for the backups of files matching the include.encrypt specification. The generated key password, in an encrypted form, is kept on the IBM Spectrum Protect server. The key password is returned to the client to enable the file to be decrypted on restore and retrieve operations.
- Options file:
- Command line:
- Does not apply.