Encryptkey

The backup-archive client supports the option to encrypt files that are being backed up or archived to the IBM Spectrum® Protect server. This option is enabled with the include.encrypt option.

All files matching the pattern on the include.encrypt specification are encrypted before the data is sent to the server. There are three options for managing the key used to encrypt the files (prompt, save, and generate). All three options can be used with either the backup-archive client or the IBM Spectrum Protect API.

Windows operating systems: The encryption key password is case-sensitive and can be up to 63 characters in length.

Mac OS X, Oracle Solaris, Linux, and AIX operating systems: The encryption key password is case-sensitive and can be up to 64 characters in length.

The following characters can be included in the encryption key password:
  • A-Z: Any letter, A through Z, uppercase or lowercase. You cannot specify national language characters.
  • 0-9: Any number, 0 through 9
  • + (plus)
  • . (period)
  • _ (underscore)
  • - (hyphen)
  • & (ampersand)
Note:
  1. The API has an alternate way of specifying encryptkey=generate; the previous enableclientencryptkey=yes option can also be specified to request generate encryption processing.
  2. The enableclientencryptkey=yes API option is still supported, so it is possible when using the API to specify two conflicting options. For example, enableclientencryptkey=yes and encryptkey=prompt or encryptkey=save.
  3. When conflicting values are specified, the API returns an error message.
Attention (Mac OS X, Oracle Solaris, Linux, and AIX operating systems): When using the prompt option, your encryption key is not saved in the IBM Spectrum Protect password file on UNIX. If you forget the key, your data cannot be recovered.
Attention (Windows operating systems): When using the prompt option, your encryption key is not saved in the Windows Registry. If you forget the key, your data cannot be recovered.

Supported Clients

This option is valid for all clients. The server can also define this option.

Options File

Mac OS X, Oracle Solaris, Linux, and AIX operating systems: Place this option in the client system-options file (dsm.sys) within a server stanza. You can set this option on the Authorization tab, Encryption Key Password section of the Preferences editor.

Windows operating systems: Place this option in the client options file (dsm.opt). You can set this option on the Authorization tab, Encryption Key Password section of the Preferences editor.

Syntax

ENCRYPTKey save | prompt | generate

Parameters

save
The encryption key password is saved in the backup-archive client password file. A prompt is issued for an initial encryption key password, and after the initial prompt, the saved encryption key password in the password file is used for the backups and archives of files matching the include.encrypt specification. The key is retrieved from the password file on restore and retrieve operations.

Windows operating systems: The password can be up to 63 bytes in length.

Mac OS X, Oracle Solaris, Linux, and AIX operating systems: The password can be up to 64 bytes in length.

When the save option is specified for an API application, the initial key password must be provided by the application using the API in the dsmInitEx function call. The API itself does not issue a prompt to the user but relies on the application to prompt the user as necessary.

This parameter is the default.

Note: The following restrictions apply:
  • This option can only be used when passwordaccess generate is also specified.
  • The root user or an authorized user must specify the initial encryption key password.
prompt
The management of the encryption key password is provided by the user. The user is prompted for the encryption key password when the client begins a backup or archive. A prompt for the same password is issued when restoring or retrieving the encrypted file.

Windows operating systems: This password can be up to 63 bytes in length.

Mac OS X, Oracle Solaris, Linux, and AIX operating systems: This password can be up to 64 bytes in length.

When the prompt option is specified for an API application, the key password must be provided by the application using the API in the dsmInitEx function call. The API itself does not issue a prompt to the user but relies on the application to prompt the user as necessary.

generate
An encryption key password is dynamically generated when the client begins a backup or archive. This generated key password is used for the backups of files matching the include.encrypt specification. The generated key password, in an encrypted form, is kept on the IBM Spectrum Protect server. The key password is returned to the client to enable the file to be decrypted on restore and retrieve operations.

Examples

Options file:
encryptkey prompt
Command line:
Does not apply.
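
The rules on this page (allowed key-password characters and length limits, the passwordaccess generate restriction on save, and the conflict between enableclientencryptkey=yes and encryptkey prompt or save) can be checked before a client is deployed. The following Python check is an added example, not IBM code; its option parser is a simplified assumption (full option names only, lines starting with * treated as comments), and the sample stanza is constructed.

```python
import re

DISALLOWED = re.compile(r"[^A-Za-z0-9+._&-]")  # page allows letters, digits, + . _ - &
MAX_LEN = {"windows": 63, "unix": 64}           # unix = Mac OS X, Solaris, Linux, AIX
VALID_MODES = {"save", "prompt", "generate"}

def check_key_password(password, platform):
    """Return problems with a key password; an empty list means it is acceptable."""
    problems = []
    if not password:
        problems.append("password is empty")
    if len(password) > MAX_LEN[platform]:
        problems.append(f"longer than {MAX_LEN[platform]} characters on {platform}")
    bad = sorted(set(DISALLOWED.findall(password)))
    if bad:
        problems.append("characters not allowed: " + " ".join(map(repr, bad)))
    return problems

def parse_options(text):
    """Assumed format: 'name value' or 'name=value' per line, '*' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("*"):
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def check_options(text):
    """Return findings for the encryptkey rules described on this page."""
    opts = parse_options(text)
    explicit = opts.get("encryptkey", "").lower() or None
    legacy = opts.get("enableclientencryptkey", "").lower() == "yes"
    if explicit and explicit not in VALID_MODES:
        return [f"unknown encryptkey value: {explicit}"]
    findings = []
    if legacy and explicit in ("prompt", "save"):
        findings.append(f"conflict: enableclientencryptkey=yes with encryptkey={explicit}")
    # save is the default; the older API option on its own requests generate processing.
    effective = explicit or ("generate" if legacy else "save")
    encrypting = bool(explicit) or legacy or "include.encrypt" in opts
    if encrypting and effective == "save" and opts.get("passwordaccess", "").lower() != "generate":
        findings.append("encryptkey save requires passwordaccess generate")
    return findings

# Constructed sample stanza, not taken from a real system.
SAMPLE = "* constructed sample\npasswordaccess prompt\nencryptkey save\ninclude.encrypt /home/proj/.../*\n"
if __name__ == "__main__":
    print(check_options(SAMPLE))
```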