Transport encryption

IBM Storage® Protect Plus 10.1.13 introduces the transport encryption feature to protect data that is transported between the application host and vSnap during backup and restore. With transport encryption, each data path between the application host and the vSnap can be encrypted and decrypted.

Considerations for using transport encryption

To enable transport encryption, ensure that the prerequisite software is at the required level and all security-related patches are applied. For system requirements, see System requirements.

Important:
  • If you are using IBM Storage Protect Plus for backup storage and want to protect the data transport with the transport encryption option, you must update both IBM Storage Protect Plus and vSnap to 10.1.13 or later releases.
  • After you install or update IBM Storage Protect Plus and vSnap to 10.1.13 or later, the transport encryption option is disabled by default. To enable the transport encryption option, see Configuring advanced storage options.
  • If you enable transport encryption in IBM Storage Protect Plus 10.1.13 or later and then plan to disable it, you must manually disable the transport encryption option.

Review the following information before you enable transport encryption:
  • When you enable transport encryption, each data stream between the application host and the vSnap is encrypted and decrypted. Each stream is handled by one CPU core. Data transport encryption can increase CPU usage, which can affect system performance. The potential impact on performance depends on CPU types, the number of vSnaps and hosts involved in a service level agreement (SLA), and various other factors. Performance might be reduced by 10% to 50%, depending on data types and setup.
  • You can fully protect the following data types:
    • SQL database and log backups
    • Exchange database and log backups
    • Windows file system
    • Oracle database and log backups on the Linux® systems
    • Db2® database and log backups on the Linux® systems
    • MongoDB
      Note: MongoDB does not have log backup.
  • You can partially protect the following data types:
    • SAP HANA: You can enable the transport encryption feature for SAP HANA DB. Due to technical limitations, you cannot protect SAP HANA log backups with transport encryption. To protect your SAP HANA log backup data, you must enable SAP HANA backup encryption.

      For more information, see Enabling log encryption for SAP HANA data.

    • VMware: You can protect the data transport between the vSnap and a remote VADP with the IBM Storage Protect Plus transport encryption feature. Also, the path is always protected when you back up VMware data to Open Snap Store Manager (OSSM). When you back up VMware data, the VADP reads the data from the data store and sends it to vSnap. You cannot enable IBM Storage Protect Plus transport encryption for the data store connection.

      For more information about how to enable transport encryption on VMware to protect VMware data, see Enabling transport encryption for VMware data.

  • Due to technical limitations, you cannot protect the following data types:
    • Hyper-V
    • Oracle database and log backups on the AIX® systems
    • Db2 database and log backups on the AIX® systems
    • SAP HANA database and log backups on the AIX® systems
    • Microsoft™ 365