IBM Storage Protect client encryption

IBM® Storage Protect client encryption uses the key that is managed by the DSM_ENCRYPT_CLIENTENCRKEY value to protect your data. Client encryption is transparent to the application that is using the API, with the exception that partial object restore operations and retrieve operations are not possible for objects that were encrypted or compressed.

For both IBM Storage Protect client encryption and application-managed encryption, the encryption password is a string value that is used to generate the actual encryption key. The value for the encryption password option is 1-63 characters in length, but the key that is generated from it is always 8 bytes for 56-bit DES, 16 bytes for 128-bit AES, and 32 bytes for 256-bit AES.

Attention: If the encryption key is not available, data cannot be restored or retrieved. When you use ENABLECLIENTENCRYPTKEY for encryption, the encryption key is stored in the server database. For objects that use this method, the server database must exist and contain the correct entries for those objects before they can be restored. Ensure that you back up the server database frequently to prevent data loss.

This is the simpler method to implement: one random encryption key is generated per session and is stored, together with the object, in the IBM Storage Protect server database. During restore, the stored key is used for decryption. With this method, management of the key is the responsibility of IBM Storage Protect, and the application does not have to deal with the key at all. Because the key is stored in the server database, you must have a valid IBM Storage Protect database to restore an encrypted object. When the key is transmitted between the API and the server, it is also encrypted, so the transmission is secure, and the key is stored in encrypted form in the IBM Storage Protect server database. The only time the key is placed in the clear, as part of the export data stream, is when a node's data are exported between servers.

To enable IBM Storage Protect client encryption, complete the following steps:

  1. Specify -ENABLECLIENTENCRYPTKEY=YES in the option string that is passed to the API on the dsmInitEx call or set the option in the system option file dsm.opt (Windows) or dsm.sys (UNIX or Linux®).
  2. Set include.encrypt for the objects to encrypt. For example, to encrypt all data, set:
       include.encrypt /.../*      (UNIX)
     and
       include.encrypt *\...\*     (Windows)

     To encrypt the object /FS1/DB2/FULL, set:

       include.encrypt /FS1/DB2/FULL
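As an added example (not IBM's own code), the following Python checker models the include.encrypt wildcard semantics assumed here (`*` matches within one path component, `?` matches one character, `...` matches zero or more directory levels) so that you can confirm which backup objects a given rule set would actually send encrypted before relying on it. The rule list and object paths are constructed sample input; real pattern evaluation is done by the IBM Storage Protect client, and this matcher only approximates it.

```python
import re

def pattern_to_regex(pattern: str, sep: str = "/") -> re.Pattern:
    """Translate an include.encrypt pattern into a regular expression.

    Assumed semantics (approximation of the client's wildcard rules):
      '*'    zero or more characters within a single path component
      '?'    exactly one character within a single path component
      '...'  zero or more directory levels (when followed by a separator)
    """
    esc = re.escape(sep)
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("..." + sep, i):
            parts.append(f"(?:.*{esc})?")   # zero or more directories, plus separator
            i += 4
        elif pattern.startswith("...", i):
            parts.append(".*")               # trailing '...' matches the rest
            i += 3
        elif pattern[i] == "*":
            parts.append(f"[^{esc}]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(f"[^{esc}]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Windows file names are case-insensitive; UNIX names are not.
    flags = re.IGNORECASE if sep == "\\" else 0
    return re.compile("^" + "".join(parts) + "$", flags)

def matches(pattern: str, path: str, sep: str = "/") -> bool:
    """True if the object path is covered by the include.encrypt pattern."""
    return pattern_to_regex(pattern, sep).match(path) is not None

def encrypted_objects(rules: list[str], paths: list[str], sep: str = "/") -> list[str]:
    """Return the object paths that at least one include.encrypt rule covers."""
    return sorted(p for p in paths if any(matches(r, p, sep) for r in rules))

if __name__ == "__main__":
    # Constructed sample: one exact rule (as in the text) against two DB2 backup objects.
    rules = ["/FS1/DB2/FULL"]
    objects = ["/FS1/DB2/FULL", "/FS1/DB2/INCR"]
    for obj in objects:
        state = "encrypted" if obj in encrypted_objects(rules, objects) else "NOT encrypted"
        print(f"{obj}: {state}")
```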