AIX, Linux, Oracle Solaris, and Mac OS X operating systems

Data encryption during backup or archive operations

Encrypting data helps to ensure data security. Use data encryption to protect data during a backup or archive operation. Advanced Encryption Standard (AES) 128-bit encryption is the default encryption option. For the highest level of data encryption, use 256-bit AES data encryption by specifying the encryptiontype option.

The data that you include is stored in encrypted form, and encryption does not affect the amount of data that is sent or received.

The include.encrypt option is the only way to enable encryption on the backup-archive client. If no include.encrypt statements are used, encryption cannot occur.

Linux operating systems: Encryption is not compatible with VMware virtual machine backups that use the incremental forever backup modes (MODE=IFIncremental and MODE=IFFull). If the client is configured for encryption, you cannot use incremental forever backup.

Use the include and exclude options in dsm.sys to define which files to include or exclude from incremental or selective backup processing. A file is eligible for backup unless excluded by an exclude option. It is not necessary to use an include option to include specific files for backup unless those files are in a directory that contains other files that you want to exclude.

To encrypt file data, you must select an encryption key password, which the client uses to generate the encryption key for encrypting and decrypting the file data. Store the encryption key password for later use. You can specify whether to save the encryption key password in a file that is named TSM.sth by using the encryptkey option.

IBM Spectrum Protect™ client encryption allows you to enter a value of up to 63 characters in length. This encryption password needs to be confirmed when encrypting the file for backup, and also needs to be entered when performing restores of encrypted files.
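The following shell check is an added example, not IBM code. It audits a client options file for the settings described above: at least one include.encrypt statement, the encryptiontype value, and whether encryptkey saves the key password. The function names, the sample file contents, and the policy that only AES256 passes are assumptions, as is the premise that all statements are in the one file that is checked.

```shell
#!/bin/sh
# Added example (not IBM code): audit a client options file for encryption settings.

# Print the last value given for option $2 in file $1. Names are compared
# case-insensitively; lines whose first field starts with "*" are comments.
opt_value() {
    awk -v want="$2" '
        substr($1, 1, 1) == "*" { next }
        tolower($1) == want     { val = $2 }
        END                     { print val }' "$1"
}

# Report findings for file $1; return 1 if any check fails (assumed policy).
audit_encryption() {
    file=$1
    rc=0
    n=$(awk 'substr($1, 1, 1) != "*" && tolower($1) == "include.encrypt" { c++ }
             END { print c + 0 }' "$file")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no include.encrypt statements, so encryption cannot occur"
        rc=1
    else
        echo "OK: $n include.encrypt statement(s)"
    fi
    etype=$(opt_value "$file" encryptiontype | tr '[:lower:]' '[:upper:]')
    case $etype in
        AES256) echo "OK: encryptiontype AES256" ;;
        "")     echo "FAIL: encryptiontype not set, default AES 128-bit applies"; rc=1 ;;
        *)      echo "FAIL: encryptiontype $etype is not AES256"; rc=1 ;;
    esac
    ekey=$(opt_value "$file" encryptkey | tr '[:upper:]' '[:lower:]')
    if [ "$ekey" = save ]; then
        echo "NOTE: encryptkey save, key password is kept in TSM.sth"
    fi
    return $rc
}

# Constructed sample options file, audited when the script is run directly.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* constructed sample, not a real client configuration
encryptiontype    aes256
encryptkey        save
include.encrypt   /home/finance/.../*
EOF
audit_encryption "$sample"
rm -f "$sample"
```
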

While restoring the encrypted file, the client prompts you for the key password to decrypt the file in the following cases: