Backing up encrypted auxiliary storage pools

Disk encryption enables you to encrypt data stored in user auxiliary storage pools (ASPs) and independent ASPs. You back up an encrypted ASP in the same way as for an unencrypted ASP. However, if the data in the system ASP or independent ASP is lost, you need to perform additional recovery steps.

To use disk encryption, you must have installed Option 45 - Encrypted ASP Enablement, a feature of the operating system. The option to enable encryption is available when you create a user ASP or independent ASP using Navigator for i or System i® Navigator.

When you set up an encrypted ASP, the system generates a data key, which encrypts the data written to that storage pool and decrypts data read from that storage pool. The data keys for independent ASPs are kept with the storage pool and are protected with the ASP master key. User ASPs are protected with a data key that is stored in the Licensed Internal Code.

Data is encrypted only while it resides on the ASP. When you read the data, it is decrypted. When doing a save operation, the data is decrypted as it is read for the save operation. The data is encrypted on the save media only if you are doing an encrypted backup using either an encrypting tape drive or the software solution.

You can perform an encrypted backup of data in an encrypted ASP. During the backup, the ASP data is decrypted as it is read, and gets encrypted again as it is written to the tape.

To back up the data in an encrypted ASP, use any of the following commands:

  • SAVSYS command
  • GO SAVE Option 21 (saves the entire system)
  • GO SAVE Option 23 (saves user data)

Important: If you switch an encrypted independent ASP from one system to another in a cluster, you need to make sure that the ASP master key is set to the same value on both systems.