Backing up encrypted auxiliary storage pools
Disk encryption enables you to encrypt data stored in user auxiliary storage pools (ASPs) and independent ASPs. You back up an encrypted ASP in the same way as an unencrypted ASP. However, if the data in the system ASP or independent ASP is lost, you need to perform additional recovery steps.
When you set up an encrypted ASP, the system generates a data key, which encrypts the data written to that storage pool and decrypts data read from that storage pool. The data keys for independent ASPs are kept with the storage pool and are protected with the ASP master key. User ASPs are protected with a data key that is stored in the Licensed Internal Code.
Data is encrypted only while it resides on the ASP. When you read the data, it is decrypted. During a save operation, the data is decrypted as it is read, so the copy on the save media is in the clear unless you take further steps. The data is encrypted on the save media only if you are doing an encrypted backup using either an encrypting tape drive or the software solution.
You can perform an encrypted backup of data in an encrypted ASP. During the backup, the ASP data is decrypted as it is read, and is encrypted again as it is written to the tape.
To back up the data in an encrypted ASP, use any of the following commands:
- SAVSYS command
- GO SAVE Option 21 (saves the entire system)
- GO SAVE Option 23 (saves user data)