IBM Support

Using BRMS to Encrypt Data

Troubleshooting


Problem

This document explains that additional software is required when using BRMS to encrypt data.

Resolving The Problem

When using BRMS to save data encrypted, additional software is required. To use the software encryption function, you need to have the BRMS Advanced feature (5770-BR1 Option 2) and Encrypted Backup Enablement (57xx-SS1 Option 44) installed on the operating system.

This information was incorrectly stated in the BRMS manual, SC41-5345-06. The following was stated:
"BRMS provides you with the ability to encrypt your data to a tape device. This encryption solution is hardware independent, meaning no need for any encryption device. To use the encryption function, you need to have the BRMS Advanced feature (5761-BR1 Option 2) and Cryptographic Service Provider or Encrypted Backup Enablement (5761-SS1 Option 35) installed on the operating system." This is incorrect. The manual lists Cryptographic Service Provider (5761-SS1 Option 35) and it should list Encrypted Backup Enablement (5761-SS1 Option 44) as the correct requirement. Option 35 is not required.

Backup, Recovery, and Media Services (BRMS) provides you with the ability to encrypt your data to a tape device. This encryption solution is hardware independent, meaning that you do not need to use an encrypting tape drive or other type of encryption device to encrypt the backup data. Only user data can be encrypted with BRMS. IBM system software including BRMS software and data cannot be encrypted.

BRMS uses cryptographic services to perform the encrypted backup. When you begin a backup, the BRMS interface asks you for the keys to use for encryption, and what items you want encrypted. You provide the name of the keystore file and the key label. BRMS saves the key information so that it knows what key information is needed to restore data. The Tape Management exit program calls BRMS before each file is written. If encryption is requested, the Tape Management exit program determines if the data is to be encrypted, and which keystore file and record label to use. The Tape Management exit program does not verify what data is being encrypted.



Note: Currently, you cannot perform software encryption using native save commands. However, you can use native save/restore commands to back up cryptographic services master keys and keystore files. Restores can be performed using BRMS or native restore commands provided the master keys and keystore files are available on the target system. To use native restore commands, you must create the QTADECRYPT data area and have the Encrypted Backup Enablement (5770-SS1 Option 44) installed.

Considerations for Using the Software Encryption Method

If you are using the software encryption method for a backup, you should consider the following:
1. *ALLOBJ or *SAVSYS special authority or *ALL authority is required for each file and directory to be saved.
2. You might need more tapes for the save operation because encrypted data does not compress or compact as well as non-encrypted data.
3. Be aware of a possible performance impact when encrypting data.
4. *IBM, *SAVSYS, *SAVSECDTA, *SAVCFG and any other libraries beginning with the letter Q or # (or the equivalent of # for non-2924 languages) are not allowed to be encrypted in BRMS.
5. You cannot encrypt BRMS-related data; for example, QBRM, QUSRBRM, QMSE, and QUSRSYS.
6. BRMS does not support encryption to save files or to optical or virtual optical devices.
7. The encryption keys used for encrypting the data must be available for the life of the tape.
8. You cannot encrypt a cryptographic services keystore file that contains the encryption key used for encrypting the tape data. If you restore the keystore file onto the target system, you must set up the same Save Restore Key and Master Key used by the source system to allow restoring of user encrypted data from the tape.
9. The encryption keys used for restoring the data must be available on the restore system.
-- If the cryptographic services keystore file is sent to another system, the master key that is associated with the keystore must be the same on the other system.
-- You can export individual encryption keys from a keystore and import these keys into a keystore on another system. This keystore file is then protected with the master key.
10. If the master key for a keystore is changed, you must translate the keystores. If this step is not done and the master key is changed a second time, an encrypted save that uses that keystore will fail.
11. MASTER KEYS: You can use the SAVSYS command to save the current master keys. For system recovery, the master key can be restored on the same system or another system through one of two methods: either by entering the original PassPhrase using the load and set commands or by a Restore and Initialize (Option 2 - scratch) install of the LIC (Licensed Internal Code). The master keys will not be restored if only the LIC Restore (Option 1 - slip install) is performed without Initializing the Load Source Disk.

Note: If the SAVRST master key is set to anything other than the default, you MUST know the passphrase of the SAVRST master key to restore the master keys to another system using this media. The SAVRST master key is NOT saved with the SAVSYS. For more information, see note 4.
12. Encrypting large amounts of data during a save/restore operation affects system performance and availability. Consider doing encryption and decryption during off-peak hours. If you are using a high availability solution, you can switch to the backup system while performing the encrypted backup to avoid affecting users.
13. You cannot perform an encrypted save to a previous operating system release that does not support encrypted backups.
14. Message BRM4403 ("Encryption has been disabled for backup item.") will be posted for all backup items that cannot be saved encrypted.
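As an added example (not code from the IBM document or from BRMS), the following Python pre-flight check applies the restrictions in items 4, 5 and 6 above to a planned backup list and reports which items BRMS would refuse to encrypt, i.e. which items would be expected to receive BRM4403. The BackupItem record and the device-type labels (*TAP, *SAVF, *OPT, *VRTOPT) are assumptions made for the example.

```python
# Added example (not BRMS code): pre-flight check against items 4, 5 and 6 above.
from dataclasses import dataclass

SPECIAL_VALUES_NOT_ENCRYPTABLE = {"*IBM", "*SAVSYS", "*SAVSECDTA", "*SAVCFG"}
BRMS_LIBRARIES = {"QBRM", "QUSRBRM", "QMSE", "QUSRSYS"}   # item 5
UNSUPPORTED_DEVICE_TYPES = {"*SAVF", "*OPT", "*VRTOPT"}  # item 6; labels assumed

@dataclass(frozen=True)
class BackupItem:
    name: str         # library name or BRMS special value
    device_type: str  # "*TAP" for tape (label is an assumption)
    encrypt: bool     # whether the plan asks BRMS to encrypt this item

def encryption_block_reason(item):
    """Return None if BRMS can encrypt the item, else why it cannot."""
    if not item.encrypt:
        return None
    if item.device_type in UNSUPPORTED_DEVICE_TYPES:
        return "encryption not supported on save files or optical devices"
    if item.name in SPECIAL_VALUES_NOT_ENCRYPTABLE:
        return "special value cannot be encrypted"
    if item.name in BRMS_LIBRARIES:
        return "BRMS-related data cannot be encrypted"
    if item.name[:1] in ("Q", "#"):
        return "libraries beginning with Q or # cannot be encrypted"
    return None

def check_plan(items):
    """Map each item that would get BRM4403 to the reason it is blocked."""
    blocked = {}
    for item in items:
        reason = encryption_block_reason(item)
        if reason is not None:
            blocked[item.name] = reason
    return blocked

# Constructed sample plan: only PAYROLL and the unencrypted ARCHIVE pass.
SAMPLE_PLAN = [
    BackupItem("PAYROLL", "*TAP", True),
    BackupItem("QUSRBRM", "*TAP", True),
    BackupItem("#LIBRARY", "*TAP", True),
    BackupItem("*SAVSYS", "*TAP", True),
    BackupItem("SALES", "*SAVF", True),
    BackupItem("ARCHIVE", "*OPT", False),
]

if __name__ == "__main__":
    for name, why in check_plan(SAMPLE_PLAN).items():
        print(f"BRM4403 expected for {name}: {why}")
```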
Notes:
1. Setup instructions can be found in TECHDOC N1018617, How to Set up Encryption Environment to Perform Software Encryption, or TECHDOC N1011928, How to Set up BRMS Software Encryption Using iSeries Navigator.
2. You can use DUPMEDBRM to duplicate unencrypted data so that the copy is encrypted. You may also use DUPMEDBRM to duplicate encrypted data to a non-encrypted copy.
3.

5. For more information on managing master keys, refer to the following links:

V7R2M0 Managing Master Keys
V7R3M0 Managing Master Keys

Slipping LIC from DVD will not affect the Encryption Keys.


Historical Number

472285893

Document Information

Modified date:
27 January 2020

UID

nas8N1018803