Troubleshooting
Problem
This document explains that additional software is required when using BRMS to encrypt data.
Resolving The Problem
When using BRMS to save data encrypted, additional software is required. To use the software encryption function, you need to have the BRMS Advanced feature (5770-BR1 Option 2) and Encrypted Backup Enablement (57xx-SS1 Option 44) installed on the system.
Backup, Recovery, and Media Services (BRMS) provides you with the ability to encrypt your data to a tape device. This encryption solution is hardware independent, meaning that you do not need to use an encrypting tape drive or other type of encryption device to encrypt the backup data. Only user data can be encrypted with BRMS. IBM system software including BRMS software and data cannot be encrypted.
BRMS uses cryptographic services to perform the encrypted backup. When you begin a backup, the BRMS interface asks you for the keys to use for encryption, and what items you want encrypted. You provide the name of the keystore file and the key label. BRMS saves the key information so that it knows what key information is needed to restore data. The Tape Management exit program calls BRMS before each file is written. If encryption is requested, the Tape Management exit program determines if the data is to be encrypted, and which keystore file and record label to use. The Tape Management exit program does not verify what data is being encrypted.
Note: Currently, you cannot perform software encryption using native save commands. However, you can use native save/restore commands to back up cryptographic services master keys and keystore files. Restores can be performed using BRMS or native restore commands provided the master keys and keystore files are available on the target system. To use native restore commands, you must create the QTADECRYPT data area and have the Encrypted Backup Enablement (5770-SS1 Option 44) installed.
Considerations for Using the Software Encryption Method
If you are using the software encryption method for a backup, you should consider the following:
1. *ALLOBJ or *SAVSYS special authority or *ALL authority is required for each file and directory to be saved.
2. You might need more tapes for the save operation because encrypted data does not compress or compact as well as non-encrypted data.
3. Be aware of a possible performance impact when encrypting data.
4. *IBM, *SAVSYS, *SAVSECDTA, *SAVCFG and any other libraries beginning with the letter Q or # (or the equivalent of # for non-2924 languages) are not allowed to be encrypted in BRMS.
5. You cannot encrypt BRMS-related data; for example, QBRM, QUSRBRM, QMSE, and QUSRSYS.
6. BRMS does not support encryption to save files, or on optical or virtual optical devices.
7. The encryption keys used for encrypting the data must be available for the life of the tape.
8. You cannot encrypt a cryptographic services keystore file that contains the encryption key used for encrypting the tape data. If you restore the keystore file onto the target system, you must set up the same Save Restore Key and Master Key used by the source system to allow restoring of user encrypted data from the tape.
9. The encryption keys used for restoring the data must be available on the restore system.
   - If the cryptographic services keystore file is sent to another system, the master key that is associated with the keystore must be the same on the other system.
   - You can export individual encryption keys from a keystore and import these keys into a keystore on another system. This keystore file is then protected with the master key.
10. If the master key for a keystore is changed, you must translate the keystores. If this step is not done and the master key is changed a second time, an encrypted save that uses those keystores will fail.
11. MASTER KEYS: You can use the SAVSYS command to save the current master keys. For system recovery, the master key can be restored on the same system or another system through one of two methods: either by entering the original passphrase using the load and set commands, or by a Restore and Initialize (Option 2 - scratch) install of the LIC (Licensed Internal Code). The master keys will not be restored if only the LIC Restore (Option 1 - slip install) is performed without initializing the Load Source Disk.
    Note: If the SAVRST master key is set to anything other than default, you MUST know the passphrase of the SAVRST master key to restore the master keys to another system using this media. The SAVRST master key is NOT saved with the SAVSYS. For more information, see note 4.
12. Encrypting large amounts of data during a save/restore operation affects system performance and availability. Consider doing encryption and decryption during off-peak hours. If you are using a high availability solution, you can switch to the backup system while performing the encrypted backup to avoid affecting users.
13. You cannot perform an encrypted save to a previous operating system release that does not support encrypted backups.
14. Message BRM4403 - "Encryption has been disabled for backup item." will be posted for all backup items that cannot be saved encrypted.
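The restrictions in items 4, 5 and 6 can be checked before a backup runs, so that items which cannot be saved encrypted (the ones for which BRM4403 is posted) are found in advance. The following is an added example, not IBM or BRMS code: the function names, the media class labels (TAPE, SAVF, OPTICAL, VIRTUAL_OPTICAL) and the sample plan are assumptions made for illustration, and the # check assumes language 2924.

```python
# Added example: pre-flight check built only from the restrictions listed above.
# Item names and media class labels are constructed for illustration.

# Special values the page lists as not allowed to be encrypted (item 4).
BLOCKED_SPECIAL_VALUES = {"*IBM", "*SAVSYS", "*SAVSECDTA", "*SAVCFG"}
# Targets the page says BRMS encryption does not support (item 6).
UNSUPPORTED_TARGETS = {"SAVF", "OPTICAL", "VIRTUAL_OPTICAL"}


def encryption_blocker(item, target="TAPE"):
    """Return why the item cannot be saved encrypted, or None if no listed rule applies."""
    name = item.strip().upper()
    if target.strip().upper() in UNSUPPORTED_TARGETS:
        return "target does not support BRMS encryption"
    if name in BLOCKED_SPECIAL_VALUES:
        return "special value is not allowed to be encrypted"
    if name.startswith("*"):
        return None  # other special values are not covered by the page's list
    if name[:1] in ("Q", "#"):
        # Covers the BRMS libraries of item 5 (QBRM, QUSRBRM, QMSE, QUSRSYS) as well.
        return "library name begins with Q or #"
    return None


def audit(entries):
    """entries: iterable of (item, target, encrypt_requested).
    Returns [(item, reason)] for entries that request encryption but are blocked."""
    findings = []
    for item, target, encrypt_requested in entries:
        if not encrypt_requested:
            continue
        reason = encryption_blocker(item, target)
        if reason:
            findings.append((item, reason))
    return findings


# Constructed sample plan: (backup item, target media class, encryption requested)
SAMPLE_PLAN = [
    ("PAYROLL", "TAPE", True),
    ("QUSRBRM", "TAPE", True),
    ("*SAVSECDTA", "TAPE", True),
    ("#LIBRARY", "TAPE", True),
    ("HRDATA", "SAVF", True),
    ("QGPL", "TAPE", False),
]

if __name__ == "__main__":
    for item, reason in audit(SAMPLE_PLAN):
        print(f"{item}: cannot be saved encrypted ({reason})")
```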
Notes:
1. Setup instructions can be found in the document "How to Set up Encryption Environment to Perform Software Encryption".
2. You can use DUPMEDBRM to duplicate un-encrypted data to be encrypted. You may also use DUPMEDBRM to duplicate encrypted data to non-encrypted.
3. For more information on managing master keys, refer to "Managing master keys" in IBM Documentation.
4. Slipping LIC from DVD will not affect the Encryption Keys.
Additional information can be found in the BRMS wiki:
Historical Number
472285893
Document Information
More support for: IBM i
Component: BRMS encryption
Software version: 7.1.0 and future releases
Operating system(s): IBM i
Document number: 643389
Modified date: 15 November 2024
UID: nas8N1018803