© 2011 IBM Corporation
MITEC - June 7, 2011

Backup Encryption on IBM i

Speaker: Debbie Saugen

Page 2

About the Speaker

Debbie Saugen is the Technical Owner of IBM i Backup and Recovery in the Rochester, MN Development Lab. She is also a Senior Business Recovery Architect/Consultant with IBM Business Continuity and Resiliency Services. Debbie ensures the Backup and Recovery Solution meets the customer's requirements in capability and usability. She does actual Backup/Recovery testing using the new functions, products and publications.

As a recognized expert on Backup and Recovery worldwide, Debbie enjoys sharing her knowledge by speaking at Common, Technical Conferences, Business Continuity and Resiliency Services Conferences, User Group conferences and writing for various magazines, books and websites.

You can reach Debbie at [email protected].

Page 3

Agenda

• Why is Encryption Hot in the Marketplace Today?
• Techniques for Encrypting Data
• Hardware Based Backup Encryption (via LTO4/LTO5 or TS1120/TS1130)
  – Aside: Tape Technology Update
  – Solution Overview
  – Tivoli Key Lifecycle Manager
  – Comparisons
    • based on Tape Technology used (LTO4/LTO5 vs TS1120/TS1130)
    • based on Drives/Libraries used (Small or Enterprise Libraries)
    • based on Solution Components
  – BRMS and Drive-based Tape Encryption
  – Planning for your Encryption Project
  – Encryption Recovery Stories
• Software Based Backup Encryption (via BRMS)
  – Aside: BRMS Overview
  – Solution Overview and Considerations
  – Setting up BRMS-based encryption
• Summary

Page 4

Tape and Data Encryption

In the News: TAPES LOST! Privacy Commission Contacted. Customer Data EXPOSED!!

In a move that could fuel efforts to change data storage practices, records management provider ABC Co has admitted losing a customer's backup tapes and is recommending that customers begin encrypting tapes.

Although data encryption is not a new issue, it is a growing business security focus. Increased awareness of customer privacy, an increase in identity theft crimes, and more technically savvy criminals are all contributing.

New state, federal and industry regulations to protect personal data, credit card numbers, etc. are making this an issue of interest to many businesses.

• Many government agencies are requiring disclosure of security breaches
  – 38 states have enacted legislation requiring notification in cases of security breaches (Source: www.Privacyrights.org)
  – Similar federal legislation has been proposed (Source: http://www.epic.org/privacy/bill_track.html)
• Industry organizations are also increasing scrutiny of security procedures (Source: Payment Card Industry Security Audit Procedures Version 1)
• Over 236 million data records of U.S. residents have been exposed due to security breaches since January 2005 (Source: www.Privacyrights.org)

Page 5

Tape and Data Encryption

Costs from Security Breach

Direct Costs
  – Fines and penalties
  – Customer notification (letters, postage, hotline, credit checks)
  – Public Relations costs
  – Legal Actions

Indirect Costs
  – Loss of reputation
  – Loss of customer goodwill
  – Government investigations

Page 6

Techniques for Encrypting Data on IBM i

• Software Based Encryption: encrypt using middleware for selected objects (eg BRMS); the save writes an encrypted copy of the database to tape (6.1 BRMS SW Encryption)
• Application Database Encryption: encrypt sensitive data directly in SQL table columns or via application use of cryptographic APIs; the encrypted fields go to tape as encrypted data
• Hardware Appliance Encryption: encrypt using a 3rd party appliance between server and tape drive
• Tape Drive based Hardware Encryption: encrypt using a tape drive with built-in tape encryption (eg LTO4/LTO5 or TS1120/TS1130)

Page 7

Encrypting Data via IBM Tape Drives with Built-in Encryption

Page 8

(Aside) Update on Tape Drives for IBM i

Page 9

Current IBM Tape Product Line for IBM i

LTO Family (TS2240, TS2340, TS2900, TS3100, TS3200, TS3310, TS3500)
• Low cost
• High capacity
• Fast streaming operations

Enterprise Family (TS1130, TS3400, TS3500)
• High performance
• High capacity
• Industrial strength
• Fast streaming and start/stop operations

Recent additions: TS3500 HD (High Density) GA'd Fall 2008; TS2900 (SAS) GA'd in Dec 2008 (POWER6 + i6.1); TS1130 GA'd in Sept 2008

Page 10

LTO Ultrium Tape Family

HH = half high, FH = full high

| | TS3500 | TS3310 | TS3200 | TS3100 | TS2340 | TS2240 | TS2900 |
|---|---|---|---|---|---|---|---|
| Machine Name | 3584 | 3576 | 3573-L4U | 3573-L2U | 3580-L43/S43 | 3580-H4S | 3572 |
| Partition Capable | Yes | Yes | Yes | Yes (w HH) | No | No | No |
| Max # Cartridges | >6200 | 396 | 45+3 | 23+1 | 1 | 1 | 9 |
| LVD SCSI Drives | No (not for LTO3/4/5) | No (not for LTO4/5) | Yes (2) | Yes (1) | FH (1) (L43) | No | No |
| SAS Drives | No | FH (18) | HH (4) FH (2) | HH (2) FH (1) | FH (1) (S43) | HH (1) | HH (1) |
| Fibre Drives | 4 Gbit (192) | 4 Gbit (18) | 4 Gbit (2) | 4 Gbit (1) | No | No | No |
| LME Encryption (w Transparent LTO Encr Feat) | w fibre (+ fc 1640) | w SAS/fibre (+ fc 5900) | w SAS/fibre (+ fc 5900) | w SAS/fibre (+ fc 5900) | No | No | Yes (+ fc 5901) |

NEW (TS2900): Requires POWER6 and IBM i 6.1

Although SAS drives have 2 ports, they are only supported for single system attach

Page 11

LTO 5 Current Tape Support

New: LTO 5 Tape Library Now Also Supported on IBM i

• TS2250 Half High LTO5 (3580-H5S or 3580-S5E) – POWER6/POWER7 Servers or POWER Blades
• TS2350 Full High LTO5 (3580-S53 or 3580-S5X) – POWER6/POWER7 Servers but NOT on Blades
• Requires IBM i 6.1.1 with MF49234 or IBM i 7.1 with MF49235
• LTO5 Supported Directly or through VIOS – Minimum VIOS level is 2.1.3.10 FP23
• LTO5 Performance on IBM i Same as LTO4
• Tape Capacity Doubled – Now 1.5TB Native
• Encryption NOT Supported on TS2250 or TS2350 – TS2250 or TS2350 are Standalone Drives
  – IBM i Encryption Requires Tape Libraries for Library Managed Encryption
• BRMS Supports LTO5 TS2250 and TS2350

Page 12

LTO 5 Current Tape Support

New: LTO 5 Tape Library Now Also Supported on IBM i

• Supported Adapters
  – POWER6/POWER7
    • SAS adapters #5912 (PCI-X) or #5901 (PCIe)
  – IBM BladeCenter S
    • IBM BladeCenter SAS Connectivity Module
    • IBM BladeCenter S SAS RAID Controller Module
  – IBM BladeCenter H
    • IBM BladeCenter SAS Connectivity Module
  – JS12 / JS22 Blades
    • SAS Expansion card (CFFv) for IBM BladeCenter (7998-8250)
  – JS23 / JS43 and PS700/701/702 Blades, use the following Expansion Card
    • 3Gb SAS Passthrough Expansion Card (CIOv) for BladeCenter (8406-8246)

Page 13

Enterprise Tape Family

| | TS3500 | TS3400 | TS1130 Standalone |
|---|---|---|---|
| Machine Name | 3584 | 3577-L5U | 3592-E06 |
| Partition Capable | Yes | Yes | No |
| Max # Cartridges | >6200 | 18 | 1 |
| Max # drives | 192 | 2 | 1 |
| LVD Drives | No (for TS1120/30) | No | No |
| Fibre Drives | 4 Gbit (for TS1120/30) | 4 Gbit | 4 Gbit |
| Library Managed Encryption Capable | Yes | Yes | No |

Drive based Encryption is supported for TS1120 / TS1130 drives in the TS3400 and TS3500 (and 3494), but not standalone drives

TS1130 GA'd in Sept 2008

TS1130 Support
• V5R3 with IOP'd fibre cards
• 6.1 + POWER6 for IOPless fibre cards

Page 14

Overview of Encryption Solution on IBM Tape Drives

Page 15

Encryption Methods and Encryption Key Manager

• Library-Managed (LME): TS3500, TS3400, TS3310, TS3200, TS3100, TS2900, 3494
• System-Managed (SME): z/OS, AIX, Solaris, Windows & Linux
• Application-Managed (AME): TSM only

Page 16

IBM i Tape Encryption on IBM Tape Drives

(Diagram: IBM i connected to LTO4/LTO5 or TS1120 / TS1130 Drives in a Tape Library, with two TKLM Servers)

Components
• Encryption Capable Tape Drive(s) – fibre TS1120/TS1130 or fibre/SAS LTO4/LTO5
• A Tape Library – TS2900/3100/3200/3310, TS3400, TS3500, 3494
• Multiple Key Managers (TKLMs)
• Suitable Drive / Library / TKLM at DR Site to restore

How does it Work?
• IBM i sends the backup to the tape library
• If the drive / library has encryption turned on, then the library gets the keys from the TKLM
• The drive/library writes the save
• BRMS is recommended to keep encrypted / non-encrypted tapes separate

Page 17

Tivoli Key Lifecycle Manager (TKLM)

Page 18

Tivoli Key Lifecycle Manager (TKLM) – IMPORTANT

Primary Site and Disaster Recovery Site

Run Multiple TKLMs (so backups can still run when one is down)

Comparable DR Site Gear
• Encryption Capable Drive / Library
• Access to TKLMs

Save / Synch
• Copy fresh keystore to all TKLMs each time you add/change keys
• Keep offsite backup of TKLM

Don't Encrypt TKLM
• Run TKLM on a system/LPAR where none of the saves will be encrypted

TEST YOUR RECOVERY CAREFULLY!

Page 19

Tivoli Key Lifecycle Manager (TKLM)

What is TKLM?
• Follow-on to Encryption Key Manager (EKM)
• Stores / Serves keys for Encryption:
  – Tape: TS1120, TS1130, LTO4, LTO5
  – Disk: DS8000
• MUCH more user-friendly than EKM

IBM i customers usually run their TKLM on Windows because:
• They typically have good skill on Windows
• It avoids the temptation to run TKLM on a system with a production application and accidentally encrypt the keys (this would make it impossible to recover due to the chicken / egg problem)
• Easy to load up a spare TKLM and store it offsite
• Easy to acquire hardware to re-build the TKLM after a big disaster
• Faster to restore / rebuild the key store on Windows vs a larger platform

Although we can't RUN TKLM on IBM i, we can use TKLM on another platform to encrypt our IBM i saves

What Platforms does it run on?
• Windows Server 2003 & 2008
• AIX 5.3, AIX 6.1 or later
• Red Hat Enterprise Linux 4 & 5
• SuSE Linux Enterprise Server 9 & 10
• Solaris 9 & 10 SPARC
• z/OS Version 1 Release 9 & 10

See Notes page for details

Page 20

TKLM – Supported Platforms - Notes

Tivoli Key Lifecycle Manager Platforms Supported

Supported with initial TKLM release:
• AIX 5.3 64-bit
• AIX 6.1 64-bit
• Red Hat Enterprise Linux 4 32-bit
• Solaris 10 SPARC 64-bit
• SuSE Linux Enterprise Server 9 32-bit
• SuSE Linux Enterprise Server 10 32-bit
• Windows Server 2003 32-bit

Supported with TKLM Fix Pack 1 installed (Fix Pack 1 came out in late April 2009):
• Red Hat Enterprise Linux 5 32-bit
• Red Hat Enterprise Linux 5 64-bit (32-bit mode)
• Solaris 9 SPARC 64-bit
• SuSE Linux Enterprise Server 10 64-bit (32-bit mode)
• Windows Server 2003 64-bit (32-bit mode). Requires both new installation image and Fix Pack 1
• Windows Server 2008 32-bit. Requires both new installation image and Fix Pack 1
• Windows Server 2008 64-bit (32-bit mode). Requires both new installation image and Fix Pack 1

TKLM Hardware Requirements

| System Component | Minimum Value | Typical Value |
|---|---|---|
| System Memory (RAM) | 2 GB | 4 GB |
| Processor Speed | For Linux and Windows: 2.66 GHz single processor; For AIX and Sun Solaris: 1.5 GHz (2-way) | For Linux and Windows: 3.0 GHz dual processors; For AIX and Sun Solaris: 1.5 GHz (4-way) |
| Disk space free for product and pre-requisite products such as DB2 Database and keystore files | 10 GB | 20 GB |
| Disk space free in /home directory for DB2 Database | 1.5 GB | 1.5 GB |
| Disk space free in /opt | 3.5 GB | 3.5 GB |
| Disk space free in /tmp or C:\temp | 500 MB | 500 MB |

• All file systems must be writeable
• Minimum Values: These values enable a basic use of TKLM
• Typical Values: You might need to use larger values that are appropriate for your production environment. The most critical requirements are to provide adequate system memory, and free disk space and swap space. Processor speed is less important

TKLM is tested for x86 Linux, but not yet for POWER Linux

Page 21

TKLM: Advantages over EKM

Much Nicer Interface
• GUI Install Wizard
• Web GUI Interface
• Simple backup of TKLM data via GUI

New Functions
• Automated key rollover
• Notification of expired certificates
• Able to force a unique key for each LTO tape

Easier to Order/Use
• IBM Java RunTime Environment (IBM JRE) is included with the product: no need to buy TPC/BE
• Easy to include Support on the order
• Better documentation via Info Center

Page 22

What's New in TKLM V2.0

• Key Management Interoperability Protocol – KMIP V1.0 Support Extends TKLM to non-IBM Devices
  – Emulex Encrypting HBAs
  – Brocade Encrypting Switch
  – Around 30 companies participating in the OASIS TC
• Role Based Access Control
  – Can define multiple administrators with different permissions
  – Can define different administrators for different groups of devices
  – Can restrict what devices can get which keys
• New Ease of Use Features
  – Pending auto – new option to capture device registration request and hold for administrative action
  – Works for devices and certificates
  – Improved silent install
• New Options for Disaster Recovery
  – Flag to not serve a key until it has been backed up
  – New scripts for automating keystore backup/restore

Page 23

TKLM: Pricing and Licensing

TKLM Server License ($3,000 US) includes:
• 1 Production Copy of TKLM
• Multiple non-production copies of TKLM
• First 2 tape drive or disk resource activations

TKLM "Resource Value Units" (RVU's), $750 US each:
• Authorization to add 1 more tape drive to drive table
• Or ability to encrypt 1 more TB of disk

Example: Primary Site with 6 drives (TKLM A, TKLM B); Secondary Site with 4 drives (TKLM C, TKLM D)

A single TKLM server license with 8 tape drive RVUs (+ 2 base RVUs) could be used as follows (simultaneously):
• Load it onto TKLM A and have both tape libraries point at it as their main Key Manager with 10 drives in the drive table
• Load it onto TKLM B and have both libraries point at it as their backup Key Manager. TKLM B will be used automatically if TKLM A is unavailable
• Load it onto TKLM C and TKLM D to use in case of a disaster. The Libraries will have to be switched to point at these key managers when needed
• Load it onto 2 laptops to store offsite in case of a serious disaster
• Use TKLM C and TKLM D 2-3 times a year for 2-3 days each time for disaster recovery testing, even while TKLM A and TKLM B are serving keys
• If the secondary site is a cold site (eg drives are only used in a disaster), then 4 RVUs (+ 2 base) are enough

TKLM offers volume discounts. Check the announcement letter for details

If the customer would like to run each tape library from a local TKLM, then he will need 2 TKLM server licenses (2+2 base RVU's) and 6 extra drive RVU's
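The operational points spread across Pages 16, 18, 22 and 23 (the library fetches the key from a TKLM and the drive writes the save; keep several TKLMs and copy a fresh keystore to all of them whenever keys change; the V2.0 flag that refuses to serve a key until it has been backed up; the backup TKLM being used automatically when the main one is down) fit in one small model. The Python below is an added example and is not TKLM, BRMS or IBM code: KeyManager, TapeLibrary, the keystore dictionaries, the key labels and the SHA-256 keystream that stands in for the drive cipher are all constructed for illustration, and no real TKLM protocol is implemented. What it shows is which failures are recoverable (TKLM A down) and which are not (a key that was never synced to the DR site's TKLMs).

```python
"""Model of library-managed tape encryption (LME) with several TKLMs.
Added example, not TKLM, BRMS or IBM code: the keystore, serve() and the
SHA-256 keystream stand-in for the drive cipher are constructed so that
the scenarios from Pages 16, 18, 22 and 23 can run offline."""
import hashlib
import os
from dataclasses import dataclass, field


class KeyUnavailable(Exception):
    """A key manager could not serve the requested key."""


@dataclass
class KeyManager:
    """One TKLM instance with a keystore of labelled data keys (constructed model)."""
    name: str
    online: bool = True
    serve_only_backed_up: bool = False             # TKLM V2.0 DR flag (Page 22)
    keystore: dict = field(default_factory=dict)   # key label -> key bytes
    backed_up: set = field(default_factory=set)    # labels present in the last backup

    def add_key(self, label: str) -> None:
        self.keystore[label] = os.urandom(32)

    def backup(self) -> dict:
        # Page 18: keep an offsite backup of TKLM; the snapshot is what gets copied
        self.backed_up = set(self.keystore)
        return dict(self.keystore)

    def serve(self, label: str) -> bytes:
        if not self.online:
            raise KeyUnavailable(f"{self.name} is down")
        if label not in self.keystore:
            raise KeyUnavailable(f"{self.name} does not hold {label}")
        if self.serve_only_backed_up and label not in self.backed_up:
            raise KeyUnavailable(f"{self.name}: {label} has not been backed up")
        return self.keystore[label]


def sync_keystores(source: KeyManager, targets: list) -> None:
    """Page 18: copy a fresh keystore to all TKLMs each time keys change."""
    snapshot = source.backup()
    for km in targets:
        km.keystore, km.backed_up = dict(snapshot), set(snapshot)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the drive cipher (NOT the real tape encryption): XOR with a
    SHA-256 counter keystream; applying it a second time restores the data."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        stream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], stream))
    return bytes(out)


@dataclass
class TapeLibrary:
    """Library with encryption on; it asks its key managers in order, so the
    backup TKLM is used automatically when the main one is unavailable (Page 23)."""
    key_managers: list

    def fetch_key(self, label: str) -> bytes:
        for km in self.key_managers:
            try:
                return km.serve(label)
            except KeyUnavailable:
                continue
        raise KeyUnavailable(f"no key manager could serve {label}")

    def write_save(self, label: str, data: bytes) -> bytes:
        return keystream_xor(self.fetch_key(label), data)

    def restore_save(self, label: str, tape: bytes) -> bytes:
        return keystream_xor(self.fetch_key(label), tape)


def run_scenarios() -> dict:
    """Constructed scenarios; returns one outcome per scenario name."""
    a, b = KeyManager("TKLM A"), KeyManager("TKLM B")      # primary site
    c, d = KeyManager("TKLM C"), KeyManager("TKLM D")      # DR site
    a.add_key("daily-001")
    sync_keystores(a, [b, c, d])
    primary, dr_site = TapeLibrary([a, b]), TapeLibrary([c, d])
    save = b"payroll master file"                           # constructed payload
    tape = primary.write_save("daily-001", save)
    results = {"encrypted_differs": tape != save}

    a.online = False                                        # TKLM A goes down
    results["failover_to_B"] = primary.restore_save("daily-001", tape) == save
    a.online = True

    a.add_key("daily-002")                                  # keystore NOT resynced
    tape2 = primary.write_save("daily-002", save)
    try:
        dr_site.restore_save("daily-002", tape2)
        results["dr_restore_without_sync"] = "restored"
    except KeyUnavailable:
        results["dr_restore_without_sync"] = "unrecoverable"

    a.serve_only_backed_up = True                           # Page 22 flag
    a.add_key("daily-003")
    try:
        primary.write_save("daily-003", save)
        results["unbacked_key_served"] = True
    except KeyUnavailable:
        results["unbacked_key_served"] = False
    return results
```

Running `run_scenarios()` gives `failover_to_B` True, `dr_restore_without_sync` "unrecoverable" and `unbacked_key_served` False: the second TKLM covers an outage, but only a keystore that was actually copied to the DR site's TKLMs lets the DR site read the tape, and the V2.0 flag stops a save from being written under a key that exists nowhere but on one server.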

Page 24

Notes - TKLM: Feature Codes

eConfig/AAS
• 5608-A91 Initial Server License with 2 tape/disk activations + 1 yr SW Maintenance
• 5608-A92 1-yr SW Maintenance Renewal without a lapse (20% of purchase price)
• 5608-A95 1-yr SW Maintenance Renewal following a lapse (60% of purchase price)
• 5608-A93 – initial license with 3-year maintenance
• 5608-A96 – subsequent 3-year maintenance without a lapse
• 5608-A94 – subsequent 3-year maintenance following a lapse

For each product above (except 5608-A92):
• Fc 0005 is the server license
• Fc 0003 is the tape or disk resource activation

For 5608-A92:
• Fc 0009 is the server license maintenance for the 1st yr
• Fc 0001 is the tape or disk resource activation maintenance for the 1st yr
• Fc 0011 is the server license maintenance for subsequent years
• Fc 0003 is the tape or disk resource activation maintenance for subsequent yrs

From TKLM Announcement Letter - 209-020 dated January 13/09

Passport Advantage
• D0887LL - TKLM server license with 2 tape/disk activations + 1 yr SW maintenance
• E06JMLL - TKLM server license – 1 yr maintenance renewal
• D0888LL - TKLM server license – 1 yr maintenance renewal after a lapse
• D05EULL – Storage resource allocation including 1 yr SW maintenance
• E05EULL - Storage resource allocation - 1 yr SW maintenance renewal (no lapse)
• D05EVLL - Storage resource allocation - 1 yr SW maintenance renewal (no lapse)
• BJ0QUML – copy of code on CD for folks who don't want to download it

The feature code #'s in the announcement letter are truncated so it is difficult to differentiate them, hence we have included them here. Please see the announcement letter for additional information.

Some customers may have bigger discounts on AAS or Passport Advantage, which will dictate how they order.

Passport Advantage synchs up the maintenance agreements in the 2nd year so they are payable at the same time for all products, which may draw a customer to this ordering method.

Page 25

TKLM V2.0 Pricing Changes

• No Tape Drive Activations Included for New Customers
  – TKLM V1.0 customers get 2 tape drive activations
  – Customers with TKLM Maintenance get TKLM V2.0 Free
• RVU Definition Changes
  – RVU used to be 1 Drive = 1 RVU
  – Now 1 Drive w/1TB Cartridge = 1 RVU
  – Hence, 3592 w/700GB Media = .7 RVU

Page 26

Tape Drive Based Encryption Reminders

Things to Remember

• Hardware Required
  – LTO4/LTO5 or TS1120/TS1130 tape drives
  – Fibre or SAS (not SCSI)
  – Drives must reside in a tape library (although it's OK to run in sequential mode)
  – For LTO4/LTO5, library must have the transparent LTO encryption feature
  – LTO4/LTO5 media for LTO4/LTO5, or any TS1120/TS1130 formatted media
  – Comparable gear at your recovery site
• Software Required
  – Tivoli Key Lifecycle Manager Software + hardware to run it on
• Key Manager reminders
  – Don't encrypt your Key Manager
  – Have multiple Key Managers at your home site and DR site
  – Save your Key Manager and send a copy offsite anytime your keys change
• Other Reminders
  – Choose TS3500/3494 over other libraries since they can turn encryption on/off based on volser
  – Include ALMS on a TS3500 order so encrypted/non-encrypted drives can share a TS3500 partition
  – IBM Rochester Lab Services Available to help with install/setup (contact Mark Even in Rochester)

Page 27

Tape Encryption Comparisons

• Smaller libraries vs TS3500/3494
• LTO4/LTO5 vs TS1120/TS1130

Page 28

Comparison of Tape Encryption Among Drives / Libraries

Small LTO4/LTO5 Libraries (TS2900/TS3100/TS3200/TS3310) and Small TS1120/30 Library (TS3400)
• Turn Encryption on/off via tape GUI interface
• All drives in a library partition have the same setting for encryption

Enterprise Libraries (TS3500 with LTO4/LTO5/TS1120/30, or 3494 with TS1120/TS1130)
• Encryption can be controlled by volume serial number ("Barcode Encryption Policy" = "BEP")
• With ALMS, TS3500 can have a mixture of encrypted / non-encrypted drives

Page 29

Comparison of Solution Components for LTO4 vs TS1120/30

| | TS1120 / TS1130 | LTO4/LTO5 |
|---|---|---|
| Media | TS1120/30 Media | LTO4/LTO5 media only |
| Key Manager | Multiple TKLMs (SW + HW to run it on) | Multiple TKLMs (SW + HW to run it on) |
| Transparent LTO Encryption feature for LME and SME | Not required (function is included in drive price) | TS2900: fc 5901 ($1,250 US); TS3100/TS3200: fc 5900 ($2,500 US); TS3310: fc 5900 ($5,000 US); TS3500: fc 1604 ($12,000 US) |
| Tape Library | TS3400 or TS3500 or 3494 | TS2900, TS3100, TS3200, TS3310, TS3500 |
| Encryption Capable Drive | Fibre TS1120/30 (3592E) drives with fc 5592 ($5K) or fc 9592 (nc) | Fibre or SAS LTO4/LTO5 drives only (*NOT* LVD SCSI drives) |

Note: TS1120/30 use a special media density for encrypted tapes called FMT3592A2E/A3E. LTO4/LTO5 does not have a special density.

Page 30

Notes: Encryption Intermix Rules with/without ALMS

The intent of this document is to explain and clarify the impact of Advanced Library Management System (ALMS) when implementing encryption on an IBM System Storage TS3500 Tape Library. The following are several terms and definitions that are necessary to be familiar with when referring to ALMS and encryption on a TS3500 tape library.

Terms and Definitions

1) Encryption capable versus encryption enabled. Encryption capable refers to a drive's ability to convert data into a cipher that ensures data security. For example, all IBM LTO 4 drives are encryption capable while not all IBM 3592 E05 drives are encryption capable (ie drives bought before the TS1120 encryption announcement need to add the fc 5592 encryption feature to make them encryption-capable). To perform encryption, the drive must be made "encryption-enabled" by your selection of one of three methods of encryption management.

2) Encryption management method. Library managed encryption (LME) – Library acts as the proxy to the EKM (supported on System i). System managed encryption (SME) – IBM device drivers act as the proxy for open. For zSeries the key proxy is via zOS IOS for in band or via the drive Control unit for out of band connectivity. Application managed encryption (AME) - Key management is performed by TSM.

3) TS1120 refers to 3592 E05s only, not the 3592 J1As. Machine type 3592 refers to both J1As and E05s.

4) Not all TS1120s are encryption capable. Non encryption capable TS1120s have serial numbers that start with S/N 13-50000. Encryption capable TS1120s have serial numbers that start with serial # 13-65000. Older pre S/N 13-65000 drives that have been MES'd with FC5592 are encryption capable.

5) All IBM LTO4 drives are encryption capable provided LTO4 cartridges are used. All IBM LTO1, LTO2 and LTO3 drives are not encryption capable.

6) Library refers to the entire physical library; logical library refers to a subset of the physical library. While a physical library can consist of only one logical library, in this paper logical library will infer that multiple logical libraries are defined.

Page 31

Notes: Encryption Intermix Rules with/without ALMS

TS3500 ALMS Encryption Rules

For NON ALMS TS3500 libraries we enforce homogeneous encryption rules for all 3592 and all LTO drives, separately by drive type. Drive type is defined as 3592 or LTO.

Rule 1. Environment: TS3500 Non ALMS 3592 drives only library

All 3592 drives in the entire library must be encryption capable for encryption to be enabled. The entire physical library (all logical libraries if partitioned) must consist of encryption capable 3592 E05 drives. If encryption is to be enabled, it must be enabled for all drives in the entire physical library and they need to be all managed in the same manner, ie all LME, all SME, or all AME.

Rule 2. Environment: TS3500 Non ALMS LTO drives only library

The entire library must consist of LTO4 drives before encryption can be enabled. No LTO1, LTO2 or LTO3 drives are allowed in the entire physical library. If the library is partitioned, all logical libraries must have encryption enabled in the same manner, ie all LME, all SME, or all AME.

Rule 3. Environment: TS3500 Non ALMS 3592 and LTO drives mixed. Both drive types (LTO and 3592) need to be encryption enabled.

If you intend to enable encryption for both LTO and 3592 then Rule 1 and Rule 2 must be adhered to with the following exception. All LTO logical libraries must be managed in the same manner (ie LME, SME or AME) and all 3592 logical libraries must be managed in the same manner (ie LME, SME or AME); however, LTO and 3592 can be managed differently. For example, all LTO can be LME while all 3592 can be SME or all AME.

Rule 3A. Environment: TS3500 Non ALMS 3592 and LTO drives mixed, but only LTO or only 3592 intend to have encryption enabled.

The rules only need to be adhered to if you intend to enable encryption for that drive type. If you intend to enable 3592 encryption only and not LTO encryption, then only Rule 1 needs to be adhered to. If you intend to enable LTO encryption only and not 3592 encryption, then only Rule 2 needs to be adhered to.

Rule 4. Environment: TS3500 ALMS enabled 3592 drives only library

With ALMS enabled, not all drives in the physical library need to be encryption capable. That is, the physical library can consist of both encryption capable and non encryption capable 3592 drives.

All drives in the Logical library must be encryption capable if using LME or AME. All drives in a SME managed Logical library do NOT need to be encryption capable.

Page 32

Notes: Encryption Intermix Rules with/without ALMS

Rule 5. Environment: TS3500 ALMS enabled LTO drives only library

With ALMS enabled, not all LTO drives in the physical library or the logical library need to be encryption capable for encryption to be enabled. For example, a logical library can consist of LTO4, LTO2, and LTO3 drives, and yet the LTO4 drives can be encryption enabled using LME, AME or SME.

Rule 5A. Environment: TS3500 ALMS enabled, 3592 and LTO drives mixed.

Rules 4 and 5 only need to be adhered to if you intend to enable encryption for that drive type. If you intend to enable 3592 encryption only and not LTO encryption, then only Rule 4 applies. If you intend to enable LTO encryption only and not 3592 encryption, then only Rule 5 applies. If you intend to implement encryption on both 3592 and LTO, then Rules 4 and 5 both apply.
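Rules 1 through 5A are easy to misapply when a library is partitioned, so here they are written out as a configuration check. This is an added illustration, not IBM code and not a tool the presentation describes: the data model (Drive, LogicalLibrary, PhysicalLibrary) and the function name check_intermix are assumptions made for the example, and encryption_capable stands for "LTO4" (LTO) or "3592 E05" (3592) exactly as the rules above define capability. The 3592 and LTO families are checked separately, as Rules 3 and 5A require, and under ALMS only 3592 LME/AME logical libraries are constrained (Rule 4), since Rule 5 places no such restriction on LTO logical libraries.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Drive:
    family: str                # "LTO" or "3592"
    model: str                 # label only, e.g. "LTO4", "LTO3", "3592 E05"
    encryption_capable: bool   # LTO4 or 3592 E05 per the rules above


@dataclass
class LogicalLibrary:
    name: str
    drives: List[Drive]
    method: Optional[str] = None   # "LME", "SME", "AME", or None = encryption not enabled


@dataclass
class PhysicalLibrary:
    alms: bool
    logical_libraries: List[LogicalLibrary]


FAMILIES = ("3592", "LTO")


def check_intermix(lib: PhysicalLibrary) -> List[str]:
    """Return the rule violations for enabling encryption; an empty list means allowed."""
    problems: List[str] = []
    for fam in FAMILIES:
        # Logical libraries that contain at least one drive of this family.
        with_fam = [ll for ll in lib.logical_libraries
                    if any(d.family == fam for d in ll.drives)]
        intended = [ll for ll in with_fam if ll.method]
        if not intended:
            # Rules 3A / 5A: a family you are not encrypting is not constrained.
            continue
        if not lib.alms:
            # Rules 1-3: without ALMS the whole physical library must be homogeneous
            # per family: every drive capable, every logical library enabled, one method.
            for ll in with_fam:
                for d in ll.drives:
                    if d.family == fam and not d.encryption_capable:
                        problems.append(
                            f"non-ALMS: {fam} drive {d.model} in {ll.name} is not encryption capable")
                if ll.method is None:
                    problems.append(
                        f"non-ALMS: {ll.name} has {fam} drives but encryption is not enabled")
            methods = {ll.method for ll in intended}
            if len(methods) > 1:
                problems.append(
                    f"non-ALMS: {fam} logical libraries use mixed methods {sorted(methods)}")
        elif fam == "3592":
            # Rule 4: with ALMS, a 3592 logical library managed by LME or AME must be
            # all encryption capable; an SME logical library may mix. Rule 5 places no
            # such restriction on LTO logical libraries, so nothing is checked for LTO.
            for ll in intended:
                if ll.method in ("LME", "AME"):
                    bad = [d.model for d in ll.drives
                           if d.family == fam and not d.encryption_capable]
                    if bad:
                        problems.append(
                            f"ALMS: {ll.name} ({ll.method}) contains non-capable 3592 drives {bad}")
    return problems


if __name__ == "__main__":
    # Constructed example: a non-ALMS library with one LTO3 left in an LME partition.
    lib = PhysicalLibrary(False, [LogicalLibrary("LL1", [Drive("LTO", "LTO4", True),
                                                          Drive("LTO", "LTO3", False)], "LME")])
    for p in check_intermix(lib):
        print(p)
```

The check is meant to be run before ordering or re-partitioning: a non-empty result tells you which rule the intended configuration breaks and in which logical library, which is the question the "Bottom Line" notes below answer only in general terms.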

The Bottom Line

On an existing TS3500 library without ALMS: implementing encryption on an existing library is very inflexible and can be costly, because older technology cannot coexist with newer encryption capable technology.

On a newly ordered library without ALMS: implementing encryption is harder to manage and not very flexible. This environment is useful only if you intend to implement encryption on a new library that won't change over time. All logical libraries will need to use the same encryption method, which makes management an issue when you need to create non-encrypted cartridges.

On a new or existing TS3500 library with ALMS: implementing encryption is easily managed, flexible, and much more cost effective regardless of your library configuration. It is cost effective because older technology can coexist in the same physical library with newer encryption capable technology without restrictions. Management is much easier because multiple encryption methods can be used within the same library, and it is more flexible because a logical partition can consist of both old and new encryption capable technology.

On August 29, 2006, IBM announced entry and intermediate priced offerings of ALMS that mesh with existing Capacity on Demand library features. This provides full ALMS functionality for smaller libraries at a lower entry fee and lessens the impact of cost as a barrier.

Page 33

BRMS and Tape Encryption

Page 34

BRMS and Tape Encryption

• In TS3500 and 3494 libraries, the user needs to keep the encrypted / non-encrypted media inventories in sync between BRMS and the tape library records

• BRMS PTFs for “Encryption Awareness” on TS1120 / TS1130 drives will help

SI24932 - V5R2M0
SI24933 - V5R3M0
SI24934 - V5R4M0

LTO4/LTO5 does not have a special density for encrypted tapes

PTFs provide a new Media Density for TS11x0: "FMT3592A2E" or "FMT3592A3E"

[Diagram: media classes and scratch encryption policy]
Media Class for Encrypted Tapes (for TS1120, use density FMT3592A2E): Vol 4, Vol 5, Vol 6
Media Class for Regular Tapes (for TS1120, use density FMT3592A2): Vol 1, Vol 2, Vol 3
Scratch Encryption Policy: Regular Volumes Vol 1 to Vol 3; Encrypted Volumes Vol 4 to Vol 6
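The first bullet above puts the burden of keeping the encrypted / non-encrypted inventories in sync on the administrator, and drift is silent until a restore or a scratch mount picks the wrong cartridge. The following reconciliation check is an added example, not BRMS or library code: it compares BRMS media records (volume, density, media class) against the library's own encrypted flag per volume and reports every disagreement. The record layout, the media class names REGULAR and ENCRYPTED, and the sample inventory are constructed for the illustration; the densities FMT3592A2 / FMT3592A2E and the split of Vol 1-3 regular, Vol 4-6 encrypted follow the slide.

```python
from typing import Dict, List, NamedTuple, Set


class BrmsMedia(NamedTuple):
    volume: str
    density: str       # e.g. FMT3592A2 (regular) or FMT3592A2E (encrypted) for TS1120
    media_class: str   # constructed class names for this example: "REGULAR" / "ENCRYPTED"


# Densities the BRMS PTFs introduced for encrypted TS11x0 media (from the slide).
ENCRYPTED_DENSITIES: Set[str] = {"FMT3592A2E", "FMT3592A3E"}


def brms_says_encrypted(rec: BrmsMedia) -> bool:
    """BRMS records encryption through the media density."""
    return rec.density in ENCRYPTED_DENSITIES


def reconcile(brms: List[BrmsMedia], library: Dict[str, bool],
              encrypted_classes: Set[str]) -> List[str]:
    """Compare BRMS media records with the tape library's record of which volumes
    hold encrypted data. `library` maps volume -> encrypted flag as the library
    reports it. Returns one finding per discrepancy; empty means in sync."""
    findings: List[str] = []
    seen: Set[str] = set()
    for rec in brms:
        seen.add(rec.volume)
        b_enc = brms_says_encrypted(rec)
        if rec.volume not in library:
            findings.append(f"{rec.volume}: known to BRMS but missing from the library inventory")
            continue
        # Density vs. what the library believes about the cartridge.
        if library[rec.volume] != b_enc:
            findings.append(
                f"{rec.volume}: BRMS density {rec.density} implies encrypted={b_enc}, "
                f"library reports encrypted={library[rec.volume]}")
        # Density vs. media class: the scratch policy selects by class, so these must agree.
        if (rec.media_class in encrypted_classes) != b_enc:
            findings.append(
                f"{rec.volume}: media class {rec.media_class} disagrees with density {rec.density}")
    for vol in library:
        if vol not in seen:
            findings.append(f"{vol}: in the library inventory but unknown to BRMS")
    return findings


# Constructed sample inventory modelled on the slide: VOL1-VOL3 regular, VOL4-VOL6
# encrypted, plus two deliberate drifts (VOL3's library flag, VOL7 only in the library).
SAMPLE_BRMS = [
    BrmsMedia("VOL1", "FMT3592A2", "REGULAR"),
    BrmsMedia("VOL2", "FMT3592A2", "REGULAR"),
    BrmsMedia("VOL3", "FMT3592A2", "REGULAR"),
    BrmsMedia("VOL4", "FMT3592A2E", "ENCRYPTED"),
    BrmsMedia("VOL5", "FMT3592A2E", "ENCRYPTED"),
    BrmsMedia("VOL6", "FMT3592A2E", "ENCRYPTED"),
]
SAMPLE_LIBRARY = {"VOL1": False, "VOL2": False, "VOL3": True,
                  "VOL4": True, "VOL5": True, "VOL6": True, "VOL7": True}


def sample_findings() -> List[str]:
    return reconcile(SAMPLE_BRMS, SAMPLE_LIBRARY, {"ENCRYPTED"})


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

Run it after each library inventory or BRMS media-class change; the two drifts in the constructed data show the two cases worth alerting on, a cartridge the library thinks is encrypted while BRMS would still hand it out as a regular scratch volume, and a cartridge BRMS has never recorded.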

Page 35

Encryption

How to get Started

Page 36

Encryption – Getting Started

Careful Planning is required:

• Encryption Strategy

   • What data will / won't be encrypted?

   • Which encryption techniques should be used? (e.g. drive-based, BRMS software-based, etc.)

   • What other companies need to exchange data with us?

• Key Management Strategy

   • Which platform should run the TKLM? Where should it be located?

   • What keys are required and how often will they change?

   • What is the HA and DR strategy for our keys?

   • Should we use enterprise-wide keys, or segment by platform, or ??

   • etc.

The IBM Services Organization has offerings to help you get started as quickly and smoothly as possible – ask your rep or BP to contact Mark Even or Frank Kriss

Page 37

Encryption

Recovery Stories

Page 38

BRMS Software-based

Tape Encryption

Page 39

BRMS Functions

Backup

[Diagram: Application #1 (Lib 1, Lib 2); Application #2 (Lib A, Lib B)]

• Libraries, objects, IFS, spoolfiles

• Tape, Virtual Tape, SAVF, TSM

• Full, Incremental, Cumulative

• Save-while-Active, Parallel, Domino

• Duplicate tapes

• Did last night’s backup run OK?

Tape Library Support

Network Feature

• Shared Scratch Pool

• Combined Reporting

• Cross-system restores

• Cross-system duplications

Media Management

• What is on tape XYZ?

• What tapes are in location DEF?

• What tapes have errors?

• What tapes go offsite today?

• What tape has the latest copy of object JKL?

Recovery

[Diagram: Volumes Required, Progress, Recovery Steps]

• List of ASPs to be created

• List of tapes required

• List of steps to recover

• On-Line Progress Report

• Mark tapes as “available” in the library

• Select scratch tape for the save

• Eject tapes headed offsite

Advanced Feature

• Hierarchical Storage Management (HSM)

• BRMS user defined system name

• BRMS Software-based encryption


For encryption, also purchase IBM i option #44 – Encrypted Backup Enablement

Page 40

Change Media Policy

Media policy . . . . . . . . . . : ENCRYPT

Type choices, press Enter.

Encrypt Data . . . . . . . . . .   *YES          *NO, *YES
Key store file . . . . . . . . .   Q1AKEYFILE    Name
Key store library . . . . . . .    QUSRBRM       Name
Key record label . . . . . . . .   ENCRYPTION

F3=Exit F5=Refresh F12=Cancel

BRMS 6.1 Software-based Encryption

� Benefits

– Works with any tape drive, not just LTO4/LTO5 and TS1120/TS1130

– Granular selection of Items to be encrypted

� Who for?

– Customers with a large backup window and/or a small amount of data to encrypt (due to performance – see next page)

� What to Buy (Tier priced features)

– BRMS Advanced Feature - Option 2

– IBM i Encrypted Backup Enablement - Option 44

� How do you set it up?

1. Create Master Keys for Keystore + Save/Restore

2. Create Keystore File via GUI (Security Section)

3. Update Media Policy to Indicate Keystore File

4. Update Control Group to request encryption

Edit Backup Control Group Entries CLIO

Group . . . . . . . . . . . . : LIB001

Default activity . . . . . *BKUPCY

Text . . . . . . . . . . . . . LIBRARY backup

Type information, press Enter.

         Backup      List       Parallel   Private
Seq      Items       Type       Type       Authorities   Encrypt
 10      LIBA                   *DEFAULT   *NO           *MEDPCY
 20      LIBB                   *DEFAULT   *NO           *NO

F3=Exit F5=Refresh F11=Display main F12=Cancel

Page 41

BRMS 6.1 Software-based Encryption

� Considerations

– Objects that cannot be encrypted: *SAVSYS, *SAVSECDTA, *SAVCFG, *IBM, and libraries starting with a Q

• Check for user objects residing in QGPL and QUSRSYS !!!

– Does not support save files, optical or virtual optical devices

– Careful Key Management is imperative or data could be lost

Notice the impact on save/restore performance and CPU utilization.

Test system: 9406-MMA 7056 4-way partition, 40 GB mainstore, 324 15K 70GB DASD using 571F IOAs

[Chart: CPU Utilization. Y axis: % CPU used (0 to 14). X axis: 1 GB Source File, 12 GB User Mix, 64 GB Large File, 320 GB Large File. Series: % CPU used during SAVLIBBRM with no software encryption; % CPU used during SAVLIBBRM with software encryption; % CPU used during RSTLIBBRM with no software encryption; % CPU used during RSTLIBBRM with software encryption. Short bars are good.]

Saves may take 3x as much media

– Will require extra media since encrypted data doesn’t compress well

[Chart: Save Performance, same test system. Y axis: GB/HR (0 to 700). X axis: 1 GB Source File, 12 GB User Mix, 64 GB Large File, 320 GB Large File. Series: SAVLIBBRM with no software encryption; SAVLIBBRM with software encryption; RSTLIBBRM with no software encryption; RSTLIBBRM with software encryption. Tall bars are good.]

– Significant hit on Save Performance and CPU Utilization

For performance information, see the Performance Capabilities Reference Manual

Page 42

Performance Testing on BRMS Software Encryption

Here’s what we saw in our BRMS Encryption Performance Test on:

Drive                      Largefile Save                    Largefile Save
                           (without BRMS Encryption)         (with BRMS Encryption)
                           MB/sec                            GB/hr     MB/sec
3580-004 (LTO4)            185-250 depending on fibre card   432       120
TS1120                     250                               360       100
3580-003 (LTO3)            141                               288        80
3592-01A (Gen 1)           104                               144        40
3580-002 (LTO2)            100                               126        35
3590-H11                    40                                50        14
Fc 6387 (QIC SLR 100)      –                                  18         5
Integrated Virtual Tape    Performance varies with disk configuration and processor speed

System Processor Speed Impacts BRMS Encryption Performance
– P5 processors -> Expect 76 MB/sec (275 GB/hour) or less
– P6 processors -> Expect 130 MB/sec (468 GB/hour) or less (P5+ would be similar)

Largefile saves are dramatically faster with drive-based encryption or no encryption
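The table and the processor ceilings above are what a backup-window estimate has to be built from, so here is that estimate as a small planner. It is an added example, not IBM code: the per-drive MB/sec figures and the P5/P6 ceilings are copied from the slide (LTO4's un-encrypted rate is a range, so its lower bound is used), the "3x as much media" factor is the planning figure from the previous page, and the function names plus the cartridge_gb argument (native cartridge capacity, which the slide does not give) are assumptions for this illustration. The effective software-encryption rate is the smaller of the drive's encrypted figure and the processor ceiling, which is the reason the same LTO4 drive fits a one-hour window on P6 but not on P5 in the usage below.

```python
import math
from typing import Any, Dict, Optional, Tuple

# Large-file save rates from the table above:
# (MB/sec without BRMS encryption, MB/sec with BRMS encryption, GB/hr with BRMS encryption)
DRIVE_RATES: Dict[str, Tuple[float, float, float]] = {
    "3580-004 (LTO4)": (185.0, 120.0, 432.0),   # un-encrypted figure is 185-250; lower bound used
    "TS1120": (250.0, 100.0, 360.0),
    "3580-003 (LTO3)": (141.0, 80.0, 288.0),
    "3592-01A (Gen 1)": (104.0, 40.0, 144.0),
    "3580-002 (LTO2)": (100.0, 35.0, 126.0),
    "3590-H11": (40.0, 14.0, 50.0),
}

# Processor ceilings from the slide: BRMS software encryption will not exceed these.
PROCESSOR_CEILING_MBPS: Dict[str, float] = {"P5": 76.0, "P6": 130.0}

# Planning factor from the slide: encrypted saves may take up to 3x as much media.
DEFAULT_MEDIA_FACTOR = 3.0


def gb_per_hour(mb_per_sec: float) -> float:
    """Convert MB/sec to GB/hr using the table's convention (120 MB/sec -> 432 GB/hr)."""
    return mb_per_sec * 3600.0 / 1000.0


def table_is_consistent(tolerance_gb_per_hour: float = 1.0) -> bool:
    """Sanity check on the copied figures: each row's GB/hr matches its MB/sec."""
    return all(abs(gb_per_hour(enc_mbps) - enc_gbph) <= tolerance_gb_per_hour
               for _, enc_mbps, enc_gbph in DRIVE_RATES.values())


def save_hours(size_gb: float, mb_per_sec: float) -> float:
    """Elapsed hours to move size_gb at a sustained rate of mb_per_sec."""
    return size_gb * 1000.0 / mb_per_sec / 3600.0


def encrypted_rate(drive: str, processor: str) -> float:
    """Effective software-encryption rate: the drive's encrypted figure,
    capped by the processor generation's ceiling."""
    return min(DRIVE_RATES[drive][1], PROCESSOR_CEILING_MBPS[processor])


def plan(size_gb: float, drive: str, processor: str, window_hours: float,
         cartridge_gb: Optional[float] = None,
         media_factor: float = DEFAULT_MEDIA_FACTOR) -> Dict[str, Any]:
    """Estimate the backup window and media needed with and without BRMS
    software encryption. cartridge_gb is a caller-supplied assumption (native
    capacity); the media estimate for the encrypted case applies media_factor."""
    plain_mbps = DRIVE_RATES[drive][0]
    enc_mbps = encrypted_rate(drive, processor)
    result: Dict[str, Any] = {
        "hours_plain": save_hours(size_gb, plain_mbps),
        "hours_encrypted": save_hours(size_gb, enc_mbps),
        "encrypted_rate_mbps": enc_mbps,
    }
    result["fits_window"] = result["hours_encrypted"] <= window_hours
    if cartridge_gb:
        result["cartridges_plain"] = math.ceil(size_gb / cartridge_gb)
        result["cartridges_encrypted"] = math.ceil(size_gb * media_factor / cartridge_gb)
    return result


if __name__ == "__main__":
    # Constructed scenario: the 320 GB large-file workload on LTO4, one-hour window,
    # assumed 800 GB native cartridge capacity.
    for cpu in ("P5", "P6"):
        print(cpu, plan(320, "3580-004 (LTO4)", cpu, 1.0, cartridge_gb=800))
```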

Page 43

Protecting your Encryption Keys

[Diagram: key hierarchy, with labels SAVSYS, QUSRBRM Save, Recovery Center, ASP 1 and Other Data]

Library QUSRBRM holds the key store file Q1AKEYFILE, which contains the BRMS encryption keys (Key 1 through Key 5, each stored in encrypted form).

The keys in Q1AKEYFILE are encrypted using one of the 8 Master Keys.

The Master Keys belong to the IBM i Operating System and are encrypted using the SAVRST Master Key.

Page 44

Setup for Software Encryption (6.1)

� Create “Save Restore Master Key” (*SAVRST) to encrypt all the Master Keys

� Create “Master Key for BRMS Keystore File” to encrypt BRMS Encryption Keys (choose 1 of 8 general purpose Master Keys)

� Store the Master Key Passphrases in a safe place

� Create BRMS Key Store File – BRMS Requires Key Store File Named Q1AKEYFILE in QUSRBRM

� Configure BRMS for Software Encryption

� Test a simple save/restore

� Test a full system backup/recovery

Page 45

Create the Save Restore Master Key for the System

� Create one or more *SAVRST Master Key Parts

� Set the *SAVRST Master Key

� This can be done on the green screen or in the Navigator

Page 46

Create “Save Restore Master Key” for the System

� This key is used to encrypt/protect the Master Keys on the system (eg the general purpose key that will encrypt the keys for the BRMS Keystore)

� Use ADDMSTPART command to set the passphrases. This can be done multiple times if multiple people will each know part of the key

Make CERTAIN you have a plan to get all parts of the passphrase delivered to the recovery site; otherwise the system is not recoverable.

Page 47

Set the “Save Restore Master Key” for the System

� Once all passphrases have been input, use the SETMSTKEY command to Set Master Key

Page 48

Create Save Restore Master Key via Navigator

� Navigate to Security / Cryptographic Services Key Management / Master Keys and use Load Part and Set Actions

The Master Key is not yet set in the example above. A default key is in place to provide minimal protection until you set your key: this means that the master keys are not “in the clear” on your SAVSYS tape, but any IBM i system can decrypt them.

Page 49

Create the General Purpose Master Key for the BRMS Keystore

� Choose which of the 8 general purpose master keys you’ll use

� Create the Master Key Parts

� Set the Master Key

� This can be done on the green screen or in the Navigator

Page 50

Create Master Key for BRMS Keystore

� Select 1 of the 8 general purpose master keys

� Use ADDMSTPART command to set the passphrases. This can be done multiple times if multiple people will each know part of the key

Page 51

Set the Master Key for BRMS Keystore

� Once all passphrases have been input, use the SETMSTKEY command to Set Master Key

Page 52

Create Master Key for BRMS Keystore via Navigator

� Navigate to Security / Cryptographic Services Key Management / Master Keys and use Load Part and Set Actions

Page 53

Create the BRMS Keystore

� Create the BRMS Keystore

� Generate / add the keys

� This can be done on the green screen or in the Navigator

Page 54

Create BRMS Key Store File

� CRTCKMKSF Command to Create Key Store File

� Name must be QUSRBRM / Q1AKEYFILE

Page 55

Generate/Add Keys for BRMS Key Store File

� GENCKMKSFE Command to Generate Entry (Key Record)

– Key Size can be 16, 24, or 32

Page 56

Create BRMS Key Store Files via Navigator

� Navigate to Security / Cryptographic Services Key Management / Keystores and use Create New Keystore to Create File and New Key Record Wizard to Add AES Type Entry

Page 57

Configure BRMS to Use Encryption

� Create or Change Media Policy to Specify Encryption

� Specify Encryption via Backup Control Group

� Can be done on green screen or via Navigator

Page 58

Create or Change Media Policy for Encryption

Change Media Policy

Media policy . . . . . . . . . . : ENCRYPT

Type choices, press Enter.

Encrypt Data . . . . . . . . . .   *YES          *NO, *YES
Key store file . . . . . . . . .   Q1AKEYFILE    Name
Key store library . . . . . . .    QUSRBRM       Name
Key record label . . . . . . . .   ENCRYPTION

Bottom
F3=Exit   F5=Refresh   F12=Cancel

Page 59

Set up Control Group for Encryption

Edit Backup Control Group Entries

Group . . . . . . . . . . : LIB001
Default activity . . . . . *BKUPCY
Text . . . . . . . . . . . LIBRARY backup

Type information, press Enter.

         Backup      List       Parallel   Private
Seq      Items       Type       Type       Authorities   Encrypt
 10      SHANES1                *DEFAULT   *NO           *MEDPCY
 20      AJANISCH               *DEFAULT   *NO           *NO

Bottom
F3=Exit   F5=Refresh   F11=Display main   F12=Cancel

Page 60

Set up Media Policies via Navigator

Page 61

Set up Control Group via Navigator

Page 62

Checking the Reports

� WRKMEDIBRM will indicate encrypted saves

� This can be seen on the green screen or in Navigator

Page 63

WRKMEDIBRM Encryption History

Work with Media Information

Position to Date . . . . .

2=Change   4=Remove   5=Display   6=Work with media   7=Restore
9=Work with saved objects   ...

     Saved        Encrypted   Key Store    Key Store   Key Record
Opt  Item                     File         Library     Label
     TESTERDATA   *NO
     TESTERJRN$   *NO
     TESTERJRN$   *NO
     KLD          *YES        Q1AKEYFILE   QUSRBRM     ENCRYPTION
     TSTR2LIB     *NO

F3=Exit   F5=Refresh   F11=Volume identifier   F12=Cancel   F23=More options

Page 64

WRKMEDIBRM Encryption History via Navigator

Page 65

Recovering a System with BRMS SW Encryption

� BRMS Recovery Report Identifies Encrypted Data

� Bring along the passphrases for your Save Restore Master Key

� Set up Save/Restore Master Keys to match SAVSYS Media

– Reload Passphrase(s) (ADDMSTPART Command)

• MUST KNOW THE PASSPHRASES!

– Set Master Key (SETMSTKEY Command)

� Restore BRMS Keystore File Q1AKEYFILE in QUSRBRM

� Proceed with the rest of the restore as usual
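The recovery steps above have hard prerequisites for every encrypted saved item: the *SAVRST master key re-established from its passphrases, the general-purpose master key that protects the keystore set, Q1AKEYFILE restored into QUSRBRM, and the key record label present. The following pre-flight check is an added example, not BRMS code: it reads a WRKMEDIBRM-style listing like the one on page 63 and, against a simple model of what has been re-established on the recovery system, reports what still blocks each encrypted item. The whitespace-separated column layout, the RecoveryState model and the sample listing are constructed for this illustration; only the command names and the QUSRBRM / Q1AKEYFILE / ENCRYPTION names come from the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SavedItem:
    item: str
    encrypted: bool
    keystore_file: Optional[str] = None
    keystore_lib: Optional[str] = None
    key_label: Optional[str] = None


def parse_wrkmedibrm(lines: List[str]) -> List[SavedItem]:
    """Pick the saved-item rows out of a WRKMEDIBRM-style listing. A row is
    recognised by its second column being *YES or *NO (the Encrypted column);
    titles, column headings and function-key lines are skipped."""
    items: List[SavedItem] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[1] not in ("*YES", "*NO"):
            continue
        if parts[1] == "*NO":
            items.append(SavedItem(parts[0], False))
            continue
        if len(parts) < 5:
            raise ValueError(f"encrypted item without key store columns: {line!r}")
        items.append(SavedItem(parts[0], True, keystore_file=parts[2],
                               keystore_lib=parts[3], key_label=parts[4]))
    return items


@dataclass
class RecoveryState:
    """What has been re-established on the recovery system so far (constructed model)."""
    savrst_master_key_set: bool                       # *SAVRST key set via ADDMSTPART + SETMSTKEY
    master_keys_set: Set[int]                         # general-purpose master keys (1-8) that are set
    keystores: Dict[Tuple[str, str], Dict[str, int]]  # (library, file) -> {record label: master key no.}


def blockers(item: SavedItem, state: RecoveryState) -> List[str]:
    """Return what still prevents this item from being restored (empty = ready)."""
    if not item.encrypted:
        return []
    out: List[str] = []
    if not state.savrst_master_key_set:
        out.append("*SAVRST master key not set (ADDMSTPART / SETMSTKEY with the original passphrases)")
    keystore = state.keystores.get((item.keystore_lib, item.keystore_file))
    if keystore is None:
        out.append(f"keystore {item.keystore_lib}/{item.keystore_file} not restored")
        return out
    master_key = keystore.get(item.key_label)
    if master_key is None:
        out.append(f"key record {item.key_label} missing from {item.keystore_file}")
    elif master_key not in state.master_keys_set:
        out.append(f"master key {master_key} protecting {item.key_label} not set")
    return out


def preflight(lines: List[str], state: RecoveryState) -> List[Tuple[str, List[str]]]:
    """One (saved item, blockers) pair per row of the listing."""
    return [(it.item, blockers(it, state)) for it in parse_wrkmedibrm(lines)]


# Constructed listing modelled on the WRKMEDIBRM screen on page 63.
SAMPLE_LISTING = [
    "Work with Media Information",
    "     Saved        Encrypted   Key Store    Key Store   Key Record",
    "Opt  Item                     File         Library     Label",
    "     TESTERDATA   *NO",
    "     TESTERJRN$   *NO",
    "     TESTERJRN$   *NO",
    "     KLD          *YES        Q1AKEYFILE   QUSRBRM     ENCRYPTION",
    "     TSTR2LIB     *NO",
    "F3=Exit   F5=Refresh   F11=Volume identifier   F12=Cancel",
]


if __name__ == "__main__":
    # Constructed state: nothing re-established yet except the keystore file.
    state = RecoveryState(False, set(), {("QUSRBRM", "Q1AKEYFILE"): {"ENCRYPTION": 1}})
    for name, why in preflight(SAMPLE_LISTING, state):
        print(name, "ready" if not why else why)
```

Running this against the BRMS recovery report before the restore starts turns the "MUST KNOW THE PASSPHRASES" warning into a concrete list per item, which is also a useful drill for the rehearsal the Summary recommends.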

Page 66

Duplicating Encrypted Data with BRMS

[Diagram: three DUPMEDBRM conversions]

Convert Non-Encrypted to Encrypted: Non-Encrypted --DUPMEDBRM--> Encrypted (Key 1)

Convert Encrypted to Non-encrypted: Encrypted (Key 1) --DUPMEDBRM--> Non-Encrypted

Convert Between Encryption Keys: Encrypted (Key 1) --DUPMEDBRM--> Encrypted (Key 2)

Page 67

Comparison: BRMS Software vs Tape Drive Based Encryption

BRMS Software-based Encryption

Advantages
• Any type of tape drive
• Mix/Match encryption on 1 cartridge

Considerations
• Significant increase in CPU utilization
• Significant performance degradation
• May take up to 3x as much media
• Certain system libraries can’t be encrypted

[Diagram: BRMS Control Group (LibA encrypted, LibB unencrypted) -> IBM i Encrypted Backup Enablement keys -> any tape drive or library. i5/OS Encrypted Backup Enablement Option 44 is also required.]

Tape Drive Hardware-based Encryption

Advantages
• No impact on CPU utilization
• Max 1% performance degradation
• No increase in media required
• All objects can be encrypted

Considerations
• Needs fibre LTO4/LTO5 or TS1120/30 in a library
• Encrypts whole cartridges

[Diagram: TKLM -> SAS or fibre LTO4, or fibre TS1120/30 in a library]

Page 68

Summary

� Use IBM Lab Services to help with your install

� Take good care of your Encryption Keys

– Don’t encrypt them

– Make sure you have a good backup of them

� Plan and Practice your Recovery carefully

Page 69

Glossary and Reference Material

Page 70

Glossary Encryption Terms and Standards

� AES - Advanced Encryption Standard
� ANSI - American National Standards Institute
� CCA - Common Cryptographic Architecture
� CSP - crypto service provider
� DES - Data Encryption Standard
� DH - Diffie-Hellman key agreement
� DSA - Digital Signature Algorithm
� EMV - Europay, MasterCard, VISA
� FIPS - Federal Information Processing Standards
� HMAC - keyed-Hashing for MAC
� HSM - hardware security module
� IPSec - IP (Internet Protocol) Security
� JCE - Java Cryptography Extension
� MAC - message authentication code
� MD5 - Message Digest 5
� PKCS - Public Key Cryptography Standards
� PKI - public key infrastructure
� PRNG - pseudo-random number generator
� RC4* - RC4 compatible
� RSA - Rivest, Shamir, Adleman public key algorithm
� SHA-1 - Secure Hash Algorithm 1
� SSL/TLS - Secure Sockets Layer / Transport Layer Security
� T-DES - Triple-DES
� VPN - virtual private network

Page 71

Reference Material – BRMS Software based Encryption

Backup and Recovery; SC41-5304-09 (6.1)

Backup and Recovery; SC41-5304-10 (7.1)

Backup, Recovery and Media Services; SC41-5345-06 (6.1)

Backup, Recovery and Media Services; SC41-5345-07 (7.1)

Virtual Tape Redbook; SG24-7164
http://www.redbooks.ibm.com/abstracts/sg247164.html

Backup, Recovery and Media Services for OS/400: A Practical Approach Redbook; SG24-4840
http://www.redbooks.ibm.com/abstracts/sg244840.html

Performance Management on System i
http://www-03.ibm.com/servers/eserver/iseries/perfmgmt/resource.html

BRMS Web Page:
http://www-03.ibm.com/servers/eserver/iseries/service/brms/

Page 72

Trademarks and Disclaimers

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

Information is provided "AS IS" without warranty of any kind.

The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

Prices are suggested U.S. list prices and are subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.