How to Encrypt Files for Backup

1. Introduction

If you would like to send your files to the HFS in an encrypted format, then they need to be selected for encryption using one of the two methods described below: the graphical user interface or the TSM configuration file. Note that the TSM encryption key password, like the TSM password itself, has a maximum length of 63 characters and is case insensitive. The valid characters are [a-zA-Z0-9+._&-], i.e. any letter a-z in upper or lower case, any digit 0-9, plus, period, underscore, ampersand and hyphen. Because the password is case insensitive, mixing upper and lower case adds nothing to its strength; prefer a longer password instead.

Please note that, if you use the automatic scheduled backups, you must restart the TSM scheduler after making any configuration changes to TSM. If you do not do this then the change(s) that you have made will not be honoured on the scheduled backups. After making any change, please see our instructions for restarting the scheduler for Windows, Mac, Linux and Solaris. Alternatively, restarting your machine will have the same effect as restarting the TSM scheduler.

2. Encryption type

The default encryption type is 128-bit AES. This may be changed to 56-bit DES or, on TSM 7.1.3 or higher, to 256-bit AES. 56-bit DES is obsolete: its key is small enough to be recovered by brute force, so it is retained only for compatibility with older clients and should not be selected for new backups. To change this setting, go to Edit > Client Preferences > Authorization (tab). If you prefer to edit the TSM configuration file directly, then you will need to edit dsm.sys (Mac, Linux) or dsm.opt (Windows) and add the option encryptiontype followed by DES56 or AES256 (AES128 is the value used when the option is absent).

3. Graphical User Interface (GUI)

Using the graphical user interface means that TSM will create the encryption rules for you, but you have to specify every file individually. Therefore you may not find this method practicable if you wish to encrypt a large number of files. Run TSM as appropriate to your operating system (via the Start menu on Windows, or via TSM Tools for Administrators on a Mac), and go to Edit > Preferences > Include-Exclude (tab). There you should select Category 'Backup', Type Include.Encryption, browse to the file that you want to encrypt, and then click Add.

Please see the following sections for how to encrypt groups of files.

4. Editing configuration files

Files can also be encrypted by adding lines to the TSM configuration file. The location of the configuration file is platform-specific and can be looked up in our list of TSM configuration files.

  • At the end of the file, add lines specifying the files that you want to encrypt, beginning with include.encrypt - for example, to select the file c:\data\encryptthis.txt for encryption, add:
    include.encrypt c:\data\encryptthis.txt
  • To encrypt a file whose name or location has spaces in it, enclose it fully in quotation marks, as below:
    include.encrypt "C:\My Documents\data\encryptthis.txt"

5. Further principles

More complicated and powerful rules can be written to select files for encryption, as detailed in the next two sections. The third section below explains the further options that can affect how the encryption is performed.

5.1. Wildcards

Wildcards allow groups of files to be selected for encryption all at once. Those available are ... (to substitute for directory names), * (for parts of filenames) and ? (for single characters of filenames). The basic syntax for using these characters may be gleaned from the following examples, which illustrate some of the possibilities offered. The principles are similar to those used for excluding files from backup (on which please see the page on how to exclude files and folders from backup).

  • To encrypt multiple files with a common component in their name, use the * and ? wildcards. The * matches any number of any character, and the ? matches any single character. Note that the * and ? wildcards do not work with directory names. Thus to select for encryption any files whose names begin "encrypt" in the C:\data folder use
    include.encrypt  C:\data\encrypt*

    To encrypt a whole folder of files, use * to stand for every file - for instance, to encrypt every file within C:\data, no matter what its name, use

    include.encrypt  C:\data\*

    This will only select for encryption the files directly within C:\data - not any of the sub-folders (or their files) that might be within C:\data. For example, the contents of a folder C:\data\moredata would not be selected for encryption using the above rule. See the next item for how to do this.

  • To select numerous directories for encryption use the ... wildcard, which stands for zero or more directory levels. Thus to encrypt all the files directly within C:\data together with all its subdirectories and their files, use
    include.encrypt C:\data\...\*

    Another use of this type of wildcard would be for encrypting files in a sub-directory no matter where it is located on C: - for example, to encrypt the files within a directory called personal wherever it is on C:, use

    include.encrypt  C:\...\personal\*
  • To encrypt any files in the C:\data directory whose names consist of a single variable character followed by _test.txt, use ?, as in
    include.encrypt  C:\data\?_test.txt
  • If, however, you have a hundred directories called data00, data01, data02 and so on up to data99 on the C: drive, then you cannot do either of the following:
    include.encrypt C:\data*\*
    include.encrypt C:\data??\*

    as the * and ? wildcards cannot be used in directory names or paths. To encrypt the contents of these directories, move them into a single directory under C:, for example C:\allmydatafolders, and then select everything beneath that directory with the ... wildcard, as in the example already cited above:

    include.encrypt  C:\allmydatafolders\...\*

5.2. exclude.encrypt

There is also a second option, exclude.encrypt, which can be combined with include.encrypt and one or more of the wildcards. It is important to note in what follows that the list of includes and excludes is processed from the bottom up, and that the first rule matching a given file decides whether it is encrypted: a more specific rule must therefore be placed below the more general rule that it qualifies.

  • For instance, the following will encrypt all of the directory C:\data except the file donotencryptthis.txt. Because the list is read from the bottom up, the specific exclude.encrypt rule must be the lower of the two:
    include.encrypt c:\data\*
    exclude.encrypt c:\data\donotencryptthis.txt
  • To exclude the contents of a directory from encryption, but include the contents of all its sub-directories, use:
    include.encrypt  C:\data\...\*
    exclude.encrypt  C:\data\*

    This will exclude any file directly in the C:\data directory but will include for encryption any file in any subdirectory under C:\data. Note that the order is important in both examples: TSM reads the list from the bottom up and stops at the first rule that matches the file, so the exclude.encrypt directive must follow the include.encrypt directive in the configuration file. If the exclude.encrypt rule were placed above the include.encrypt rule, every file would match the more general include.encrypt rule first and the exclude rule would never be reached.

5.3. Other options

In the TSM GUI, in Edit > Client Preferences > Authorization (tab), there are two encryption settings:

  • The option Encryption Key Password (the encryptkey option in the configuration file) controls whether the encryption key password is saved locally by the client or prompted for at backup time - for more information on this see Encrypting backups using Versions 5.5 (and later) of the TSM Client. If you use a password of your own, keep a copy of it somewhere safe and separate from the machine being backed up: files encrypted with it cannot be restored without it.
  • The Encryption Type is set by default to 128-bit AES. Users of TSM 7.1.3 or higher can change this to the stronger 256-bit AES. 56-bit DES is also available, but it is obsolete and should not be used for new backups.

5.4. Interaction with other include-exclude rules

If you are using further rules in dsm.opt to exclude data from backup, note that these are independent of the encryption rules. For example, if you are excluding everything from backup apart from certain files (as per our section on how to exclude everything from backup except a specific directory/folder), and additionally you wish to encrypt those files, then you will need both include.encrypt and include rules:

include.encrypt  C:\data\...\*
exclude  C:\...\*
include C:\data\...\*

Without the line include C:\data\...\*, all files would be excluded from backup - include.encrypt does not include files for backup, but only for encryption.
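The following is an added worked example, not TSM's own code and not part of the original page: a small Python model of the rule semantics described in sections 5.1, 5.2 and 5.4, namely that the list is read from the bottom up with the first matching rule deciding, that ... stands for zero or more directories, that * and ? may only be used in the file-name part, and that the backup (include/exclude) and encryption (include.encrypt/exclude.encrypt) lists are independent. It lets you check a candidate dsm.opt fragment against sample paths before restarting the scheduler. The option-file fragments and file paths below are constructed for illustration, and the helper names (parse_rules, is_encrypted, classify and so on) are this example's own.

```python
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (keyword, pattern) as read from dsm.opt / dsm.sys


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a TSM-style pattern into a regex, supporting only what this
    page documents: '...' = zero or more directories, '*' and '?' = any run /
    exactly one character within the file name. '*' and '?' in a directory
    component are rejected, as the page says they cannot be used there.
    Matching is case-insensitive because Windows paths are."""
    components = pattern.strip('"').split("\\")
    last = len(components) - 1
    regex_parts: List[str] = []
    for i, comp in enumerate(components):
        if comp == "...":
            regex_parts.append(r"(?:[^\\]*\\)*")  # each matched directory brings its own '\'
            continue
        if i != last and ("*" in comp or "?" in comp):
            raise ValueError(f"wildcard in directory component {comp!r}; use ... instead")
        piece = "".join(r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch)
                        for ch in comp)
        regex_parts.append(piece + (r"\\" if i != last else ""))
    return re.compile("^" + "".join(regex_parts) + "$", re.IGNORECASE)


def parse_rules(text: str) -> List[Rule]:
    """Parse '<keyword> <pattern>' option lines; '*' starts a comment in TSM
    option files and a pattern containing spaces may be quoted."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"malformed option line: {line!r}")
        rules.append((fields[0].lower(), fields[1].strip('"')))
    return rules


def selected(rules: List[Rule], path: str, include_kw: str, exclude_kw: str,
             default: bool) -> bool:
    """Apply one rule family to a path: read from the bottom up, first match wins.
    Rules of the other family are skipped because the page states that the backup
    and encryption lists are independent; `default` applies when nothing matches."""
    for keyword, pattern in reversed(rules):
        if keyword in (include_kw, exclude_kw) and pattern_to_regex(pattern).match(path):
            return keyword == include_kw
    return default


def is_backed_up(rules: List[Rule], path: str) -> bool:
    # A file matching no include/exclude rule is backed up by default.
    return selected(rules, path, "include", "exclude", default=True)


def is_encrypted(rules: List[Rule], path: str) -> bool:
    # A file matching no include.encrypt/exclude.encrypt rule is sent in clear.
    return selected(rules, path, "include.encrypt", "exclude.encrypt", default=False)


def classify(rules: List[Rule], paths: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each path to (backed_up, encrypted); a file not backed up is never encrypted."""
    result: Dict[str, Tuple[bool, bool]] = {}
    for path in paths:
        backed_up = is_backed_up(rules, path)
        result[path] = (backed_up, backed_up and is_encrypted(rules, path))
    return result


# Constructed option-file fragments for illustration (not taken from a real machine).
EXCEPTION_OPT = r"""
* encrypt every file directly in C:\data except one: the specific rule goes last
include.encrypt C:\data\*
exclude.encrypt C:\data\donotencryptthis.txt
"""
WRONG_ORDER_OPT = r"""
* the same two rules the other way round: the general rule is now read first
exclude.encrypt C:\data\donotencryptthis.txt
include.encrypt C:\data\*
"""
SUBSET_OPT = r"""
* back up only the C:\data tree, and encrypt everything in it
include.encrypt C:\data\...\*
exclude C:\...\*
include C:\data\...\*
"""

if __name__ == "__main__":
    paths = [r"C:\data\notes.txt", r"C:\data\2017\report.docx", r"C:\other\file.txt"]
    for path, (backed_up, encrypted) in classify(parse_rules(SUBSET_OPT), paths).items():
        print(f"{path:28} backed_up={backed_up} encrypted={encrypted}")
    print("wrong order encrypts the exception:",
          is_encrypted(parse_rules(WRONG_ORDER_OPT), r"C:\data\donotencryptthis.txt"))
```

Run as a script it prints the classification for SUBSET_OPT and shows that WRONG_ORDER_OPT (the exclude placed above the include) still encrypts donotencryptthis.txt, because the bottom-most include.encrypt is read first and matches. Paste your own fragment in place of SUBSET_OPT to check it against the paths you care about; a pattern such as C:\data??\* raises ValueError rather than silently matching nothing.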

Written by IT Services. Latest revision 17 May 2017