
Storing the Encryption Key

1. Introduction

TSM/Spectrum Protect offers three different methods for handling the encryption key. For instructions on how to encrypt your data backups to the HFS, please see our page on how to encrypt files for backup.

2. The encryptkey setting

  • Encryptkey generate: HFS installations of TSM/Spectrum Protect have had this set as the default since TSM 5.5. It specifies that the key is generated automatically when the client begins a backup or archive; that key is then used to encrypt files meeting the encryption criteria. The key is stored in encrypted form on the HFS server and is used to decrypt files automatically on restore or retrieve operations. Thus the key is handled transparently for the user and cannot be lost.
  • Encryptkey prompt: If you set the encryptkey option to prompt, TSM/Spectrum Protect prompts for the encryption password for each backup, archive, and restore session. The key is not saved anywhere, neither on the local client machine nor on the server. Thus, if the key is lost, the data cannot be decrypted.
  • Encryptkey save: If you set the encryptkey option to save, you are prompted only the first time you perform a backup or archive operation. The password is stored (itself in encrypted form) in the TSM/Spectrum Protect password file (Mac, Linux, Solaris) or the registry (Windows). Thereafter the software does not prompt for the password, but continues to use this key to encrypt data that qualifies for encryption. If the encryption key (in the password file/registry) is lost or overwritten, you will be prompted for the encryption key the next time you back up, archive or restore data that qualifies for encryption. If you cannot recall this key, the data cannot be decrypted.

3. Moving from a prompted or saved key to a generated key

Complications may arise if you have encrypted data using a prompted or saved key and have since moved to a generated one.

3.1. If the TSM client is now using the encryptkey generate setting, what happens when restoring a file encrypted by a saved key?

If the TSM/Spectrum Protect password file/registry entry still exists, the client appears to restore and decrypt the file without difficulty (regardless of whether the encryptkey option is set to generate or save). If the TSM password file/registry entry has been lost (or passwordaccess is set to prompt), the client will prompt for the key.
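The three encryptkey modes in section 2 differ in who holds the key, and section 3.1 adds that passwordaccess decides whether a saved key is even consulted. The script below is an added example, not tooling from this page or from IBM: it reads a client options file (dsm.sys on Mac/Linux/Solaris, dsm.opt on Windows), reports which encryptkey setting is in force, and classifies who would have to produce the key on restore. It assumes a single-stanza options file with "*" comment lines and case-insensitive option names; the include.encrypt option it looks for is the real client option that selects files for encryption but is not named on this page, and the sample stanza and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the HFS page or IBM): inspect a TSM/Spectrum Protect
# client options file and report who holds the encryption key under the
# encryptkey setting it contains. Assumptions: one stanza per file, "*" starts
# a comment line, option names are matched case-insensitively; the sample
# stanza below is constructed.

# option_value FILE NAME: print the first value of option NAME, lower-cased,
# or "unset" if the option does not appear in FILE.
option_value() {
    awk -v opt="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\*/ { next }                 # "*" begins a comment line
        NF >= 2 && tolower($1) == opt { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# has_encrypt_rules FILE: succeed if at least one include.encrypt rule is
# present, i.e. some files will qualify for encryption and the key matters.
has_encrypt_rules() {
    awk '/^[[:space:]]*\*/ { next }
         tolower($1) == "include.encrypt" { found = 1; exit }
         END { exit found ? 0 : 1 }' "$1"
}

# key_custody FILE: classify the configuration as one word:
#   none         no include.encrypt rules, so no encryption key is in play
#   server       encryptkey generate: key kept encrypted on the HFS server
#   user-prompt  encryptkey prompt: key never stored; a forgotten key = lost data
#   user-saved   encryptkey save: key in the local password file/registry;
#                if that copy is lost the client prompts, and a forgotten key
#                means the data cannot be decrypted
#   unset        encryptkey absent (HFS installs default to generate, but the
#                script does not assume that)
key_custody() {
    if ! has_encrypt_rules "$1"; then
        echo none
        return
    fi
    case "$(option_value "$1" encryptkey)" in
        generate) echo server ;;
        prompt)   echo user-prompt ;;
        save)     echo user-saved ;;
        unset)    echo unset ;;
        *)        echo unknown ;;
    esac
}

# restore_prompts FILE: succeed if a restore of an encrypted file will prompt
# for the key: either the key was never stored (prompt mode), or it was saved
# but passwordaccess prompt means the password file/registry copy is not used.
restore_prompts() {
    custody=$(key_custody "$1")
    [ "$custody" = user-prompt ] && return 0
    [ "$custody" = user-saved ] &&
        [ "$(option_value "$1" passwordaccess)" = prompt ]
}

# write_sample PATH: write a constructed dsm.sys-style stanza to PATH
# (server and node names are placeholders, not real HFS values).
write_sample() {
    cat > "$1" <<'EOF'
* Constructed sample stanza for the example; names are placeholders
SErvername  hfs-example
   NODEname         example-node
   PASSWORDaccess   generate
   ENCRYPTKEY       save
   INCLUDE.ENCRYPT  /home/*/Private/*
EOF
}

# Demonstration on the constructed sample.
sample="${TMPDIR:-/tmp}/dsm_sample_$$.sys"
write_sample "$sample"
printf 'encryptkey=%s passwordaccess=%s custody=%s\n' \
    "$(option_value "$sample" encryptkey)" \
    "$(option_value "$sample" passwordaccess)" \
    "$(key_custody "$sample")"
if restore_prompts "$sample"; then
    echo "restore will prompt for the key"
else
    echo "restore will not prompt for the key"
fi
rm -f "$sample"
```

Run it against a copy of the real options file by replacing the sample path; a result of user-prompt or user-saved is the case the page warns about, where the key must be recorded somewhere other than the client, because neither the HFS server nor a rebuilt client can supply it.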

3.2. If the client is now using the encryptkey generate setting, what happens when restoring a file encrypted by a prompted key?

The TSM/Spectrum Protect client prompts for the key. Where versions of a file have been backed up under two different keys, use the latest key to restore the latest version.

If you are restoring the earliest (i.e. inactive) version of a file whose versions were encrypted with two different keys, you need to use the first key. However, this only works with the encryptkey option set to prompt. If the option is set to generate, the client appears able only to prompt for, and restore, the latest version of the file.

Written by IT Services. Latest revision 29 March 2018