IT Services recommends that confidential data be encrypted in transit; to determine whether you are holding confidential information, please refer to the University Information Security Team's Information Classification Scheme.
If you would like to send your files to the HFS in an encrypted format, then they need to be selected for encryption using one of the following two sets of instructions in section 3 below on encrypting your backups.
If you have already sent data to the HFS unencrypted and now wish it to be encrypted, or if you wish to change the encryption type, then it will be necessary to force a resend of the relevant data. Please contact the HFS Team on firstname.lastname@example.org for advice.
Please note that, if you wish for files sent during automated overnight scheduled backups to be encrypted, you must restart the backup scheduler after making any configuration changes. If you do not do this then the change(s) that you have made will not be honoured on the scheduled backups. After making any change, please see our instructions for restarting the scheduler for Windows, Mac, Linux or Solaris. Alternatively, restarting your machine will have the same effect as restarting the TSM scheduler.
2. Initial considerations
Two settings pertain to encryption in TSM/Spectrum Protect.
2.1. Encryption type
The default encryption type is 128-bit AES. This may be changed, on TSM 7.1.3 or higher, to the stronger 256-bit AES, in one of two ways: either in the Graphical User interface in
Client Preferences >
Authorization (tab); or by adding the option
encryptiontype AES256 to dsm.sys (Mac, Linux) or dsm.opt (Windows) (for file locations please see our list of TSM configuration files). If you are running an old version of TSM and wish to upgrade in order to use 256-bit encryption, please download the latest version from our page on downloading the HFS backup client software.
2.2. Encryption Key Password
The encryption key password setting denotes whether and where the encryption key is saved. By default this is set to
Generate encryption key password, which means that that the key is automatically generated and stored in encrypted form on the HFS server. For more information on this option see our page on storing the encryption key.
Note that the TSM/Spectrum Protect encryption password, like the password itself, has a maximum length of 63 characters and is case insensitive: valid characters are
[a-zA-Z0-9+.-_&] i.e. any letter a-z upper or lower case, any number 0-9, plus, period, underscore, hyphen, ampersand.
3.1 Encrypting your files using the graphical user interface
The graphical user interface offers an easy way to encrypt files individually. Run TSM/Spectrum Protect as appropriate to your operating system (via the Start menu on Windows, or via TSM Tools for Administrators on a Mac), and go
Include-Exclude (tab). There you should select the
Category 'Backup' or 'Archive' (for almost all users this will be the former), select the
Include.Encryption, browse to the file that you want to encrypt, and then click
If you wish to encrypt a group of files, then you can edit the rule before the final step of clicking on
OK, using the principles outlined in section 4.1 below on wildcards. For example, you can create a rule to encrypt a file
c:\data\encryptthis.txt as follows:
but you can alter this rule to encrypt the entire contents of
c:\data by changing it to:
3.2. Encrypting your files by editing the configuration file
- At the end of the file, add lines specifying the files that you want to encrypt, beginning with
include.encrypt- for example, to select the file
c:\data\encryptthis.txtfor encryption, add:
- To encrypt a file whose name or location has spaces in it, enclose it fully in quotation marks, as below:
include.encrypt "C:\My Documents\data\encryptthis.txt"
For how to encrypt a group of files, see section 4.1 below on wildcards.
4. Further principles
More complicated and powerful rules can be written to select files for encryption, as detailed in the next two sections.
Wildcards allow groups of files to be selected for encryption simultaneously. Those available are
... (to substitute for zero or more directory names),
* (for parts of filenames) and
? (for single characters of filenames). The basic syntax for using these characters may be gleaned from the following examples, which illustrate some of the possibilities offered. The principles are similar to those used for excluding files from backup (on which please see our page on how to exclude files and folders from backup).
- To encrypt multiple files with a common component in their name, use the
*matches any number of any character, and the
?matches any single character. Note that the
?wildcards do not alone represent a folder name. Thus to select for encryption any files whose names begin "encrypt" in the
To encrypt a whole folder of files, use
*to stand for every file - for instance, to encrypt every file within
C:\data, no matter what its name, use
This will only select for encryption the files directly within
C:\data- not any of the sub-folders (or their files) that might be within
C:\data. For example, the contents of a folder
C:\data\moredatawould not be selected for encryption using the above rule. See the next item for how to do this.
- To select numerous directories for encryption use the
...wildcard. Thus to encrypt all the subdirectories and files that are within
Another use of this type of wildcard would be for encrypting files in a sub-directory no matter where it is located on
C:- for example, to encrypt the files within a directory called
personalwherever it is on
- To encrypt any files whose names begin with a variable single character then followed by
?, as in
- If you wish to encrypt the contents of, for example, 100 directories called data00, data01, data02 and so on up to data99 on the C: drive, then you can do either of the following:
include.encrypt C:\data*\* include.encrypt C:\data??\*
There is also a second option,
exclude.encrypt, which can be combined with
include.encrypt and one or more of the wildcards. It is important to note in what follows that the list of includes and excludes is processed bottom up.
- For instance, the following will encrypt all of the directory
C:\data(but not its subdirectories) except the file
exclude.encrypt c:\data\donotencryptthis.txt include.encrypt c:\data\*
- To exclude the contents of a directory from encryption, but include the contents of all its sub-directories, use:
include.encrypt C:\data\...\* exclude.encrypt C:\data\*
This will exclude any file in the
C:\datadirectory but will include for encryption any file in any subdirectory under
C:\data. Note that the order is important: the
exclude.encryptdirective must follow the
include.encryptdirective in the configuration file - otherwise, the former (the exclude rule) will be ignored.
4.3. Interaction with other include-exclude rules
If you are using further rules in dsm.opt to exclude data from backup, note that these are independent of the encryption rules. For example, if you are excluding everything from backup bar certain files (as per our section on how to exclude everything from backup except a specific directory/folder), and additionally you wish to encrypt those files, then you will need both
include.encrypt C:\data\...\* exclude C:\...\* include C:\data\...\*
Without the line
include C:\data\...\*, all files would be excluded from backup:
include.encrypt does not include files for backup, but only for encryption.
5. Verifying that files have been encrypted
5.1. Manual backup
After a manual backup made using the graphical user interface, the on-screen backup report will state how many files were encrypted, and the encryption type used; for example:
Encrypted (256-bit AES): 3
After a manual backup made using the command line interface, the on-screen backup report will will give the same information, in a slightly different format:
Total number of objects encrypted: 3 Data encryption type: 256-bit AES
5.2. Scheduled backup
The number of files that that has been sent encrypted is recorded in the overnight scheduled backup log file, dsmsched.log (for file locations please see our list of TSM log files). The information is logged in the following way:
07-03-2018 19:30:48 Total number of objects encrypted: 3 07-03-2018 19:30:48 Data encryption type: 256-bit AES