How to encrypt files for backup and archive

IT Services recommends that confidential data be encrypted in transit.

If you would like to send your files to the HFS in an encrypted format, then they need to be selected for encryption using one of the sets of instructions in encrypting your backups.

If you have already sent data to the HFS unencrypted and now wish it to be encrypted, or if you wish to change the encryption type, then it will be necessary to force a resend of the relevant data.  Please contact the HFS Team on for advice.

Please note that if you use automatic scheduled backups, after making any configuration changes you must restart either your machine or the backup scheduler for the changes to be honoured on the scheduled backups (see restarting the scheduler for WindowsMacLinux or Solaris),

Expand All

Two settings pertain to encryption in TSM/Spectrum Protect.

Encryption type

The default encryption type is 128-bit AES.  On TSM 7.1.3 or higher this may be changed to the stronger 256-bit AES:

For the Graphical user interface (GUI):

  1. Run the TSM/Spectrum Protect GUI.
  2. Select Edit > Client Preferences > Authorization tab.
  3. Change the encryption type.

For the command line:

  1. Edit the configuration file dsm.opt in Windows, dsm.sys on a Mac or Linux.
  2. Add the option encryptiontype AES256.

If you are running an old version of TSM you may wish to upgrade in order to use 256-bit encryption.

Encryption Key Password

The encryption key password setting denotes whether and where the encryption key is saved.

By default the setting is set to Generate encryption key password, which means that the key is automatically generated and stored in encrypted form on the HFS server.  For more information on this option see our page on storing the encryption key.

Note that the TSM/Spectrum Protect encryption password, like the password itself, has a maximum length of 63 characters and is case insensitive.  Valid characters are any upper or lower case letter a-z, any number 0-9, plus, period, underscore, hyphen, ampersand.  [a-zA-Z0-9+.-_&]

Encrypting your files using the graphical user interface

The graphical user interface (GUI) offers an easy way to encrypt files individually.

  1. Run TSM/Spectrum Protect as appropriate to your operating system
  2. Select Edit > Preferences > Include-Exclude tab
  3. Select the Category 'Backup' or 'Archive' (for almost all users this will be the former)
  4. Select the Type as Include.Encryption, then select the file that you want to encrypt

To encrypt a group of files, you can edit the rule using wildcards before the final step of clicking on OK.  For example if your rule is as follows:

include.encrypt c:\data\encryptthis.txt

You can alter this to encrypt the entire contents of c:\data by changing it to:

include.encrypt c:\data\...\*

Encrypting your files by editing the configuration file

Files can also be encrypted by adding lines to the configuration file dsm.opt in Windows, dsm.sys on a Mac or Linux.

A file whose location or filename has spaces in it must be enclosed quotation marks, as follows:

include.encrypt "C:\My Documents\data\encryptthis.txt"

You can also encrypt a group of files using wildcards.

More complicated and powerful rules can be written to select files for encryption.


Wildcards allow groups of files to be selected for encryption simultaneously.  Those available are:

... substitute for zero or more directory names
* match parts of filenames
? match single characters of filenames


The basic syntax for using these characters may be gleaned from the following examples, which illustrate some of the possibilities offered.

The principles are similar to those used for excluding files from backup.

  • To encrypt multiple files with a common component in their name, use the * and ? wildcards.  The * matches any number of any character, and the ? matches any single character.  Note that the * and ? wildcards do not alone represent a folder name.  For example, to select for encryption any files whose names begin "encrypt" in the C:\data folder:
include.encrypt C:\data\encrypt*
  • To encrypt a whole folder of files, use * to stand for every file.  For instance, to encrypt every file within C:\data, no matter what its name:
include.encrypt C:\data\*

This will only select for encryption the files directly within C:\data, not any of the sub-folders, or their files, that might be within C:\data.

  • To select numerous directories for encryption use the ... wildcard.  Thus, to encrypt all the subdirectories and files that are within C:\data:
    include.encrypt C:\data\...\*                        

    Another use of this type of wildcard would be for encrypting files in a sub-directory no matter where it is located on C:.  For example, to encrypt the files within a directory called personal wherever it is on C:

    include.encrypt C:\...\personal\*                        
  • To encrypt any files whose names begin with a variable single character then followed by _test.txt in the C:\data directory, use ?, as in:
    include.encrypt C:\data\?_test.txt                        
  • If you wish to encrypt the contents of, for example, 100 directories called data00, data01, data02 and so on up to data99 on the C: drive, then you can do either of the following:
    include.encrypt C:\data*\*        
    include.encrypt C:\data??\*


The second option is to use exclude.encrypt, which can be combined with include.encrypt and one or more of the wildcards.  It is important to note that the list of includes and excludes is processed bottom up.

  • The following example will encrypt all of the directory C:\data (but not its subdirectories), except the file donotencryptthis.txt:
exclude.encrypt c:\data\donotencryptthis.txt
include.encrypt c:\data\*
  • To exclude the contents of a directory from encryption, but include the contents of all its subdirectories, use:
include.encrypt  C:\data\...\*
exclude.encrypt  C:\data\*

This will exclude any file in the C:\data directory but will include for encryption any file in any subdirectory under C:\data.

Note that the order is important.  The exclude.encrypt directive must follow the include.encrypt directive in the configuration file, otherwise the former (exclude) rule will be ignored.

Interaction with other include-exclude rules

If you are using further rules in the configuration file to exclude data from backup, note that these are independent of the encryption rules.  For example, if you are excluding everything from backup bar certain files (as per how to exclude everything from backup except a specific directory/folder), and wish to encrypt those files, then you will need both include.encrypt and include rules:

include.encrypt  C:\data\...\*
exclude  C:\...\*
include C:\data\...\*

Without the line include C:\data\...\*, all files would be excluded from backup.  include.encrypt does not include files for backup, but only for encryption.

Manual backup

After a manual backup made using the graphical user interface, the on-screen backup report will state how many files were encrypted, and the encryption type used.  For example:

Encrypted (256-bit AES): 3

After a manual backup made using the command line interface, the on-screen backup report will will give the same information, in a slightly different format:

Total number of objects encrypted:            3
Data encryption type:               256-bit AES

Scheduled backup

The number of files that that has been sent encrypted is recorded in the overnight scheduled backup log file, dsmsched.log. The information is logged in the following way:

07-03-2018 19:30:48 Total number of objects encrypted:            3
07-03-2018 19:30:48 Data encryption type:               256-bit AES

Get support

Local IT support provide your first line of on-the-spot help



Common requests and fault reports can be logged using self-service




The central Service Desk is available 24x7 on +44 1865 6 12345


If you do not have an SSO account you can use this form to contact the Service Desk