Admin Alert: Four Ways To Encrypt i5/OS Backups,
Published: May 13, 2009
by Joe Hertvik
Backup media encryption is becoming a rapidly growing concern for companies that are dealing with ever increasing regulatory, legal, compliance, and identity theft prevention requirements. This issue and next, I'll look at four techniques that i5/OS users have for encrypting backups for greater protection and to satisfy auditors and government agencies. I'll explore what technologies are available, as well as the advantages and disadvantages of using each technology.
What To Encrypt?
Your first encryption decision involves specifying what you need to encrypt. In general, one or more of the following items need to be encrypted as they are saved to media for off-site storage.
- Production partition user data--Generally a no-brainer as the production partition contains live information involving your business and (perhaps) your customer's personal information.
- Capacity BackUp (CBU) system data--If you're running a CBU and it's replicating all the data on your production system to within a minute or two of creation, you should also look at encrypting CBU user data saves before the media moves off site. If the data can be retrieved from a production box's non-encrypted backup, it can also be retrieved from a CPU backup. Plus if you ever plan on restoring encrypted information from a production box to the CBU (or vice versa), both boxes should have the same encryption capabilities.
- Development partition data--Some people argue that development system data should be locked down tighter than production data. Why? Because many organizations rebuild their development environment by restoring production data to the test partition and security may be more lax on a development system. So while a development system isn't a production system per se, there may be enough slightly outdated live data on it to cause a number of legal, regulatory, compliance, and identity theft issues if its data falls into the wrong hands. And if you're performing encrypted backups on your production system, your development partition may need to decrypt backed up data in order to repopulate itself from encrypted production backup media.
- Operating system information--Generally, you shouldn't attempt to perform an encrypted backup on operating system data or on IBM i5/OS libraries ('Q' libraries). This is because it will be difficult or impossible to rebuild your base operating system from encrypted backups if a disaster occurs. In addition, operating system data generally doesn't present a security risk if it falls into the wrong hands, so it's usually more efficient to only back up sensitive production data.
Before you work on the mechanics of encrypting your backups, you'll need to determine exactly what systems and data should be encrypted in your backups.
The Path to Encrypted Backups
You generally have four options to encrypt backup media from your i5/OS systems.
- Software encryption through IBM's Backup Recovery and Media Services (BRMS) licensed program (i5/OS V6R1 only)
- Software encryption through a third-party product
- Hardware encryption through tape drive capabilities
- Hardware encryption through an in-line encryption backup solution
This week, I'll discuss some software encryption solutions. Next week, I'll discuss hardware encryption.
Software Encryption Through BRMS
Starting with i5/OS V6R1, IBM's Backup Recovery and Media Services (BRMS) licensed program product supports backup encryption to a media device. To do this, you must have the following products or features installed on your System i or Power i box.
- i5/OS V6R1
- Media and Storage Extensions (5761-SS1, Option 18)
- Cryptographic Service Provider (5761-SS1, Option 35)
- Encrypted Backup Enablement (5761-SS1, Option 44)
- BRMS Advanced Feature licensed program (5761-BR1, Option 2)
- IBM Systems Director Navigator for i5/OS
I won't go into all the details on how to perform encrypt backups with BRMS, but there's an excellent online presentation describing this process from IBM's System and Technology Group Lab Services. The presentation is called "Safeguarding Your Backup Data With i5/OS B6R1 Encryption" and it covers many of the ins and outs of software encryption through BRMS. The IBM Backup, Recovery, and Media Services for i5/OS manual (SC41-5345-06) also contains information on software encryption using BRMS.
With BRMS under i5/OS V6R1, you can produce encrypted backups to tape drives and libraries, as well as to virtual tape drives. However, you cannot perform an encrypted backup to save files or other media devices, such as optical media.
BRMS encrypted backups may also suffer from the following liabilities:
- You will have to convert your backup strategy to BRMS, if you're currently using a homegrown strategy. There may be additional costs to purchase BRMS for your system and to train your operations staff on how to use the product.
- SAVSYS and SAVSYSINF backups should not be encrypted. If these backups are encrypted, you won't be able to restore parts of your operating system. BRMS also will not encrypt any libraries that start with the letter 'Q'.
- Encrypted data does not compact well, which increases the size of the backup data on your media. According to IBM, BRMS encryption will cause you to lose some data compaction capabilities, which may force you to use extra media when backing up.
- BRMS backup encryption will degrade backup times. Because of the loss of compaction capabilities and data encryption, encrypted backups can take longer to perform than a standard non-encrypted backup, particularly when backing up large files. So your backup window will become larger. Encrypted backups may also use a higher percentage of system CPU.
Software Encryption Through a Third-Party Product
There are other third-party i5/OS packages besides BRMS that allow you to perform software encryption before writing files out to backup media. Here's a partial list of vendors who provide i5/OS encryption products and services.
Similar to BRMS, many of these products encrypt data before backing it up, but you may also run into similar configuration and performance issues as with BRMS (including having to purchase products and training; reconfiguring custom backup programs; and increased backup times). Here are some additional items you may encounter when using one of these products:
- Because products may use their own save commands for encryption, rather than IBM commands, you may not be able to run an i5/OS full system backup (GO SAVE, option 21) to produce an encrypted backup. If that's the case, check with the vendor and they may provide a substitute routine for performing a full system encrypted backup.
- Check with your software vendor to make sure that you can perform an encrypted backup for any IFS data files and folders that may contain sensitive data.
- In a disaster-recovery situation, where you are reloading your system to a different machine, restoration is a two-stage process. You first have to restore your operating system and reload and reconfigure your encryption software from media before restoring the rest of your encrypted data from media. As I mentioned before, your operating system and IBM libraries should not be backed up to encrypted media for this reason. However, that also means that you will not want to perform encrypted backups to the objects that contain your third-party encryption software.
The nice thing about using a third-party package rather than BRMS is that most of these packages are available on i5/OS V5R4 (and possibly below, check with the vendor). You need to be on i5/OS V6R1 to perform encrypted backups using BRMS. This makes third-party packages an attractive alternative for people who will not be upgrading to V6R1 in the foreseeable future.
Software Encryption vs. Hardware Encryption, Round 1
Software encryption has one big advantage over hardware encryption. With software encryption, all objects are encrypted before they are written to media. This means that you will not have to update your backup media drives or media cassettes (such as tapes) to add encryption capabilities, as you would have to if you use certain forms of tape drive encryption (which I'll discuss next week). With hardware device encryption, you may have to start using a different media format (such as LTO 4 tapes) to encrypt your backup data. So a big advantage with software encryption is that you can continue to use your existing media format types and media devices while adding encrypted backup capabilities.
Coming Soon. . .
Next week, I'll shift gears and take a look at some of the hardware-based encryption strategies you can use for encrypted backups.
Post this story to del.icio.us
Post this story to Digg
Post this story to Slashdot