Admin Alert: Four Ways To Encrypt i5/OS Backups,
May 13, 2009 Joe Hertvik
Backup media encryption is a rapidly growing concern for companies that are dealing with ever-increasing regulatory, legal, compliance, and identity theft prevention requirements. In this issue and the next, I’ll look at four techniques that i5/OS users have for encrypting backups for greater protection and to satisfy auditors and government agencies. I’ll explore what technologies are available, as well as the advantages and disadvantages of using each technology.
What To Encrypt?
Your first encryption decision involves specifying what you need to encrypt. In general, one or more of the following items need to be encrypted as they are saved to media for off-site storage.
Before you work on the mechanics of encrypting your backups, you’ll need to determine exactly what systems and data should be encrypted in your backups.
The Path to Encrypted Backups
You generally have four options to encrypt backup media from your i5/OS systems.
This week, I’ll discuss some software encryption solutions. Next week, I’ll discuss hardware encryption.
Software Encryption Through BRMS
Starting with i5/OS V6R1, IBM’s Backup Recovery and Media Services (BRMS) licensed program product supports backup encryption to a media device. To do this, you must have the following products or features installed on your System i or Power i box.
I won’t go into all the details on how to perform encrypted backups with BRMS, but there’s an excellent online presentation describing this process from IBM’s System and Technology Group Lab Services. The presentation is called “Safeguarding Your Backup Data With i5/OS V6R1 Encryption” and it covers many of the ins and outs of software encryption through BRMS. The IBM Backup, Recovery, and Media Services for i5/OS manual (SC41-5345-06) also contains information on software encryption using BRMS.
With BRMS under i5/OS V6R1, you can produce encrypted backups to tape drives and libraries, as well as to virtual tape drives. However, you cannot perform an encrypted backup to save files or other media devices, such as optical media.
BRMS encrypted backups may also suffer from the following liabilities:
Software Encryption Through a Third-Party Product
There are other third-party i5/OS packages besides BRMS that allow you to perform software encryption before writing files out to backup media. Here’s a partial list of vendors who provide i5/OS encryption products and services.
Like BRMS, many of these products encrypt data before backing it up, and you may run into the same kinds of configuration and performance issues as with BRMS (including having to purchase products and training, reconfiguring custom backup programs, and increased backup times). Here are some additional items you may encounter when using one of these products:
The nice thing about using a third-party package rather than BRMS is that most of these packages are available on i5/OS V5R4 (and possibly below; check with the vendor). You need to be on i5/OS V6R1 to perform encrypted backups using BRMS. This makes third-party packages an attractive alternative for people who will not be upgrading to V6R1 in the foreseeable future.
Software Encryption vs. Hardware Encryption, Round 1
Software encryption has one big advantage over hardware encryption. With software encryption, all objects are encrypted before they are written to media. This means that you will not have to update your backup media drives or media cassettes (such as tapes) to add encryption capabilities, as you would have to if you use certain forms of tape drive encryption (which I’ll discuss next week). With hardware device encryption, you may have to start using a different media format (such as LTO 4 tapes) to encrypt your backup data. So a big advantage with software encryption is that you can continue to use your existing media format types and media devices while adding encrypted backup capabilities.
Coming Soon. . .
Next week, I’ll shift gears and take a look at some of the hardware-based encryption strategies you can use for encrypted backups.