IBM Support

IBM Tivoli Storage Manager may overwrite the encryption keys resulting in data loss.

Flashes (Alerts)


Abstract

This flash describes an important problem that affects IBM Tivoli Storage Manager Server versions 5.4.2.1 and above using HP Ultrium 4 Tape Drives with Application Managed Encryption (DRIVEENCRYPTION=ON). If a device has previously been configured to use encryption and then modified to perform no encryption (DRIVEENCRYPTION=ALLOW or DRIVEENCRYPTION=OFF), TSM may overwrite the encryption keys stored in the database, resulting in data loss. This issue is addressed by APAR IC57974.

Content

When using TSM 5.4.2.1 and above with HP Ultrium 4 Tape Drives and Application Managed Encryption (DRIVEENCRYPTION=ON), the problem will be encountered if the drives are later modified to perform no encryption (DRIVEENCRYPTION=ALLOW or DRIVEENCRYPTION=OFF). Any attempt to access a previously encrypted volume will result in the volume's encryption key being overwritten in the TSM database.

Without the volume's encryption key, the data on the volume cannot be decrypted and is therefore unrecoverable.

NOTE: If volumes with deleted encryption keys exist, there may be database backups that have stored these encryption keys. If the encryption key is available on a database backup, the data on these volumes can be recovered with assistance from IBM service.

How to identify affected volumes

  • Search the activity log for ANR8507W messages associated with any of the encrypted volumes in the library.
  • Search for an ANR8302E error associated with the same encrypted volume while reading data from the volume. The sense data will show KEY=07 and ASC/ASCQ=74/03.
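
The two searches above can be correlated per volume over an exported activity log. The following is an added example, not IBM-supplied code: the log lines are constructed and simplified (the real message texts are not reproduced in this flash), and the assumption that each message names its volume as "volume NAME" and reports sense data as KEY=, ASC= and ASCQ= fields must be adjusted to match the actual output.

```python
import re
from collections import defaultdict

# Constructed, simplified activity-log lines; NOT IBM's real message text.
SAMPLE_ACTLOG = """\
09/02/2008 10:14:03 ANR8507W (constructed text) volume VOL001 in library LIB1
09/02/2008 10:14:09 ANR8302E (constructed text) drive DRV1 volume VOL001 (KEY=07, ASC=74, ASCQ=03)
09/02/2008 11:30:41 ANR8302E (constructed text) drive DRV2 volume VOL002 (KEY=03, ASC=11, ASCQ=00)
09/02/2008 12:05:17 ANR8507W (constructed text) volume VOL003 in library LIB1
09/02/2008 12:40:00 ANR8302E (constructed text) drive DRV1 volume VOL004 (KEY=07, ASC=74, ASCQ=03)
"""

MSG_ID = re.compile(r"\b(ANR8507W|ANR8302E)\b")
# Assumption: the volume name follows the word "volume" in both messages.
VOLUME = re.compile(r"\bvolume\s+([A-Za-z0-9_.-]+)", re.IGNORECASE)
SENSE = re.compile(r"\b(KEY|ASC|ASCQ)\s*=\s*([0-9A-Fa-f]{2})\b")
# Sense data named in this flash: KEY=07, ASC/ASCQ=74/03.
TARGET_SENSE = {"KEY": "07", "ASC": "74", "ASCQ": "03"}


def classify_volumes(actlog_text):
    """Group volumes by which of the two indicators the log shows for them."""
    seen = defaultdict(set)
    for line in actlog_text.splitlines():
        msg, vol = MSG_ID.search(line), VOLUME.search(line)
        if not (msg and vol):
            continue
        name = vol.group(1).upper()
        if msg.group(1) == "ANR8507W":
            seen[name].add("ANR8507W")
        else:
            # Count ANR8302E only when the sense data matches the flash;
            # other I/O errors (media faults, etc.) are ignored.
            sense = {k.upper(): v.upper() for k, v in SENSE.findall(line)}
            if all(sense.get(k) == v for k, v in TARGET_SENSE.items()):
                seen[name].add("ANR8302E")
    out = {"both": [], "ANR8507W_only": [], "ANR8302E_only": []}
    for name in sorted(seen):
        ids = seen[name]
        key = "both" if len(ids) == 2 else next(iter(ids)) + "_only"
        out[key].append(name)
    return out


if __name__ == "__main__":
    for group, volumes in classify_volumes(SAMPLE_ACTLOG).items():
        print(f"{group}: {', '.join(volumes) or '-'}")
```

Volumes listed under "both" match the two indicators in this flash; volumes showing only one indicator are reported separately so they can be reviewed rather than silently dropped.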

Affected Products
  • Tivoli Storage Manager versions 5.4.2.1, 5.5.0 and above when using HP Ultrium 4 tape drives with Application Managed Encryption.
  • Only HP Ultrium 4 Tape Drives are affected.

Environments NOT Affected
  • IBM Ultrium 4 drives with Application Managed Encryption method are NOT affected by this problem.
  • No other methods of encryption are affected.

Recommendation
Install TSM Server version 5.4.4.1, 5.5.1.1 or higher, which contains the fix for APAR IC57974.
  • 5.5.1.1 is targeted to be available at the end of September 2008.
  • 5.4.4.1 is targeted to be available at the end of November 2008.

Before the upgrade is completed:
  • Set to UNAVAILABLE all volumes that were created at the 5.4.2.1 and above levels with HP Ultrium 4 tape drives using Application Managed Encryption.

After the upgrade:
  • Create a database backup of the TSM Server database.
  • Move the data to new volumes (e.g. with the MOVE DATA command).

This process moves the data from the encrypted volumes to non-encrypted volumes without overwriting the keys for the encrypted volumes in the TSM database.

WHO TO CALL IF YOU HAVE QUESTIONS ABOUT THIS PROBLEM
After reviewing this document, if you have additional questions, contact IBM technical support for further assistance. Be sure to say that you are calling about APAR IC57974.


Document Information

Modified date: 25 September 2022

UID: swg21317983