With application-managed encryption, the application provides the key password to the API (using key DSM_ENCRYPT_USER) and it is the application's responsibility to manage the key password.
`include.encrypt /.../*` (UNIX)
`include.encrypt *\...\*` (Windows)
To encrypt the object /FS1/DB2/FULL, set:
`include.encrypt /FS1/DB2/FULL`
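To check before a backup which object names a given include.encrypt pattern covers, the following added example (not IBM's code and not part of the API) implements a simplified matcher for the UNIX patterns shown above. It assumes that a `...` segment matches zero or more directory levels and that `*` and `?` match only within one level; the function names and sample object names are constructed, and other include-exclude statements and character-class wildcards are not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Match one name segment against one pattern segment (neither contains '/').
 * '*' matches any run of characters, '?' exactly one character. */
static int seg_match(const char *p, size_t pn, const char *s, size_t sn)
{
    if (pn == 0) return sn == 0;
    if (p[0] == '*')
        return seg_match(p + 1, pn - 1, s, sn) ||
               (sn > 0 && seg_match(p, pn, s + 1, sn - 1));
    if (sn == 0) return 0;
    return (p[0] == '?' || p[0] == s[0]) &&
           seg_match(p + 1, pn - 1, s + 1, sn - 1);
}

static size_t seg_len(const char *s) { return strcspn(s, "/"); }

/* Returns 1 if the absolute UNIX object name is covered by the pattern.
 * Assumed semantics: a "..." segment matches zero or more directory levels. */
int encrypt_pattern_matches(const char *pat, const char *name)
{
    if (*pat == '\0') return *name == '\0';
    if (*pat != '/') return 0;               /* only absolute patterns */
    const char *p = pat + 1;
    size_t pn = seg_len(p);
    if (pn == 3 && memcmp(p, "...", 3) == 0) {
        if (encrypt_pattern_matches(p + 3, name)) return 1;  /* zero levels */
        if (*name != '/') return 0;
        /* let "..." absorb one level of the name and try again */
        return encrypt_pattern_matches(pat, name + 1 + seg_len(name + 1));
    }
    if (*name != '/') return 0;
    const char *s = name + 1;
    size_t sn = seg_len(s);
    return seg_match(p, pn, s, sn) && encrypt_pattern_matches(p + pn, s + sn);
}

int main(void)
{
    /* Constructed object names; the two patterns are the ones shown above. */
    const char *pats[]  = { "/.../*", "/FS1/DB2/FULL" };
    const char *names[] = { "/FS1/DB2/FULL", "/FS1/DB2/INCR", "/FS2/LOGS/A1" };
    for (size_t i = 0; i < 2; i++)
        for (size_t j = 0; j < 3; j++)
            printf("include.encrypt %-14s %-14s %s\n", pats[i], names[j],
                   encrypt_pattern_matches(pats[i], names[j])
                       ? "match" : "no match");
    return 0;
}
```
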
After an object is sent, the dsmEndSendObjEx call specifies whether the object was encrypted and which method was used. Possible values in the encryptionType field:
The following table lists the API encryption types, prerequisites, and functions available.
Type | Prerequisite | Function available |
---|---|---|
ENCRYPTIONTYPE | None | Set the ENCRYPTIONTYPE in the option string that is passed to the API in the dsmInitEx call on Windows. ENCRYPTIONTYPE=AES128 by default. |
EncryptKey=save | None | API and backup-archive |
EncryptKey=prompt | None | API and backup-archive |
EncryptKey=generate | None | API and backup-archive |
EnableClientEncryptKey | None | API only |
Table 2 shows how both Authorized Users and non-Authorized Users can encrypt or decrypt data during a backup or restore operation, depending on the value that is specified for the passwordaccess option. The TSM.PWD file must exist to perform the following authorized-user and non-authorized-user operations. The authorized user creates the TSM.PWD file and sets the encryptkey option to save and the passwordaccess option to generate.
Operation | passwordaccess option | encryptkey option | Result |
---|---|---|---|
Authorized user backup | generate | save | Data encrypted. |
Authorized user backup | generate | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Authorized user backup | prompt | save | Data encrypted if encryptionPasswordP contains an encryption password. |
Authorized user backup | prompt | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Authorized user restore | generate | save | Data encrypted. |
Authorized user restore | generate | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Authorized user restore | prompt | save | Data encrypted if encryptionPasswordP contains an encryption password. |
Authorized user restore | prompt | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Non-authorized user backup | generate | save | Data encrypted. |
Non-authorized user backup | generate | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Non-authorized user backup | prompt | save | Data encrypted if encryptionPasswordP contains an encryption password. |
Non-authorized user backup | prompt | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Non-authorized user restore | generate | save | Data encrypted. |
Non-authorized user restore | generate | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |
Non-authorized user restore | prompt | save | Data encrypted if encryptionPasswordP contains an encryption password. |
Non-authorized user restore | prompt | prompt | Data encrypted if encryptionPasswordP contains an encryption password. |