BRMS can encrypt the data it writes to a tape device. The encryption is done in software on the IBM i partition, so no encrypting tape drive or other hardware encryption device is needed. To use the encryption function, you must have the BRMS Advanced feature (5770-BR1 Option 2) and Cryptographic Service Provider (5770-SS1 Option 44) installed on the operating system.
BRMS does not manage the keys used for encryption; key management remains the user's responsibility. BRMS only provides the interface through which you request encryption, name the key to use (by key store file, key store library and key record label) and choose which items are encrypted. BRMS records that key information with the save history, so at restore time it knows which key record is needed to decrypt each item. Note that what BRMS records is the reference to the key, not the key itself: the named key store file and key record must exist and be accessible on the system doing the restore, so the key store must be protected and saved independently of the encrypted backups it decrypts. For more information about key management, refer to Cryptographic services key management. To locate the topic in IBM i Information Center, expand i5/OS information -> Security -> Cryptography.
To set up BRMS to encrypt during a backup, take the following steps. The first step is to create a media policy that has encryption enabled (Create Media Policy, CRTMEDPCYBRM); the last page of that panel holds the encryption prompts:
                              Create Media Policy

 Type choices, press Enter.

   Encrypt Data . . . . . . . . . .   *YES          *NO, *YES
   Key store file . . . . . . . . .   Q1AKEYFILE    Name
   Key store library. . . . . . . .   QUSRBRM       Name
   Key record label . . . . . . . .   TESTENCRYPT

                                                                        Bottom
 F3=Exit   F5=Refresh   F12=Cancel
Now that a media policy that supports encryption has been created, you can specify it on any of the BRMS save commands, and the items being saved will be encrypted. SAVSAVFBRM and DUPMEDBRM also accept this type of media policy. This means you can encrypt save file data as it is written to media simply by specifying an encrypting media policy on SAVSAVFBRM, and if you would rather not encrypt your data during the backup itself but want it encrypted when it is duplicated to other media, you specify the encrypting media policy on DUPMEDBRM instead. In every case the key reference recorded with the save history is the one named in the media policy that was in effect for that save or duplication.
In addition to these ways of encrypting data, the backup and archive control groups provide a further control, an Encrypt value on each entry, that lets you enable or disable encryption for each save item individually.
The following is an example of how to set up a backup control group to support encryption:
                       Edit Backup Control Group Entries               RCHAS400

 Group  . . . . . . . . . . :   SAMPLE
 Default activity . . . . . :   *BKUPCY
 Text . . . . . . . . . . . :   *NONE

 Type information, press Enter.

                 Backup    List    Parallel   Private
 Seq   Items     Type      Type    Type       Authorities   Encrypt
  10   *EXIT
  20   LIBA      *DEFAULT                     *NO           *MEDPCY
  30   LIBB      *DEFAULT                     *NO           *MEDPCY
  40   LIBC      *DEFAULT                     *NO           *NO
  50   *EXIT
                                                                        Bottom
 F3=Exit   F5=Refresh   F11=Display main   F12=Cancel

An Encrypt value of *MEDPCY means the item follows the Encrypt Data setting of the media policy in effect for the backup; *NO leaves that item unencrypted even when the media policy encrypts. That media policy is set in the control group attributes:
                     Change Backup Control Group Attributes

 Group  . . . . . . . . . . . . . . . . :   SAMPLE

 Type information, press Enter.

 Media policy for:
   Full backups . . . . . . . . . . . . .   ENCRYPTPCY    Name, F4 for list
   Incremental backups  . . . . . . . . .   ENCRYPTPCY    Name, F4 for list
 Backup devices . . . . . . . . . . . . .   *BKUPCY       Name, F4 for list
 Parallel device resources:
   Minimum resources  . . . . . . . . . .   *NONE         1-32, *NONE, *AVAIL
   Maximum resources  . . . . . . . . . .                 1-32, *AVAIL, *MIN
 Sign off interactive users . . . . . . .   *BKUPCY       *YES, *NO, *BKUPCY
 Sign off limit . . . . . . . . . . . . .   *BKUPCY       0-999 minutes, *BKUPCY
 Default weekly activity  . . . . . . . .   *BKUPCY       SMTWTFS(F/I), *BKUPCY
 Incremental type . . . . . . . . . . . .   *BKUPCY       *CUML, *INCR, *BKUPCY
 Force full backup days . . . . . . . . .   *BKUPCY       0-365, *NOMAX, *BKUPCY
                                                                        More...
 F3=Exit   F4=Prompt   F12=Cancel
Now that the backup control group is set up to use encryption, you can run the backup and verify that the items were saved encrypted. To view the save history and its encryption information, use Work with Media Information (WRKMEDIBRM); the Encrypted, Key Store File, Key Store Library and Key Record Label columns show, for each saved item, whether it was encrypted and which key record is needed to restore it:
                         Work with Media Information                   RCHAS400
 Position to Date  . . . . .

 Type options, press Enter.
   2=Change   4=Remove   5=Display   6=Work with media   7=Restore
   9=Work with saved objects   ...

      Saved                Encrypted  Key Store    Key Store  Key Record
 Opt  Item                            File         Library    Label
      LIB                  *NO
      LIBCOPY              *NO
      LIBCOPY2             *NO
      DLIB002              *YES       Q1AKEYFILE   QUSRBRM    TESTENCRYPT
      DLIB003              *NO
      QUSRBRM              *NO
      DLIB003              *NO
      DLIB004              *NO
      DLIB005              *NO
      DLIB002              *YES       Q1AKEYFILE   QUSRBRM    TESTENCRYPT
                                                                        More...
 F3=Exit   F5=Refresh   F11=Volume identifier   F12=Cancel   F23=More options
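The check a practitioner wants after the backup runs is the one this page leaves to the eye: confirm that every control-group item whose Encrypt value defers to an encrypting media policy really shows *YES in the save history with the expected key store file, library and record label, that items marked *NO were not encrypted by accident, and list the key references that must exist on the restoring system. The following is an added example, not code from the IBM page or from BRMS. It models the media policy, the control-group entries and the Work with Media Information rows shown above as plain Python data and audits them; the history rows are constructed text in the panel's column order (you would paste or export the real rows), and the parser, the finding codes and the function names are this example's own assumptions, not a BRMS API.

```python
"""Audit BRMS save history against the encryption configuration (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

KeyRef = Tuple[str, str, str]   # (key store file, key store library, key record label)
Finding = Tuple[str, str, str]  # (item, code, detail)


@dataclass(frozen=True)
class MediaPolicy:
    name: str
    encrypt: bool                      # Encrypt Data *YES/*NO on the media policy
    key_ref: Optional[KeyRef] = None   # required when encrypt is True


@dataclass(frozen=True)
class ControlGroupEntry:
    seq: int
    item: str
    encrypt: str                       # Encrypt column: "*MEDPCY", "*NO", or "" for *EXIT lines


@dataclass(frozen=True)
class SaveHistoryRow:
    item: str
    encrypted: bool
    key_ref: Optional[KeyRef]


def parse_history(text: str) -> List[SaveHistoryRow]:
    """Parse rows laid out like the Work with Media Information panel: item, *YES/*NO,
    and for encrypted items the key store file, key store library and key record label.
    Headings, blank lines and function-key lines have no *YES/*NO in column 2 and are skipped."""
    rows: List[SaveHistoryRow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] not in ("*YES", "*NO"):
            continue
        item, flag = parts[0], parts[1]
        if flag == "*NO":
            rows.append(SaveHistoryRow(item, False, None))
        elif len(parts) == 5:
            rows.append(SaveHistoryRow(item, True, (parts[2], parts[3], parts[4])))
        else:
            # An encrypted item without a complete key reference cannot be restored;
            # fail loudly instead of letting it pass the audit.
            raise ValueError(f"encrypted item {item} lacks a complete key reference: {line!r}")
    return rows


def expected_key(entry: ControlGroupEntry, policy: MediaPolicy) -> Optional[KeyRef]:
    """Key reference the item should have been saved with, or None if it should be in the clear.
    Encrypt *NO on the entry overrides the policy; *MEDPCY defers to the policy's Encrypt Data."""
    if entry.encrypt == "*MEDPCY" and policy.encrypt:
        return policy.key_ref
    if entry.encrypt in ("*MEDPCY", "*NO"):
        return None
    raise ValueError(f"unsupported Encrypt value {entry.encrypt!r} on seq {entry.seq}")


def audit(entries: List[ControlGroupEntry], policy: MediaPolicy,
          history: List[SaveHistoryRow]) -> List[Finding]:
    """Compare the most recent save of each control-group item with what the configuration requires."""
    findings: List[Finding] = []
    for entry in entries:
        if entry.item.startswith("*"):          # *EXIT and similar entries save no data
            continue
        wanted = expected_key(entry, policy)
        saves = [r for r in history if r.item == entry.item]
        if not saves:
            findings.append((entry.item, "NOT_SAVED", "no save history row"))
            continue
        last = saves[-1]                        # rows are assumed oldest first
        if wanted is not None and not last.encrypted:
            findings.append((entry.item, "NOT_ENCRYPTED",
                             f"policy {policy.name} requires encryption but the item was saved in the clear"))
        elif wanted is not None and last.key_ref != wanted:
            findings.append((entry.item, "KEY_MISMATCH",
                             f"saved with {last.key_ref}, policy {policy.name} names {wanted}"))
        elif wanted is None and last.encrypted:
            findings.append((entry.item, "UNEXPECTED_ENCRYPTION",
                             f"entry says Encrypt {entry.encrypt} but the item was saved with {last.key_ref}"))
    return findings


def restore_key_references(history: List[SaveHistoryRow]) -> Set[KeyRef]:
    """Key store files and key records that must exist on the restoring system:
    BRMS records only this reference, never the key material itself."""
    return {r.key_ref for r in history if r.encrypted and r.key_ref is not None}


# Constructed sample data mirroring the page's ENCRYPTPCY policy and SAMPLE control group.
ENCRYPTPCY = MediaPolicy("ENCRYPTPCY", True, ("Q1AKEYFILE", "QUSRBRM", "TESTENCRYPT"))
SAMPLE_GROUP = [
    ControlGroupEntry(10, "*EXIT", ""),
    ControlGroupEntry(20, "LIBA", "*MEDPCY"),
    ControlGroupEntry(30, "LIBB", "*MEDPCY"),
    ControlGroupEntry(40, "LIBC", "*NO"),
    ControlGroupEntry(50, "*EXIT", ""),
]
# Constructed save history in the panel's column order; LIBB should have been encrypted but was not.
SAMPLE_HISTORY = """\
     Saved        Encrypted  Key Store    Key Store  Key Record
Opt  Item                    File         Library    Label
     LIBA         *YES       Q1AKEYFILE   QUSRBRM    TESTENCRYPT
     LIBB         *NO
     LIBC         *NO
"""
```

Running audit(SAMPLE_GROUP, ENCRYPTPCY, parse_history(SAMPLE_HISTORY)) returns a single NOT_ENCRYPTED finding for LIBB, and restore_key_references() returns the one (Q1AKEYFILE, QUSRBRM, TESTENCRYPT) reference that must be present before any of these saves can be restored. The audit deliberately treats an encrypted row with a missing or different key reference as a failure rather than a warning: the panel's *YES alone says nothing about whether the key needed to read the tape still exists.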