Software Encryption using BRMS

BRMS lets you encrypt the data it writes to a tape device. This is a software encryption solution and is independent of the hardware, so no encryption-capable tape drive or other encryption device is required. To use the encryption function, the BRMS Advanced feature (5770-BR1 Option 2) and the Cryptographic Service Provider (5770-SS1 Option 44) must be installed on the operating system.

BRMS does not manage the keys used for encryption; you remain responsible for key management. BRMS provides the interface for requesting encryption, naming the key to use (key store file, key store library and key record label), and choosing which items are encrypted. BRMS also records this key information in its save history, so that at restore time it knows which key record is needed to decrypt the data. It is the key reference that is recorded, not the key itself, so the key store file and the master key that protects it must be available on the system that performs the restore. For more information about key management, refer to Cryptographic services key management. To locate the topic in IBM i Information Center, expand i5/OS information->Security->Cryptography.

To set up BRMS to encrypt during a backup you will need to take the following steps:

  1. Set up a media policy in BRMS that supports encryption. Type WRKPCYBRM *MED, and press Enter.
  2. Type option 1 to create a media policy. In this example the policy is called ENCRYPTPCY.
  3. Page down to the last display, the Encrypt Data section. The following encryption parameters are displayed:
                               Create Media Policy                                 
                                                                                   
                                                                                   
    Type choices, press Enter.                                                     
                                                                                   
      Encrypt Data . . . . . . . . . . .   *YES        *NO, *YES                   
        Key store file . . . . . . . . .   Q1AKEYFILE  Name                        
        Key store library. . . . . . . .   QUSRBRM     Name                        
        Key record label . . . . . . . .   TESTENCRYPT                             
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                             Bottom
     F3=Exit   F5=Refresh   F12=Cancel                                             
                                                                                   
  4. Set Encrypt Data to *YES, then enter the key store file, the key store library and the key record label of the key the backup is to use. The key record must already exist in that key store; BRMS does not create or manage keys.
  5. Review and change the remaining media policy parameters, and press Enter to create the media policy.

Now that a media policy that supports encryption exists, you can specify it on any of the BRMS save commands, and the items being saved are encrypted. SAVSAVFBRM and DUPMEDBRM also accept this type of media policy, so save file data can be encrypted as it is written to media simply by naming an encrypting media policy. Likewise, if you would rather not encrypt the data during the backup itself but want the copy made when you duplicate it to other media to be encrypted, specify a media policy that supports encryption on the duplication.

In addition to these ways of requesting encryption, the backup and archive control groups provide a per-item control that lets you enable or disable encryption for each save item.

The following is an example of how to set up a backup control group to support encryption:

  1. Type WRKCTLGBRM *BKU, and press Enter.
  2. Type option 1 (Create) or option 2 (Edit) and press Enter.
  3. Press F11 twice to bring up the Advanced backup controls display.
                         Edit Backup Control Group Entries               RCHAS400  
                                                                                   
     Group . . . . . . . . . . : SAMPLE                                            
     Default activity  . . . . . *BKUPCY                                           
     Text  . . . . . . . . . . . *NONE                                             
                                                                                   
     Type information, press Enter.                                                
                                                                                   
                                                                                   
          Backup     List Parallel    Private                                      
     Seq  Items      Type Type        Authorities   Encrypt                        
                                                                                   
       10 *EXIT                                                                    
       20 LIBA            *DEFAULT    *NO           *MEDPCY                        
       30 LIBB            *DEFAULT    *NO           *MEDPCY                        
       40 LIBC            *DEFAULT    *NO           *NO                            
       50 *EXIT                                                                    
                                                                                   
                                                                                   
                                                                                   
                                                                             Bottom
                                                                                   
     F3=Exit   F5=Refresh   F11=Display main   F12=Cancel                          
  4. To encrypt a specific backup item, type *MEDPCY in the Encrypt column; encryption of that item is then governed by the media policy used for the backup. To leave a specific item unencrypted even when the media policy encrypts, type *NO in the same column.
  5. Review and change the remaining parameters in the backup control group, press F3 to exit, and take option 1 to save the backup control group.
  6. From the Work with Backup Control Groups display, type 8 next to the backup control group that you just created or updated.
  7. Under Media policy for, make sure that the backups you want encrypted use a media policy that supports encryption. In this display, the media policy ENCRYPTPCY is used for both full and incremental backups.
                            Change Backup Control Group Attributes                  
                                                                                    
     Group  . . . . . . . . . . . . . . . . : SAMPLE                                
                                                                                    
     Type information, press Enter.                                                 
                                                                                    
     Media policy for:                                                              
       Full backups . . . . . . . . . . . . . ENCRYPTPCY  Name, F4 for list         
       Incremental backups  . . . . . . . . . ENCRYPTPCY  Name, F4 for list         
     Backup devices . . . . . . . . . . . . . *BKUPCY     Name, F4 for list         
                                                                                    
                                                                                    
                                                                                    
     Parallel device resources:                                                     
       Minimum resources  . . . . . . . . . . *NONE       1-32, *NONE, *AVAIL       
       Maximum resources  . . . . . . . . . .             1-32, *AVAIL, *MIN        
     Sign off interactive users . . . . . . . *BKUPCY     *YES, *NO, *BKUPCY        
     Sign off limit . . . . . . . . . . . . . *BKUPCY     0-999 minutes, *BKUPCY    
     Default weekly activity  . . . . . . . . *BKUPCY     SMTWTFS(F/I), *BKUPCY     
     Incremental type . . . . . . . . . . . . *BKUPCY     *CUML, *INCR, *BKUPCY     
     Force full backup days . . . . . . . . . *BKUPCY     0-365, *NOMAX, *BKUPCY    
                                                                            More... 
     F3=Exit   F4=Prompt   F12=Cancel                                               
                                                                                    
  8. Review and change the remaining parameters, and press Enter to save and exit.
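The same two ways of requesting encryption, an encrypting media policy on an ad hoc save command and a control group whose items are marked *MEDPCY, driven from the command line. This is an added example and is not from the original page: the media policy ENCRYPTPCY and the control group SAMPLE are the ones set up above, while the tape device TAP01, the library LIBA and a second media policy PLAINPCY with Encrypt Data set to *NO are assumptions.

```cl
/* Added example (not from the original page). Assumes: media policy      */
/* ENCRYPTPCY (Encrypt Data *YES) and control group SAMPLE exist as set   */
/* up above; PLAINPCY is an assumed media policy with Encrypt Data *NO;   */
/* TAP01 is an assumed tape device; LIBA is an assumed user library.      */

/* Ad hoc save of one library, encrypted: the media policy supplies the   */
/* key store file, key store library and key record label, and BRMS      */
/* records those three values in the media information for the restore.  */
SAVLIBBRM  LIB(LIBA) DEV(TAP01) MEDPCY(ENCRYPTPCY) ENDOPT(*LEAVE)

/* Same save, not encrypted: only the media policy changes.               */
SAVLIBBRM  LIB(LIBA) DEV(TAP01) MEDPCY(PLAINPCY) ENDOPT(*UNLOAD)

/* Run the control group in the current job. Items marked *MEDPCY (LIBA,  */
/* LIBB) are encrypted because the group's media policy is ENCRYPTPCY;   */
/* the item marked *NO (LIBC) is written in the clear on the same media. */
STRBKUBRM  CTLGRP(SAMPLE) SBMJOB(*NO)

/* Confirm the result: pressing F11 three times on this display shows    */
/* Encrypted, Key Store File, Key Store Library and Key Record Label for */
/* each saved item.                                                      */
WRKMEDIBRM
```

The point of the second SAVLIBBRM is that the save command itself never mentions a key: whether an item is encrypted, and with which key record, is decided entirely by the media policy named on the command or attached to the control group.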

After you have set up the backup control group to use encryption, run the backup; the items should be saved encrypted. To view the save history and its encryption information, do the following:

  1. Type WRKMEDIBRM on command line and press Enter.
  2. Press F11 three times to reach the Encryption information display. Items saved with encryption show *YES in the Encrypted column together with the key store file, key store library and key record label that were used; these are the values BRMS needs to locate the key at restore time.
                            Work with Media Information                  RCHAS400  
                                                                                   
     Position to Date . . . . .                                                    
                                                                                   
     Type options, press Enter.                                                    
       2=Change   4=Remove   5=Display   6=Work with media   7=Restore             
       9=Work with saved objects   ...                                             
                                                                                   
        Saved     Encrypted Key Store  Key Store   Key Record                      
    Opt Item                File       Library     Label                           
        LIB        *NO                                                             
        LIBCOPY    *NO                                                             
        LIBCOPY2   *NO                                                             
        DLIB002    *YES     Q1AKEYFILE QUSRBRM     TESTENCRYPT                     
        DLIB003    *NO                                                             
        QUSRBRM    *NO                                                             
        DLIB003    *NO                                                             
        DLIB004    *NO                                                             
        DLIB005    *NO                                                             
        DLIB002    *YES     Q1AKEYFILE QUSRBRM     TESTENCRYPT                     
                                                                            More...
     F3=Exit   F5=Refresh   F11=Volume identifier  F12=Cancel                      
     F23=More options                                                              
                                                                                   

Notes:
  1. *IBM, *SAVSYS, *SAVSECDTA, *SAVCFG and any library whose name begins with the letter Q cannot be encrypted by BRMS. This includes QUSRBRM, the library that holds the key store file in the example above: that library is saved to media without BRMS encryption, and the key records in it are protected only by the master key described below.
  2. Encrypting data costs processor time; expect a backup that encrypts to take longer than the same backup without encryption, and size the backup window accordingly.
  3. BRMS does not support encryption on optical or virtual optical devices.
Attention: It is extremely important that you understand Cryptographic services key management. The key that BRMS uses is itself encrypted under a master key, so the state of that master key directly affects whether you can recover your data: if the master key is lost, or has been changed without the key store being re-encrypted under the new value, the key record cannot be used and the encrypted backups cannot be restored. Refer to Cryptographic services key management to understand the importance of these master keys and the steps required to ensure that your data is both truly encrypted and recoverable, and make sure the master key and the key store are also in place on any system that will restore the data. To locate the topic in IBM i Information Center, expand i5/OS information->Security->Cryptography.

