Recovering from an encrypted backup using software encryption

Backup Recovery and Media Services (BRMS) provides you with the ability to encrypt your data to a tape device. This method is called software encryption, because you do not need to use an encryption device. The BRMS interface asks for the encryption key information and what items you want encrypted. BRMS saves the key information, so for restoring, BRMS knows what key information is needed to decrypt on the restore.

The key used to encrypt the data on tape is stored in a cryptographic services keystore file called QUSRBRM/Q1AKEYFILE. All key values in the keystore file are encrypted under a master key. If the master key is not set correctly or is missing, or if the keystore file is missing, or the key record in the keystore file is missing, you cannot recover the encrypted data off the tape.

If you are restoring the encrypted backup on another system, ensure that the keystore file QUSRBRM/Q1AKEYFILE exists. If not, perform one of the following methods:

If you must restore the master key (for example, the Licensed Internal Code was reinstalled, or you are restoring on another system), use one of the following methods:

  • Reload the individual passphrases and set the master key.
  • Restore the master keys from a Save System (SAVSYS) tape. In this situation, you must ensure that the save/restore master key on the target system matches the save/restore master key on the source system.

For information about using BRMS to encrypt your data to a tape device, see "Software encryption using BRMS" in Backup, Recovery, and Media Services for i5/OS.

Parent topic: Restoring encrypted backups and encrypted auxiliary storage pools
Related tasks:
Checklist 21: Recovering your entire system after a complete system loss including independent auxiliary storage pools
Related information:
Creating a new keystore file
Decrypting your data
Saving and restoring master keys
Loading and setting master keys