Recovering from an encrypted backup using software encryption

Backup, Recovery, and Media Services (BRMS) lets you encrypt the data that you save to a tape device. This method is called software encryption because it does not require an encryption device. The BRMS interface asks for the encryption key information and which items you want encrypted. BRMS saves the key information so that, on a restore, it knows which key is needed to decrypt the data.

The key used to encrypt the data on tape is stored in a cryptographic services keystore file called QUSRBRM/Q1AKEYFILE. All key values in the keystore file are encrypted under a master key. If the master key is missing or not set correctly, if the keystore file is missing, or if the key record in the keystore file is missing, you cannot recover the encrypted data from the tape.

If you are restoring the encrypted backup on another system, ensure that the keystore file QUSRBRM/Q1AKEYFILE exists on that system. If it does not, use one of the following methods:

  • Move the keystore file from the source system to the target system.
    1. Use the Save Object (SAVOBJ) CL command to copy the keystore file from the source system.
    2. Transfer the media to the target system.
    3. Use the Restore Object (RSTOBJ) CL command to copy the keystore file to the target system.
  • Create a new keystore file.
    If you create the keystore file, or if it already exists, you must move the key that was used to encrypt the data on tape into the keystore file. For information about moving keys from a keystore file on one system to a keystore file on another system, see Distributing keys.
    Note: The master key value that encrypts the key values in QUSRBRM/Q1AKEYFILE must be identical on both systems.
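
The first method above (SAVOBJ on the source system, RSTOBJ on the target system) can be scripted as a CL program for the target system. This is an added example, not code from IBM or from the original page; the tape device name TAP01 is an assumption, and the source-side save command is shown in the opening comment.

```cl
/* Added example (not IBM-supplied). Constructed assumptions: tape   */
/* device TAP01, and media written on the source system with         */
/*   SAVOBJ OBJ(Q1AKEYFILE) LIB(QUSRBRM) DEV(TAP01) OBJTYPE(*FILE)   */
/* is already mounted on the target system.                          */
PGM
  DCL VAR(&PRESENT) TYPE(*LGL) VALUE('1')

  /* CPF9801 = object not found: the keystore file is missing here */
  CHKOBJ OBJ(QUSRBRM/Q1AKEYFILE) OBJTYPE(*FILE)
  MONMSG MSGID(CPF9801) EXEC(CHGVAR VAR(&PRESENT) VALUE('0'))

  IF COND(&PRESENT) THEN(DO)
    /* Keystore exists: the key record must be moved into it */
    /* (see Distributing keys) rather than replacing the file */
    SNDPGMMSG MSG('QUSRBRM/Q1AKEYFILE already exists. Move the +
                   key record into it instead of restoring the file.')
    RETURN
  ENDDO

  /* Keystore missing: restore it from the transferred media */
  RSTOBJ OBJ(Q1AKEYFILE) SAVLIB(QUSRBRM) DEV(TAP01) OBJTYPE(*FILE)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
              MSGDTA('Restore of QUSRBRM/Q1AKEYFILE failed. See +
                      the job log') MSGTYPE(*ESCAPE)
  ENDDO

  /* The restored key values decrypt only under the same master key */
  SNDPGMMSG MSG('QUSRBRM/Q1AKEYFILE restored. The master key +
                 value must be identical to the source system.')
ENDPGM
```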

If you must restore the master key (for example, the Licensed Internal Code was reinstalled, or you are restoring on another system), use one of the following methods:

  • Reload the individual passphrases and set the master key.
  • Restore the master keys from a Save System (SAVSYS) tape. In this situation, you must ensure that the save/restore master key on the target system matches the save/restore master key on the source system.

For information about using BRMS to encrypt your data to a tape device, see Software encryption using BRMS in Backup, Recovery, and Media Services for i.