Encryptkey

The Tivoli® Storage Manager client supports the option to encrypt files being backed up or archived to the Tivoli Storage Manager server. This option is enabled with the include.encrypt option.

All files matching the pattern on the include.encrypt specification are encrypted before the data is sent to the server. There are three options for managing the key used to encrypt the files (prompt, save, and generate). All three options can be used with either the backup-archive client or the Tivoli Storage Manager API.

The encryption key password is case-sensitive, can be up to 63 characters in length, and can consist only of the following characters:

A-Z
Any letter, A through Z, uppercase or lowercase. You cannot specify national language characters.
0-9
Any number, 0 through 9
+
Plus
.
Period
_
Underscore
-
Hyphen
&
Ampersand
Note:
  1. The Tivoli Storage Manager API also accepts the earlier enableclientencryptkey=yes option as an alternative way to request encryptkey=generate processing.
  2. Because enableclientencryptkey=yes is still supported, an API application can specify two conflicting options, for example enableclientencryptkey=yes together with encryptkey=prompt or encryptkey=save.
  3. When conflicting values are specified, the Tivoli Storage Manager API returns an error message.
Attention (AIX, HP-UX, Linux, Oracle Solaris, Mac OS X): When using the prompt option, your encryption key is not saved in the Tivoli Storage Manager password file. If you forget the key, your data cannot be recovered.
Attention (Windows): When using the prompt option, your encryption key is not saved in the Windows Registry. If you forget the key, your data cannot be recovered.

Supported Clients

This option is valid for all clients. The server can also define this option.

Options File

AIX, HP-UX, Linux, Oracle Solaris, Mac OS X: Place this option in the dsm.sys file within a server stanza. You can set this option on the Authorization tab, Encryption Key Password section of the Preferences editor.

Windows: Place this option in the client options file (dsm.opt). You can set this option on the Authorization tab, Encryption Key Password section of the Preferences editor.
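As an added example (not taken from the original page), a minimal dsm.sys server stanza that turns on client-side encryption with a saved key. The server name tsmprod and the path /home/finance are assumptions; the /.../ element is the client's match-any-subdirectory wildcard in include and exclude patterns.

```
SErvername tsmprod
  passwordaccess generate
  encryptkey save
  include.encrypt /home/finance/.../*
```

passwordaccess generate is required because encryptkey save stores the key in the client password file; the first backup or archive prompts for the initial key password, and later operations reuse the stored one. Without an include.encrypt line the encryptkey setting has nothing to apply to.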

Syntax

               .-save-----.   
>>-ENCRYPTKey--+----------+------------------------------------><
               +-prompt---+   
               '-generate-'   

Parameters

save
The encryption key password is saved in the Tivoli Storage Manager client's password file (on Windows, in the Windows Registry). The client prompts for an initial encryption key password; after that, the saved password is used for backups and archives of files matching the include.encrypt specification, and it is retrieved from the password file on restore and retrieve operations. The password can be up to 63 characters in length. This is the default.

Windows, AIX, HP-UX, Linux, Oracle Solaris (does not apply to Mac OS X): When the save option is specified for an API application, the initial key password must be provided by the application in the dsmInitEx function call. The API itself does not prompt the user; it relies on the application to prompt the user as necessary.

Note: The following restrictions apply:
  • This option can only be used when passwordaccess generate is also specified.
  • The root user or a Tivoli Storage Manager authorized user must specify the initial encryption key password.
prompt
The management of the encryption key password is provided by the user. The user is prompted for the encryption key password when the Tivoli Storage Manager client begins a backup or archive, and is prompted for the same password when restoring or retrieving the encrypted file. This password can be up to 63 characters in length. Because the key is never stored by the client, a forgotten key means the encrypted data cannot be recovered.

Windows, AIX, HP-UX, Linux, Oracle Solaris (does not apply to Mac OS X): When the prompt option is specified for an API application, the key password must be provided by the application in the dsmInitEx function call. The API itself does not prompt the user; it relies on the application to prompt the user as necessary.

generate
An encryption key password is dynamically generated when the Tivoli Storage Manager client begins a backup or archive. This generated key password is used for the backups of files matching the include.encrypt specification. The generated key password is kept, in an encrypted form, on the Tivoli Storage Manager server and is returned to the client so that the file can be decrypted on restore and retrieve operations. Because the server holds the key and hands it back to the client, the protection that generate provides rests on the server's own access controls rather than on a secret known only to the client.
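The rules spread across this page (the allowed key-password characters and the 63-character limit, the requirement that encryptkey save be paired with passwordaccess generate, the API's rejection of enableclientencryptkey=yes combined with encryptkey prompt or save, and the warning that prompt stores no key) can be checked before a client configuration is rolled out. The following Python script is an added example, not IBM code: it parses dsm.sys-style option lines and applies those rules. Assumptions: lines whose first non-blank character is * are comments, option names are compared case-insensitively, passwordaccess defaults to prompt when it is absent, and the sample stanzas, server name and paths are constructed for the example.

```python
import re

# Character set and length the page documents for the encryption key password:
# letters A-Z/a-z, digits, plus, period, underscore, hyphen, ampersand;
# no national-language characters; at most 63 characters.
_ALLOWED_CHAR = re.compile(r"[A-Za-z0-9+._&-]")
MAX_KEY_LEN = 63


def validate_encryption_key_password(pw: str) -> list[str]:
    """Return the list of problems with pw (empty when it is acceptable)."""
    problems: list[str] = []
    if not pw:
        problems.append("empty")
    if len(pw) > MAX_KEY_LEN:
        problems.append(f"longer than {MAX_KEY_LEN} characters")
    bad = sorted({c for c in pw if not _ALLOWED_CHAR.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def parse_options(text: str) -> dict[str, list[str]]:
    """Parse 'option value' lines into {option: [values...]}, names lower-cased.
    Assumption: a line whose first non-blank character is '*' is a comment."""
    opts: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts


def _last(opts: dict[str, list[str]], name: str, default: str) -> str:
    """Last value given for an option (later lines win), lower-cased."""
    return opts[name][-1].lower() if opts.get(name) else default


def check_encryptkey(opts: dict[str, list[str]], api: bool = False) -> list[str]:
    """Apply the encryptkey restrictions documented on this page.
    api=True also applies the API-only enableclientencryptkey conflict rule."""
    findings: list[str] = []
    mode = _last(opts, "encryptkey", "save")  # save is the documented default
    if mode not in ("save", "prompt", "generate"):
        findings.append(f"encryptkey {mode!r} is not save, prompt or generate")
        return findings
    # Assumption: passwordaccess defaults to prompt when it is not set.
    if mode == "save" and _last(opts, "passwordaccess", "prompt") != "generate":
        findings.append("encryptkey save (explicit or defaulted) requires passwordaccess generate")
    if api and _last(opts, "enableclientencryptkey", "no") == "yes" and mode != "generate":
        findings.append(f"enableclientencryptkey yes conflicts with encryptkey {mode}; the API rejects this")
    if "include.encrypt" not in opts:
        findings.append("no include.encrypt pattern, so nothing is encrypted")
    if mode == "prompt":
        findings.append("note: encryptkey prompt stores no key; a forgotten key makes the data unrecoverable")
    return findings


# Constructed sample stanzas (server name and paths are assumptions).
GOOD_STANZA = """\
SErvername tsmprod
  passwordaccess generate
  encryptkey save
  include.encrypt /home/finance/.../*
"""

BAD_STANZA = """\
SErvername tsmprod
  passwordaccess prompt
  encryptkey save
"""

API_STANZA = """\
* dsm.opt for an API application (constructed sample)
enableclientencryptkey yes
encryptkey prompt
include.encrypt /var/app/data/*
"""

if __name__ == "__main__":
    for label, text, api in (("good", GOOD_STANZA, False),
                             ("bad", BAD_STANZA, False),
                             ("api", API_STANZA, True)):
        print(label, check_encryptkey(parse_options(text), api=api))
    print(validate_encryption_key_password("Backup+Key_2024.&-ok"))
```

Run it against the real dsm.sys or dsm.opt by reading the file into parse_options; pass api=True only for an options file used by an API application, since enableclientencryptkey is an API option and the conflict rule does not apply to the backup-archive client.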

Examples

Options file:
encryptkey prompt
Command line:
Does not apply.