https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198831#M96226 Thanks Andy, Steve,<BR /><BR />Thank you both for your help. I think I can figure it out from here. (But dont worry, if I cant, I'll be back)<BR /><BR />Dave. Mon, 14 Sep 2009 20:51:05 GMT The Brit 2009-09-14T20:51:05Z https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198825#M96220 I notice that when defining Keys for use with backups, the keys are stored in the "Key Storage Table" as logicals, and that the logicals can be Process, Job, Group or System level logicals.<BR /><BR /> I have three main questions.<BR /><BR />1. Does this mean that a backup tape must be restored (and decrypted) on the same node that backed it up??<BR /><BR />2. How do the Keys survive across system boots?? Are they stored in a file somewhere??<BR /><BR />3. If the answer to Q1 is "yes", then is it likely that there will be a "/Cluster" option in a future release??<BR /><BR />thanks.<BR /><BR />Dave.<BR /> Mon, 14 Sep 2009 10:51:01 GMT https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198825#M96220 The Brit 2009-09-14T10:51:01Z https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198826#M96221 1: No. If the key is known, the data can be decrypted. That sort of thing would greatly reduce the ability to decrypt data during DT recovery.<BR /><BR />2: Loaded keys do not "survive" reboot. Required keys need to be reloaded upon each reboot. "The key is available for use until the system is rebooted" (or until cleared).<BR /><BR />3: Ask HP.<BR /><BR />Here's the (old) read of the topic:<BR /><BR /><A href="http://h71000.www7.hp.com/doc/82final/6477/6477pro.pdf" target="_blank">http://h71000.www7.hp.com/doc/82final/6477/6477pro.pdf</A> Mon, 14 Sep 2009 12:02:07 GMT https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198826#M96221 Hoff 2009-09-14T12:02:07Z https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198827#M96222 We use a keys.com to define encryption keys. You'll need to save your key(s) for worst case scenario. The logicals are disabled in an encrypted state and don't appear in plain text. <BR /><BR />Your alternative is a manual process to define keys on following reboot. Define the the process and define who will access the key file. <BR /><BR />Would anyone else use Encryption in Save_Set_Manager? <BR /><BR />Andy Bustamante Mon, 14 Sep 2009 15:39:29 GMT https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198827#M96222 Andy Bustamante 2009-09-14T15:39:29Z https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198828#M96223 Andy,<BR /> would you be prepared to share the "keys.com" script?, either here, or privately. I can be contacted at; <BR /><BR />baxterd at TESSCO dot com.<BR /><BR />Thanks<BR /><BR />Dave. Mon, 14 Sep 2009 16:36:15 GMT https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198828#M96223 The Brit 2009-09-14T16:36:15Z https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198829#M96224 I'm putting up an obviously sanitized example. Depending on system, we either call keys.com from systartup_vms.com, or from a captive operator menu which submits encrypted backup jobs. Depending on the system we directly create encrypted backups or use save_set_manager to copy save sets then create encrypted copies of save_set(s) on disk. <BR /><BR />Don't forget to include your key(s) in off site planning and work out recovery.<BR /><BR />Andy Mon, 14 Sep 2009 20:30:44 GMT https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198829#M96224 Andy Bustamante 2009-09-14T20:30:44Z https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198830#M96225 It's just a DCL wrapper around a wad of ENCRYPT /CREATE_KEY commands, really. <BR /><BR />That DCL might be loaded in from external media, or decrypted from disk storage or otherwise.<BR /><BR />I might look to use a USB key disk here (or a removable storage brick) that's connected and mounted and accessed only during a typical sequenced bootstrap. With a clone located offsite. Mon, 14 Sep 2009 20:46:53 GMT https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198830#M96225 Hoff 2009-09-14T20:46:53Z https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198831#M96226 Thanks Andy, Steve,<BR /><BR />Thank you both for your help. I think I can figure it out from here. (But dont worry, if I cant, I'll be back)<BR /><BR />Dave. Mon, 14 Sep 2009 20:51:05 GMT https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198831#M96226 The Brit 2009-09-14T20:51:05Z https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198832#M96227 See above. Mon, 14 Sep 2009 20:51:50 GMT https://community.hpe.com/t5/operating-system-openvms/encryption-questions/m-p/5198832#M96227 The Brit 2009-09-14T20:51:50Z