Operating System - OpenVMS

Re: Encryption Questions

 
The Brit
Honored Contributor

Encryption Questions

I notice that when defining Keys for use with backups, the keys are stored in the "Key Storage Table" as logicals, and that the logicals can be Process, Job, Group or System level logicals.

I have three main questions.

1. Does this mean that a backup tape must be restored (and decrypted) on the same node that backed it up??

2. How do the Keys survive across system boots?? Are they stored in a file somewhere??

3. If the answer to Q1 is "yes", then is it likely that there will be a "/Cluster" option in a future release??

thanks.

Dave.
7 REPLIES
Hoff
Honored Contributor
Solution

Re: Encryption Questions

1: No. If the key is known, the data can be decrypted. That sort of thing would greatly reduce the ability to decrypt data during DT recovery.

2: Loaded keys do not "survive" reboot. Required keys need to be reloaded upon each reboot. "The key is available for use until the system is rebooted" (or until cleared).

3: Ask HP.

Here's the (old) read of the topic:

http://h71000.www7.hp.com/doc/82final/6477/6477pro.pdf
Andy Bustamante
Honored Contributor

Re: Encryption Questions

We use a keys.com to define encryption keys. You'll need to save your key(s) for worst case scenario. The logicals are disabled in an encrypted state and don't appear in plain text.

Your alternative is a manual process to define keys on following reboot. Define the process and define who will access the key file.

Would anyone else use Encryption in Save_Set_Manager?

Andy Bustamante
If you don't have time to do it right, when will you have time to do it over? Reach me at first_name + "." + last_name at sysmanager net
The Brit
Honored Contributor

Re: Encryption Questions

Andy,
Would you be prepared to share the "keys.com" script, either here or privately? I can be contacted at:

baxterd at TESSCO dot com.

Thanks

Dave.
Andy Bustamante
Honored Contributor

Re: Encryption Questions

I'm putting up an obviously sanitized example. Depending on system, we either call keys.com from systartup_vms.com, or from a captive operator menu which submits encrypted backup jobs. Depending on the system we directly create encrypted backups or use save_set_manager to copy save sets then create encrypted copies of save_set(s) on disk.

Don't forget to include your key(s) in off site planning and work out recovery.

Andy
If you don't have time to do it right, when will you have time to do it over? Reach me at first_name + "." + last_name at sysmanager net
Hoff
Honored Contributor

Re: Encryption Questions

It's just a DCL wrapper around a wad of ENCRYPT /CREATE_KEY commands, really.

That DCL might be loaded in from external media, or decrypted from disk storage or otherwise.

I might look to use a USB key disk here (or a removable storage brick) that's connected and mounted and accessed only during a typical sequenced bootstrap. With a clone located offsite.
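A sketch of the kind of key-loading procedure discussed in this thread, added here as an illustration; it is not Andy's keys.com or any HP-supplied code. The device name, volume label, file name and the `name|value` record layout are assumptions, and the procedure needs SYSNAM to create system-level keys.

```dcl
$! KEYS.COM (illustrative, not the script shared in the thread)
$! Reloads backup encryption keys after a reboot from a key file kept on
$! removable media, then dismounts the media again.
$!
$! Assumed key file layout, one key per line:   KEYNAME|key value text
$! Lines starting with "!" and blank lines are skipped.
$!
$ saved_verify = F$VERIFY(0)          ! never echo key values into the startup log
$ SET NOON                            ! handle errors explicitly below
$ key_dev  = "DNA0:"                  ! assumption: removable key disk
$ key_file = key_dev + "[KEYS]BACKUP_KEYS.DAT"   ! assumption: file name
$!
$ MOUNT /SYSTEM /NOWRITE 'key_dev' KEYVOL        ! KEYVOL = assumed volume label
$ IF .NOT. $STATUS THEN GOTO no_media
$ OPEN /READ /ERROR=no_file keys 'key_file'
$!
$next_key:
$ READ /END_OF_FILE=done keys record
$ IF record .EQS. "" THEN GOTO next_key
$ IF F$EXTRACT(0, 1, record) .EQS. "!" THEN GOTO next_key
$ name  = F$ELEMENT(0, "|", record)
$ value = F$ELEMENT(1, "|", record)
$ IF value .EQS. "|" THEN GOTO next_key          ! no delimiter: malformed record
$! /SYSTEM puts the key in the system key storage table so batch backup
$! jobs on this node can use it; it is gone again after the next reboot.
$! Values containing a double quote would need extra escaping.
$ ENCRYPT /CREATE_KEY /SYSTEM /AES 'name' "''value'"
$ IF .NOT. $STATUS THEN WRITE SYS$OUTPUT "KEYS: could not create key ", name
$ GOTO next_key
$!
$done:
$ CLOSE keys
$ DISMOUNT 'key_dev'
$ GOTO finish
$!
$no_file:
$ DISMOUNT 'key_dev'
$no_media:
$ WRITE SYS$OUTPUT "KEYS: key media or key file unavailable, no keys loaded"
$!
$finish:
$ DELETE /SYMBOL /LOCAL value                    ! do not leave key text in a symbol
$ DELETE /SYMBOL /LOCAL record
$ saved_verify = F$VERIFY(saved_verify)
$ EXIT
```

Protect the key file so only the account that runs the procedure can read it, and keep a copy of the media offsite, since a save set cannot be decrypted without the key value.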
The Brit
Honored Contributor

Re: Encryption Questions

Thanks Andy, Steve,

Thank you both for your help. I think I can figure it out from here. (But don't worry, if I can't, I'll be back)

Dave.
The Brit
Honored Contributor

Re: Encryption Questions

See above.