ADSM-L

TSM Client Encryption question

2006-09-04 17:30:13
Subject: TSM Client Encryption question
From: TSM_User <tsm_user AT YAHOO DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 4 Sep 2006 14:29:23 -0700
The default setting for ENCryptkey is "Save" which in Windows will store the 
encryption key in the registry.
   
  Let's say I have a file server where C:\ is the OS and D:\ is all my file 
data. I then use include.encrypt D:\...\* so that only the data on D:\ is 
encrypted.
   
  Then I perform a full server recovery using C:\ and systemstate. I would 
assume that the restored registry will now have the encryption key in it. As a 
result I would not be prompted for the encryption key when I then try to 
restore the D:\.
   
  I realize that this approach effectively means that someone could get our 
tapes, restore the TSM database, restore a server and then restore our data. 
However, if the reason for using encryption was so that the data would not be 
readable on the tape should a single tape fall into the wrong hands then this 
may be an approach that would help reduce the risk of losing the encrypt key 
itself.
   
  Now, before I get flamed I realize full well that key management when using 
encryption is paramount.  I'm just trying to wrap my mind around all the 
options here.
   
  For those of you who have begun implementing encryption into your backup 
strategy, what have you done for key management?  I know questions like this 
have been posted in the past but I want to see if there are any new ideas.
   
   

                