TSM Client Encryption question
2006-09-04 17:30:13
The default setting for ENCryptkey is "Save" which in Windows will store the
encryption key in the registry.
Let's say I have a file server where C:\ is the OS and D:\ is all my file
data. I then use include.encrypt D:\...\* so that only the data on D:\ is
encrypted.
Then I perform a full server recovery using C:\ and systemstate. I would
assume that the restored registry will now have the encryption key in it. As a
result I would not be prompted for the encryption key when I then try to
restore the D:\.
I realize that this approach effectively means that someone could get our
tapes, restore the TSM database, restore a server and then restore our data.
However, if the reason for using encryption was so that the data would not be
readable on the tape should a single tape fall into the wrong hands then this
may be an approach that would help reduce the risk of losing the encrypt key
itself.
Now, before I get flamed I realize full well that key management when using
encryption is paramount. I'm just trying to wrap my mind around all the
options here.
For those of you who have begun implementing encryption into your backup
strategy, what have you done for key management? I know questions like this
have been posted in the past but I want to see if there are any new ideas.
- TSM Client Encryption question, TSM_User