Encryption gets talked about quite a lot and an increasing number of businesses now find themselves placing it, along with a whole raft of other compliance issues, as another hot topic must-have. But what are the options for encryption and how do you go about it? And in the IBM i world, what can you encrypt?
There are two main areas where encryption arises: disk encryption and backup encryption. The first involves encrypting data ‘at rest’ on disk in either a complete file or specific fields. Backup encryption, predictably enough, involves encrypting data saved to tape cartridges.
Disk encryption is perhaps the simpler of the two. At i 6.1, data can be encrypted where it sits on the disk. There are third-party tools that allow encryption of specific fields in a file (where credit card numbers are stored, for example) but IBM’s own functionality can encrypt the whole file if needed.
However, there are a couple of issues with this. There is a performance hit in encrypting and decrypting the data to and from disk. Also, the data is decrypted whenever it is read, so disk encryption does not prevent an authorised user from accessing sensitive information. It does prevent the data from being used on another system when you dispose of the old disks, although this is not generally an issue on IBM i boxes with their single-level storage: the chances of pulling together any meaningful data from a bunch of old disks are in monkeys-and-works-of-Shakespeare-theory territory.
Turning to tape encryption, the options are, broadly, encryption appliances, software encryption and hardware encryption. Encryption appliances are devices that are placed between the system and the backup device to encrypt the data as it is passed to the tape. This may be a simple solution for many but does have some issues.
Firstly, the device is potentially a single point of failure and would typically reside in a one-to-one relationship with the system and drive. The appliance would also be a non-IBM device. I am not suggesting that third-party items are in some way inferior but many businesses would want to maintain an end-to-end IBM solution, especially for something as critical as encryption. Another issue may be that the tape drive tries to compress the encrypted data and typically encrypted data does not compress well (it is better to encrypt compressed data than the other way around) so cartridge usage may be increased.
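The compression point can be measured directly. The following is an added example, not code from the article or from any IBM product: it uses a constructed sample of fixed-width records, zlib as a stand-in for the drive's compression, and a SHAKE-256 keystream as a stand-in for the appliance's cipher (illustration only, with a constructed key and nonce).

```python
import hashlib
import zlib

KEY = b"constructed-demo-key"      # constructed value, not a real key
NONCE = b"constructed-nonce"       # constructed value


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher for illustration only: XOR with a SHAKE-256 keystream.
    The same call encrypts and decrypts. Not a vetted cipher."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def sample_save(records: int = 5000) -> bytes:
    """Constructed sample: fixed-width records, like a saved database file."""
    rows = (
        f"{i:08d}{'CUSTOMER ' + str(i % 97):<24}{'LONDON':<20}GB{(i * 37) % 10000:010d}\n"
        for i in range(records)
    )
    return "".join(rows).encode("ascii")


def compress_then_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Compress first, then encrypt: redundancy is removed before it is hidden."""
    return keystream_xor(key, nonce, zlib.compress(data, 6))


def encrypt_then_compress(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Appliance in front of a compressing drive: the drive sees only ciphertext."""
    return zlib.compress(keystream_xor(key, nonce, data), 6)


def restore(blob: bytes, key: bytes, nonce: bytes) -> bytes:
    """Reverse compress_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, nonce, blob))


def cartridge_usage(data: bytes, key: bytes, nonce: bytes) -> dict:
    """Bytes that would reach the cartridge under each ordering."""
    return {
        "raw": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data, key, nonce)),
        "encrypt_then_compress": len(encrypt_then_compress(data, key, nonce)),
    }


if __name__ == "__main__":
    for name, size in cartridge_usage(sample_save(), KEY, NONCE).items():
        print(f"{name:>22}: {size} bytes")
```
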
Software encryption is available within IBM i 6.1 via Backup Recovery Media Services (BRMS) where BRMS manages the volumes that require encryption and keeps track of those volumes and associated keys. An additional option of the OS is required (Opt 44 – Encrypted Backup Enablement) which is priced according to software group, plus some extra PTFs to provide the necessary tape format options for encryption. Obviously, i 6.1 and BRMS are prerequisites as is a sound disaster recovery solution that can replicate the keys and restore encrypted backups.
Hardware encryption is done via the backup device and therefore overcomes a number of key issues above. Neither i 6.1 nor BRMS is necessarily required, the solution is ‘true Blue’ end-to-end, and multiple systems and drives may be included in an integrated solution such as a tape storage area network (SAN).
Only certain tape drives support native encryption: IBM LTO4 devices (Fibre or SAS, not SCSI) and IBM TS1120/1130 (3592) devices. The LTO4 options are only the upper-end devices – TS2900, 3100, 3200 and bigger libraries. The less expensive stand-alone drives do not provide the functionality. LTO4 media is also required.
As a brief history, TS11xx drives are the latest versions of what was the 3592 drive which replaced the 3590 Magstar. The 3592 was renamed the TS1120 in its second generation (also known as the 3592-E05) and these devices support encryption either as standard or as an upgrade feature (chargeable, of course) depending on their shipping date. All the latest TS1130 (3592-E06) drives have encryption as standard at no additional charge. Encryption is only available for these drives when installed in TS3400 or TS3500 (or older 3494) libraries but not when installed as stand-alone devices. In addition, the library must be specified as (or upgraded to) encryption-capable.
One important element of the hardware encryption solution is the key manager. IBM offers a couple of options, the Enterprise Key Manager (EKM) or the newer Tivoli Key Lifecycle Manager (TKLM). The TKLM is software that runs on a separate server and manages the issuing of keys to the backup devices as needed. TKLM runs under Windows, AIX, Linux or z/OS but, unfortunately, not IBM i. No doubt it could run in an AIX or Linux partition. What is critical, though, is ensuring the key manager is replicated to another server, preferably at a remote location alongside your DR or HA system.
Obviously, recovering at your backup site from encrypted tape without any encryption keys is going to be a challenge so it is important to back up your key manager. But do not use encryption for this save. It may be obvious, but if the key manager holds the keys to your backup and you need to restore the key manager...well, you can work out the rest.
So if your business requires or, in some cases, demands encryption there are options available to you, primarily system- or library-managed encryption, but each of these has its own requirements.
System-managed requires i 6.1, BRMS and the Encrypted Backup Enablement feature. Library-managed requires certain tape libraries, features of which may be over-the-top in terms of complexity and cost for many. Furthermore, encryption is only available on the newer devices that require later operating system versions and this may be an impediment to some.
If your business sees encryption as a must-have then the solution is available that addresses it. But it is a project that is going to require some financial investment in hardware and software and in time to implement. Equally, it requires a shift in thinking at an operational level to ensure that, having expended time, energy and money on encrypting your backups, you can actually recover your business from them.
Richard Field has worked in the IBM midrange market for over 20 years and is now a director of consultancy business Power Consulting (http://www.powerconsult.org.uk) providing technical skills around IBM Power i, in particular solution design and planning services, plus specialism in areas such as system resilience and high availability. You can contact him on 08456 435575 or at Richard.field@powerconsult.org.uk