Cornell University

Encryption of Backup Data (EZ-Backup)

This article applies to: EZ-Backup

This article describes the process of backing up encrypted files. There is a separate article describing backing up CyberAngel and TrueCrypt encrypted volumes.

This does not apply to Whole-Disk Encryption (WDE). If you use WDE, no special procedures are needed, assuming you have entered the WDE password or passphrase when booting up the drive.

Determining What to Encrypt

According to University Policy 5.10 Information Security, “The integration of information technologies in virtually every aspect of transmission and storage of institutional information requires responsible administrative, technical, and physical security practices and standards.”

As backups of files are both transmitted and stored, any files containing confidential data (as defined by policy 5.10) should be backed up in an encrypted form. In addition, files that are considered confidential by departmental or funding source policy should be backed up in an encrypted form.

Planning How to Encrypt

To encrypt files as part of an automated backup:

  • Note that files that have already been backed up require special handling (see below).
  • The EZ-Backup Team doesn’t recommend encrypting operating system and application files: the overhead of encrypting and decrypting them isn’t justified by the low risk that such readily available files pose.
  • If a FILE or a FOLDER is encrypted via a product such as Symantec File Share Encryption, then it will be backed up in the encrypted form without additional handling. Note that this does NOT include files and folders on disks protected by Whole Disk Encryption.
  • Specify which files you want to encrypt using the include.encrypt option.
  • Specify how to manage the encryption key using the Encryptkey option.
    • Note that, by University Policy 5.3, the key must be managed on the client side.
    • Note that, if you want to do scheduled backups, you need to use the SAVE or GENERATE options (TSM v5.5 and later).
  • Specify the encryption type; the default is AES128, but DES56 can be used via the encryptiontype option.

Assume for this document that:

  • the files to be encrypted are in
    • (Windows platforms) the C:\Documents and Settings\UserID\My Documents\Encrypted folder
    • (Unix platforms, including Macintosh and Linux) the /Users/Documents/Encrypted/ folder
  • the encryption key will be saved on the system (as this system runs scheduled backups)
  • the default Encryption type is used
  • In addition, these files are currently being backed up (in an unencrypted manner).

Configuring the TSM client to Encrypt

Windows

The following processing options must be added to the dsm.opt file on that system, either by editing the file or via the TSM GUI client’s Preferences Editor (Authorization Tab, Include/Exclude Tab):

EncryptionType AES128

EncryptKey Save

(If doing this edit manually, we recommend putting these statements in the top section of the file, in the section with the TCPSERVERAddr, TCPPort and NODEName specifications.)

Next, if necessary, add the appropriate INCLUDE statement to include the files in the backup (the INCLUDE.ENCRYPT statement is NOT an implicit INCLUDE statement). Such an INCLUDE statement must be properly placed.

Then, add the appropriate INCLUDE.ENCRYPT/EXCLUDE.ENCRYPT statements; for the example given above, this would be

INCLUDE.ENCRYPT "C:\Documents and Settings\UserID\My Documents\Encrypted\*"

This statement can be placed at the bottom of the existing INCLUDE/EXCLUDE list.

After making the changes to the dsm.opt file, be sure to restart the scheduler service if the system is configured for automated backup.

UNIX Platforms (including Macintosh and various Linux distributions)

The following processing options must be added to the dsm.sys file on that system, either by editing the file or via the TSM GUI client's Preferences Editor (Authorization Tab, Include/Exclude Tab):

EncryptionType AES128

EncryptKey Save

(If doing this edit manually, we recommend putting these statements in the top section of the file, in the section with the TCPSERVERAddr, TCPPort and NODEName specifications.)

(If the dsm.sys has multiple server stanzas, then these statements must be inserted into each of the stanzas for which encryption is desired).

Next, if necessary, add the appropriate INCLUDE statement to include the files in the backup (the INCLUDE.ENCRYPT statement is NOT an implicit INCLUDE statement). Such an INCLUDE statement must be properly placed.

Then, add the appropriate INCLUDE.ENCRYPT/EXCLUDE.ENCRYPT statements; for the example given above, this would be

INCLUDE.ENCRYPT "/Users/Documents/Encrypted/*"

This statement can be placed at the bottom of the existing INCLUDE/EXCLUDE list.

After making the changes to the dsm.sys file, be sure to restart the scheduler service if the system is configured for automated backup.
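As an added example, not EZ-Backup or IBM code, the following Python models how the TSM client applies the option file described in the Windows and Unix sections above: INCLUDE/EXCLUDE rules are evaluated from the bottom of the list upward with the first match winning, and the INCLUDE.ENCRYPT/EXCLUDE.ENCRYPT list is consulted only for files already selected for backup, which is why INCLUDE.ENCRYPT is not an implicit INCLUDE. The sample option file, folder names and file paths are constructed, a single stanza is assumed, and the wildcard handling is a simplification of TSM’s.

```python
import re

SAMPLE_DSM_OPT = r'''
EncryptionType AES128
EncryptKey Save
EXCLUDE "C:\Documents and Settings\UserID\My Documents\Encrypted\scratch\*"
INCLUDE "C:\Documents and Settings\UserID\My Documents\*"
INCLUDE.ENCRYPT "C:\Documents and Settings\UserID\My Documents\Encrypted\*"
'''

def parse_options(text):
    """Return (options dict, include/exclude rules in file order) from a dsm.opt-style text."""
    options, rules = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("*"):          # blank or comment line
            continue
        keyword, _, rest = line.partition(" ")
        keyword, rest = keyword.upper(), rest.strip().strip('"')
        if keyword.startswith(("INCLUDE", "EXCLUDE")):
            rules.append((keyword, rest))
        else:
            options[keyword] = rest.upper()
    return options, rules

def tsm_regex(pattern):
    # '*' and '?' stay within one path component; '...' spans any number of directories
    table = {"...": ".*", "*": r"[^\\/]*", "?": r"[^\\/]"}
    parts = re.split(r"(\.\.\.|\*|\?)", pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + "$", re.IGNORECASE)

def classify(path, rules):
    """Return (backed_up, encrypted) for one file under the given rules."""
    def first_match(keywords):                        # bottom-up scan, first matching rule wins
        for keyword, pattern in reversed(rules):
            if keyword in keywords and tsm_regex(pattern).match(path):
                return keyword
        return None
    backed_up = first_match(("INCLUDE", "EXCLUDE")) != "EXCLUDE"   # default: not excluded => backed up
    # the encrypt list is consulted only for files already selected for backup
    encrypted = backed_up and first_match(("INCLUDE.ENCRYPT", "EXCLUDE.ENCRYPT")) == "INCLUDE.ENCRYPT"
    return backed_up, encrypted

def check_options(options):
    """Findings against the settings this article requires for scheduled encrypted backups."""
    problems = []
    if options.get("ENCRYPTIONTYPE", "AES128") != "AES128":
        problems.append("EncryptionType should be AES128 (the default) rather than DES56")
    if options.get("ENCRYPTKEY") not in ("SAVE", "GENERATE"):
        problems.append("EncryptKey must be SAVE or GENERATE for unattended scheduled backups")
    return problems
```

A file under the excluded scratch folder comes back as neither backed up nor encrypted even though it matches the INCLUDE.ENCRYPT pattern, which is the trap the two INCLUDE paragraphs warn about.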

Performing the First Backup

There is one more step that must take place. The change to the INCLUDE.ENCRYPT statement does NOT automatically include the impacted files in the next backup. The TSM client first decides whether a file should be backed up (Are there any applicable EXCLUDE rules? Has the file changed?), and only after the TSM client has selected a file for backup does the TSM client check to see if the file should be encrypted.

So, you have to get the TSM client to include the files in the next backup so they can be properly encrypted. There are three ways to do this:

  1. Touch all the files to be encrypted. This changes the timestamp on the files and leaves the older versions on the TSM server in an unencrypted state (for as long as the retention of inactive versions specifies, usually 30 days).
  2. Delete all the versions of the files on the TSM server (using the “Utilities -> Delete Backup Data” feature of the GUI client, or the “delete ” command via the command line client). This ensures there is no unencrypted data on the TSM server, but no older versions of the files could be restored.
  3. Do a “selective” backup of the files to be encrypted; such a backup selects all files that aren’t covered by an EXCLUDE rule, whether or not they have changed. This results in the most recent, or active, version of each file being encrypted on the TSM server, but leaves the older versions on the TSM server in an unencrypted state (for as long as the retention of inactive versions specifies, usually 30 days).

Verifying the Results

To verify that the file(s) are being encrypted, issue a “query backup -detail -” command using the BackupArchive Command Line client (there is no way to view this information via the BackupArchive GUI client at this time). On Windows systems, there is a Start menu item to run the BackupArchive Command Line client in the same folder (“Tivoli Storage Manager”) as the BackupArchive GUI client. On Unix systems (including Macintosh), the BackupArchive Command Line client can be invoked from a shell session as “dsmc”.

Continuing with the example in this document, after the backup of the files in encrypted fashion has completed, the following command could be issued from within the BackupArchive Command Line client:

query backup "C:\Documents and Settings\UserID\My Documents\Encrypted\*" -detail -traceflags=query

The resulting output shows that the files are indeed encrypted:

     Size      Backup Date        Mgmt Class A/I File
     ----      -----------        ---------- --- ----
   61,955  B  03/27/2009 07:30:18  DEFAULT    A  \\mysystem\c$\Documents and Settings\UserID\My Documents\Encrypted\file1
        Modified: 03/25/2009 12:54:24  Created: 03/27/2009 07:25:51
        Compressed: YES  EncryptType: IBM_56BIT_DES
      237  B  03/27/2009 07:27:26  DEFAULT    A  \\mysystem\c$\Documents and Settings\UserID\My Documents\Encrypted\file1
        07:26:23
        Compressed: YES  EncryptType: IBM_128BIT_AES
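Checking one file by eye does not scale to a whole folder, and the touch and selective-backup approaches from the previous section deliberately leave older, inactive versions unencrypted. The following added Python (not EZ-Backup or IBM code) parses constructed output shaped like the listing above and reports every stored version, active or inactive, whose EncryptType is not AES128; the sample listing and the value “NONE” for an unencrypted version are assumptions.

```python
import re

# Constructed sample shaped like 'dsmc query backup <pattern> -detail' output; not a real capture.
# The EncryptType value "NONE" for an unencrypted version is an assumption.
SAMPLE_QUERY_OUTPUT = r"""
     Size      Backup Date        Mgmt Class A/I File
     ----      -----------        ---------- --- ----
   61,955  B  03/27/2009 07:30:18  DEFAULT    A  \\mysystem\c$\Documents and Settings\UserID\My Documents\Encrypted\file1
        Modified: 03/25/2009 12:54:24  Created: 03/27/2009 07:25:51
        Compressed: YES  EncryptType: IBM_56BIT_DES
      237  B  03/27/2009 07:27:26  DEFAULT    I  \\mysystem\c$\Documents and Settings\UserID\My Documents\Encrypted\file2
        Modified: 03/26/2009 09:10:00  Created: 03/27/2009 07:26:23
        Compressed: YES  EncryptType: IBM_128BIT_AES
    4,096  B  03/20/2009 02:00:00  DEFAULT    A  \\mysystem\c$\Documents and Settings\UserID\My Documents\Encrypted\file3
        Modified: 03/19/2009 18:00:00  Created: 03/20/2009 01:59:59
        Compressed: NO  EncryptType: NONE
"""

# One header line per stored version: size, unit, backup date/time, management class, A/I flag, path.
ENTRY_RE = re.compile(r"^\s*([\d,]+)\s+B\s+(\S+ \S+)\s+(\S+)\s+([AI])\s+(.*)$")
ENCRYPT_RE = re.compile(r"EncryptType:\s*(\S+)")

def parse_query_output(text):
    """Return one dict per backed-up version with its path, active flag and EncryptType."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"size": int(m.group(1).replace(",", "")), "date": m.group(2),
                       "active": m.group(4) == "A", "path": m.group(5).strip(), "encrypt": None}
            entries.append(current)
        elif current is not None:
            m = ENCRYPT_RE.search(line)      # detail line that follows the version's header line
            if m:
                current["encrypt"] = m.group(1)
    return entries

def unencrypted_versions(entries, expected="IBM_128BIT_AES"):
    """Versions still held on the server that are not encrypted with the expected algorithm."""
    return [(e["path"], "active" if e["active"] else "inactive", e["encrypt"])
            for e in entries if e["encrypt"] != expected]
```

Feed it the saved output of the query command for the whole encrypted folder; an empty result means no version on the server, active or inactive, remains outside AES128 encryption.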
