iCan Blog Archive

Encrypt my Backups with BRMS

by | Jun 28, 2010 | BRMS, Security | 0 comments

What is software encryption with BRMS? 

Simply said, it’s a way to encrypt your data to tape, via Backup, Recovery and Media Services (BRMS) without special hardware! A great option for those who don’t want to purchase the hardware option (tape drives that do the encryption) and only have small amounts of data to encrypt. Users who have large amounts of data that need to be encrypted should look at the hardware option for encryption.

How do you get this feature?

You must purchase the following products:

  • BRMS Advanced Functions Feature (5770-BR1 Option 2) 
    This assumes that the base BRMS product is already installed. If not, then you’ll also need 5770-BR1 Base and the MSE product 5770-SS1 Option 18, Media and Storage Extensions.
  • Encrypted Backup Enablement (5770-SS1 Option 44)

Got the products, now where do I start?

Once you have these products installed, then you have to set up your keys via the key management tools. These tools are available through commands or the Navigator for i Web console. Using these tools, you’ll need to set up and create a keystore file named Q1AKEYFILE in the BRMS user library QUSRBRM. Ensure that the file name is exactly as stated here. It’s case sensitive, so use uppercase. This will be the only file that the BRMS function will look for the encryption key. And since it resides in the BRMS user library, it will get backed up when doing a full QUSRBRM save, which should be a part of your BRMS backup strategy. 

Important!

Understanding the cryptographic key management on IBM i is extremely important. Any mismanagement of these keys could result in lost data, since the data can only be restored with these keys. If the keys were lost or corrupted, then the data on tape would be useless. Refer to cryptographic services key management to clearly understand the importance of these master keys as well as the required steps to ensure your data is truly encrypted and recoverable. 

To locate the topic in the Knowledge Center, expand Security > Cryptography .

Keystore file has been created. What’s next?

Once the keystore file has been created, then the BRMS media policy that will be used for backup needs to be set for encryption. In a BRMS media policy there are four parameters; Encrypt data, Keystore file, Keystore library, and Key record label. Simply specify *YES for Encrypt data, and fill in the keystore file information. Remember, currently BRMS only accepts one keystore file (QUSRBRM/Q1AKEYFILE) for backup and that will already be filled in for you. Trying to change it to another keystore file will cause an error. The Key record label is the one parameter you must fill in. The Key record label parameter specifies a unique identifier of a key record in a keystore file. You should have created this label when you created the keystore file. 

Below is an example of the parameters you will see in the media policy:

1Medpcy

Once you have a media policy that supports encryption, you can specify it on any of the BRMS save commands. This will then encrypt the items being saved. The SAVSAVFBRM and DUPMEDBRM also support this type of media policy. You will have the capability to encrypt save file data onto media, just by specifying a media policy that supports encryption. 

Also, if you would rather not encrypt your data during your backup, but would like to encrypt the data when you duplicate it to other media, simply specify a media policy that supports encryption on the media policy parameter on the DUPMEDBRM command. 

Additional customization in the control group

In addition to all the ways you may encrypt data, further controls have also been provided in the backup and archive control groups that allow you to enable and disable encryption for each save item. This control has been made on the Edit option for control groups. When editing your control group, there is a new Advanced backup controls display, that gives you an Encrypt column, to encrypt or not encrypt a specific entry within the control group. 

The following is an example of this new control:

2ctlg

What happens on the recovery for these encrypted saves?

The BRMS database is updated with information on encrypted saves, so the knowledge is there when a key is needed to decrypt. BRMS also relies on the user to specify what keystore file to use for decrypting on the restore. The user can rely on the keystore file that was used on the save or specify the keystore file name in the BRMS Recovery policy. Even though the original backup would have used the standard BRMS QUSRBRM/Q1AKEYFILE, there may be instances where the BRMS keystore file had to be migrated or changed, and will have a new file name. Because of those instances, BRMS wanted to ensure the user had the capability to restore the data from renamed keystore files. 

Below is an example of the Recovery policy encryption parameters:

3rcypcy

BRMS also shows the backed up items as encrypted in the WRKMEDIBRM display and also on the BRMS Recovery report.

Example screen shot of the WRKMEDIBRM display that shows encrypted backed up libraries:

4wrkmedi

BRMS Recovery report and Volume Summary report, shows what items are encrypted and what volumes on the recovery report have encrypted data. 

5rcyrpt

Notice that the Key Record Label can differ on one volume and the report lists them.

6rcyvol

Are there any restrictions with this function?

Yes, there are restrictions in what data you can encrypt and what device you can encrypt to. They include: 

  1. *IBM, *SAVSYS, *SAVSECDTA, *SAVCFG and any libraries beginning with the letter Q are not allowed to be encrypted in BRMS.
  2. Be aware of a possible performance impact when encrypting data. ***Performance metrics are available on the BRMS webpage.
  3. BRMS does not support encryption on optical or virtual optical devices.

That’s how to do software encryption with BRMS!

This is a great solution for those customers with small amounts of data that need to be encrypted since it requires no special drive, and can be used to not only physical tape drives but also virtual tape drives. For more step-by-step information on setting BRMS media polices and control groups, refer to the Software Encryption section of Chapter 7: Tailoring your backup chapter in the Backup, Recovery, and Media Services for i publication (SC41-5345). Also check out our BRMS website for updated information.

Kristi Harney wrote this blog article. Kristi is a software developer for the IBM i strategic backup product, BRMS. She has been working on the BRMS development team for 12 years and has helped educate many new and existing users of BRMS on product features and usage. Thanks, Kristi!

This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.