In releases IBM i 6.1 and later, it is possible to do encrypted backups using software encryption with BRMS.
To set up the environment, it is necessary to create a master key, create a key store file, generate a key store file entry, and then create or change a media policy that will use the environment created.
To create all the above from green screen, you can do the following:
- Add master key part:
ADDMSTPART MSTKEY(1) PASSPHRASE('put your passphrase here')
- Set master key:
SETMSTKEY MSTKEY(1)
NOTE: It is possible to check the master key verification value (KVV) with the command CHKMSTKVV MSTKEY(1) VERSION(*CURRENT)
- Create keystore file:
CRTCKMKSF KEYSTORE(QUSRBRM/Q1AKEYFILE) MSTKEY(1) AUT(*LIBCRTAUT)
NOTES:
- Only the AES key type is supported for tape encryption.
- As indicated in Backup, Recovery, and Media Services for i5/OS, SC41-5345-06, the only valid key store file is Q1AKEYFILE, and it must exist in library QUSRBRM. This ensures that when saving media information using your control group or the SAVMEDIBRM command, the key file is also saved.
- Generate keystore file entry:
GENCKMKSFE KEYSTORE(QUSRBRM/Q1AKEYFILE) RCDLBL(BRMSTEST) KEYTYPE(*AES) KEYSIZE(32)
NOTES:
- Record label (RCDLBL) must be in capital letters; otherwise, the save will end with message CPF670A - Incorrect encryption key information specified.
- The AES key length (128, 192, or 256 bits) is controlled by the KEYSIZE value specified on the GENCKMKSFE command (key size in bytes):
- 16 = 128 bit
- 24 = 192 bit
- 32 = 256 bit
- Create a media policy specifying the following parameters:
Encrypt Data . . . . . . . . . : *YES
Key store file . . . . . . . . : Q1AKEYFILE
Key store library. . . . . . . : QUSRBRM
Key record label . . . . . . . : BRMSTEST
The steps above are the minimum required to set up the encryption environment. If you use a control group, it is also necessary to specify that an encrypted save should be performed. To do that, edit the control group and press F11 two times to see the encrypt parameter for each entry specified.
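As an added example, not from the IBM document, a small Python helper that encodes the notes above (key store QUSRBRM/Q1AKEYFILE, the valid KEYSIZE values, the upper-case record label) to check a planned setup before the commands are typed on the system, and then emits the CL commands in the order given; the EncryptionSetup class, the function names and the passphrase placeholder are assumptions of mine.

```python
from dataclasses import dataclass

# KEYSIZE is given in bytes; the resulting AES key length is in bits.
AES_KEY_SIZES = {16: 128, 24: 192, 32: 256}
# BRMS saves the key store together with the media information only for this file.
REQUIRED_KEYSTORE = ("QUSRBRM", "Q1AKEYFILE")

@dataclass(frozen=True)
class EncryptionSetup:  # hypothetical container for the planned values
    master_key_id: int
    record_label: str
    key_size: int
    keystore_lib: str = "QUSRBRM"
    keystore_file: str = "Q1AKEYFILE"

def aes_bits(key_size: int) -> int:
    """Translate a KEYSIZE value (bytes) into the AES key length in bits."""
    return AES_KEY_SIZES[key_size]

def validate(setup: EncryptionSetup) -> list:
    """Return the problems that would otherwise surface only when the save runs."""
    problems = []
    if setup.record_label != setup.record_label.upper():
        problems.append(f"RCDLBL {setup.record_label!r} is not upper case; "
                        "the save would end with CPF670A")
    if setup.key_size not in AES_KEY_SIZES:
        problems.append(f"KEYSIZE {setup.key_size} is not valid for *AES; use 16, 24 or 32")
    if (setup.keystore_lib.upper(), setup.keystore_file.upper()) != REQUIRED_KEYSTORE:
        problems.append("key store must be QUSRBRM/Q1AKEYFILE so that SAVMEDIBRM saves it too")
    return problems

def build_commands(setup: EncryptionSetup) -> list:
    """Return the CL commands in execution order; refuse a setup that fails validate()."""
    problems = validate(setup)
    if problems:
        raise ValueError("; ".join(problems))
    mk, ks = setup.master_key_id, f"{setup.keystore_lib}/{setup.keystore_file}"
    return [
        # Placeholder only: the passphrase is entered at the terminal, never stored here.
        f"ADDMSTPART MSTKEY({mk}) PASSPHRASE('<passphrase>')",
        f"SETMSTKEY MSTKEY({mk})",
        f"CHKMSTKVV MSTKEY({mk}) VERSION(*CURRENT)",
        f"CRTCKMKSF KEYSTORE({ks}) MSTKEY({mk}) AUT(*LIBCRTAUT)",
        f"GENCKMKSFE KEYSTORE({ks}) RCDLBL({setup.record_label}) "
        f"KEYTYPE(*AES) KEYSIZE({setup.key_size})",
    ]
```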
Additional Information:
Using the WRKMEDIBRM command followed by F11 three times, you can see whether a backup was performed using software encryption.
CPF670A with condition code 4 is received if 57xxSS1 option 44 (Encrypted Backup Enablement) is not installed.