In releases IBM i 6.1 and later, it is possible to do encrypted backups using software encryption with BRMS.
To set up the environment, it is necessary to create a master key, create a key store file, generate a key store file entry, and then create or change a media policy that will use the environment created.
To create all the above from green screen, you can do the following:
- Add master key part:
ADDMSTPART MSTKEY(1) PASSPHRASE
(put your Passphrase here) - Set master key:
SETMSTKEY MSTKEY(1)
NOTE: It is possible to check master key (KVV) with command CHKMSTKVV MSTKEY(1) VERSION(*CURRENT)
- Create keystore file:
CRTCKMKSF KEYSTORE(QUSRBRM/Q1AKEYFILE) MSTKEY(1) AUT(*LIBCRTAUT)
NOTES:
- As indicated in Backup, Recovery, and Media Services for i5/OS, SC41-5345-06, the only valid key store file is Q1AKEYFILE, and it must exist in library QUSRBRM. This ensures that when saving media information using your control group or the SAVMEDIBRM command, the key file is also saved.
Then generate keystore file entry:
GENCKMKSFE KEYSTORE(QUSRBRM/Q1AKEYFILE) RCDLBL(BRMSTEST) KEYTYPE(*AES) KEYSIZE(32)
NOTES:
- Record label (RCDLBL) must be in capital letters; otherwise, the save will end with message CPF670A - Incorrect encryption key information specified.
- The type of AES (128, 192, or 256 bits) is controlled by the options selected when the key store file is created (KEYSIZE) :
- 16 = 128 bit
- 24 = 192 bit
- 32 = 256 bit
Create Media Policy specifying the following parameters:
Encrypt Data . . . . . . . . . : *YES Key store file . . . . . . . . : Q1AKEYFILE Key store library. . . . . . . : QUSRBRM Key record label . . . . . . . : BRMSTEST
These above steps are the minimum steps required to set up the encryption environment. If you will use a control group, it is also necessary to specify that an encrypted save should be performed. To do that, edit the control group and press F11 two times to see the encrypt parameter for each entry specified.
Additional Information:
Using the command WRKMEDIBRM
followed by F11 three times, it is possible to see if the backup was performed using software encryption or not.
CPF670A with condition code 4 will be received if 57xxSS1 option 44 - Encrypted Backup Enablement is not installed.