Setting Up BRMS to Use Software-based Encryption

Owned by Kathy Kurth
Last updated: Oct 23, 2023 by Peter Lafler
2 min read
Setting up software-based encryption in your BRMS network

In releases IBM i 6.1 and later, it is possible to do encrypted backups using software encryption with BRMS.

To set up the environment, it is necessary to create a master key, create a key store file, generate a key store file entry, and then create or change a media policy that will use the environment created.

To create all the above from green screen, you can do the following:

  • Add master key part: ADDMSTPART MSTKEY(1) PASSPHRASE (put your Passphrase here)
  • Set master key: SETMSTKEY MSTKEY(1)

    NOTE: It is possible to check master key (KVV) with command CHKMSTKVV MSTKEY(1) VERSION(*CURRENT)

  • Create keystore file: CRTCKMKSF KEYSTORE(QUSRBRM/Q1AKEYFILE) MSTKEY(1) AUT(*LIBCRTAUT)

    NOTES:

  1. Only the AES key type is supported for tape encryption.
  2. As indicated in Backup, Recovery, and Media Services for i5/OS, SC41-5345-06, the only valid key store file is Q1AKEYFILE, and it must exist in library QUSRBRM.  This ensures that when saving media information using your control group or the SAVMEDIBRM command, the key file is also saved.

Then generate keystore file entry:  

GENCKMKSFE KEYSTORE(QUSRBRM/Q1AKEYFILE) RCDLBL(BRMSTEST) KEYTYPE(*AES) KEYSIZE(32)

    NOTES:

  1. Record label (RCDLBL) must be in capital letters; otherwise, the save will end with message CPF670A - Incorrect encryption key information specified.
  2. The type of AES (128, 192, or 256 bits) is controlled by the options selected when the key store file is created (KEYSIZE):
    • 16 = 128 bit 
    • 24 = 192 bit
    • 32 = 256 bit

Create Media Policy specifying the following parameters:   

Encrypt Data . . . . . . . . . : *YES
Key store file . . . . . . . . : Q1AKEYFILE
Key store library. . . . . . . : QUSRBRM
Key record label . . . . . . . : BRMSTEST


These above steps are the minimum steps required to set up the encryption environment.  If you will use a control group, it is also necessary to specify that an encrypted save should be performed.  To do that, edit the control group and press F11 two times to see the encrypt parameter for each entry specified.

Additional Information:  

Using the command WRKMEDIBRM followed by F11 three times, it is possible to see if the backup was performed using software encryption or not.
CPF670A with condition code 4 will be received if 57xxSS1 option 44 - Encrypted Backup Enablement is not installed.

Privacy Policy | Cookie Policy | Impressum
From time to time, this website may contain technical inaccuracies and we do not warrant the accuracy of any posted information.
Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.