Encrypting Data in BRMS

Information about using encryption with BRMS

Hardware Encryption

BRMS supports tape drives that use hardware encryption to encrypt save data.  Because the data is encrypted by the device, this type of encryption does not require any special configuration of the BRMS product.  However, the tape hardware must be configured before the backup/recovery to ensure the proper encryption/decryption of the save data.  Hardware encryption does not cause performance degradation during BRMS backups.

NOTES:

  1. Hardware encryption is only available on tape drives that specifically support it, such as LTO4, LTO5, LTO6, LTO7, TS1120, TS1130, TS1140, TS1150, TS1155 or TS1160.
  2. Hardware encryption is only supported on tape drives that are in a tape media library with Library Managed Encryption (LME) enabled.
  3. Hardware encryption is not available for saves to optical drives, RDX drives, save files or Tivoli Storage Manager servers.

Software Encryption 

BRMS supports using IBM i system resources to encrypt save data before it is written to physical or virtual tape.  BRMS saves to tape use the Encrypt data field in a BRMS media policy to indicate whether the save software should encrypt the data before it is written to the tape media.  The IBM i system must be configured before the backup/recovery to ensure the proper encryption/decryption of the save data.  Because software encryption requires additional system resources, save/restore performance may be affected.

BRMS offers a software-based encryption function. Here is some information about this function:

  • To use this function, customers need the BRMS Advanced Feature (57xx-BR1 option 2) and i5/OS Encrypted Backup Enablement (57xx-SS1 option 44).
  • The encryption offered is software-based and can write saves to any tape drive, not just the encryption-capable tape drives. If the customer has an encryption-capable tape drive, its encryption features are not used for BRMS-based software encryption. Customers should leave the tape drive's encryption turned off; otherwise they will double-encrypt their tapes.
  • NOTE: Only the AES key type is supported for tape encryption.
  • BRMS-based software encryption will likely require more tapes (possibly 3 times as much media), because encrypted data does not compact very well.
  • The following objects cannot be encrypted: *SAVSYS, *SAVSECDTA, *SAVCFG, *IBM, and any library whose name starts with Q.
  • IBM i and BRMS do not support software encryption when saving to save files, optical devices or virtual optical devices.
  • Encryption is specified in the media policy and can be turned on/off per backup item in the control group.
  • The customer is responsible for managing the keys via the encryption functions in the operating system. The keystore is placed in the QUSRBRM library so BRMS can back it up for you. The BRMS screens and recovery reports indicate the key store file and key record label used for each save.
  • By default, AES-128 (bits) is used for encryption. The following command can be used to determine which AES key size is in use:
    • DSPCKMKSFE KEYSTORE(QUSRBRM/Q1AKEYFILE) RCDLBL(xxxxxxxxxxxx). The key size is displayed in bytes.
    • The AES key size (128, 192, or 256 bits) is controlled by the options selected when the key record is created: 16 = 128 bit, 24 = 192 bit, 32 = 256 bit. This is specified in the KEYSIZE parameter on the GENCKMKSFE command.
  • NOTE: This function is targeted at customers with a small amount of data to encrypt, or customers with a large backup window, since there is a performance impact. Customers who need encryption but require the fastest backup speeds should plan to use encryption-capable tape hardware such as TS11xx and LTO4/LTO5/LTO6/LTO7/LTO8 instead, since it has very minimal performance degradation.
  • Message BRM4403 (Encryption has been disabled for backup item) is posted for every backup item that cannot be saved encrypted.


Performance when doing Software Encryption with BRMS on Power 7 hardware.

NOTE: Saves that use software encryption on POWER8/POWER9 may be quicker, but they are still limited by native tape drive speeds, because data is not compressed/compacted when encrypted, so more tapes may be required.

BRMS-based encryption (compared with regular tape saves)

Operation                Performance               CPU Utilization
Source File Saves        Minimal impact            approx double
Usermix Saves            approx 30% degradation    approx double
Large File Saves         approx 50% degradation    approx 3-5x increase
Source File Saves        Minimal impact            approx 40% increase
Usermix Restores         approx 25% degradation    approx 40% increase
Large File Restores      approx 4% degradation     approx 5-7x increase

Performance tests were run on an i570 and an i570 MMA 4-way system with EXP24 disk and LTO3 tape.
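The list above warns that software encryption can need up to three times as much media, and the note above this table repeats that encrypted data is not compacted by the drive. The reason is that a tape drive compacts data as it is written, but BRMS software encryption runs before the data reaches the drive, so the drive only ever sees ciphertext, which is statistically random and does not compress. The following script, added here as an illustration and not part of the BRMS documentation or product, measures that effect on a constructed sample of repetitive save data. AES is not in the Python standard library, so a SHA-256 counter-mode keystream is used as a stand-in for AES (an assumption for this demonstration only; BRMS itself uses AES keys from the QUSRBRM key store).

```python
"""Why software-encrypted saves consume more tape: ciphertext does not compact.

Added illustration (not BRMS product code).  A SHA-256 counter-mode keystream
stands in for AES because the Python standard library has no AES; the effect
on compressibility is the same for any secure cipher.
"""
import hashlib
import zlib

# Constructed sample: repetitive fixed-format records, the kind of data that a
# tape drive's hardware compaction normally shrinks dramatically.
SAMPLE_RECORDS = "".join(
    f"ORDER{i:08d} CUSTOMER{i % 5000:06d} STATUS=SHIPPED AMOUNT={i * 1.25:010.2f}\n"
    for i in range(20000)
).encode("ascii")

# Constructed demo key; not a real key and never reused anywhere.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256(key || counter) keystream (AES-CTR stand-in).

    Encrypting twice with the same key decrypts, exactly like CTR mode.
    """
    out = bytearray()
    block = 0
    for pos in range(0, len(data), 32):
        chunk = data[pos:pos + 32]
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()[:len(chunk)]
        x = int.from_bytes(chunk, "big") ^ int.from_bytes(ks, "big")
        out += x.to_bytes(len(chunk), "big")
        block += 1
    return bytes(out)


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size, i.e. what drive compaction would achieve."""
    return len(zlib.compress(data, 9)) / len(data)


def tape_usage_estimate(data: bytes, key: bytes) -> dict:
    """Compare compaction of plaintext vs. ciphertext and derive a media multiplier.

    media_multiplier is how many times more tape the encrypted save needs,
    assuming compaction runs in the drive after software encryption (the BRMS
    software-encryption case).
    """
    plain_ratio = compression_ratio(data)
    cipher_ratio = compression_ratio(keystream_encrypt(key, data))
    return {
        "plain_ratio": plain_ratio,
        "cipher_ratio": cipher_ratio,
        "media_multiplier": cipher_ratio / plain_ratio,
    }


def compress_then_encrypt_ratio(data: bytes, key: bytes) -> float:
    """Ratio when compression happens BEFORE encryption.

    This ordering keeps the space saving; it is shown only to make the point
    that the media penalty comes from the order of the two steps, not from
    encryption as such.  Drive compaction cannot be reordered this way.
    """
    return len(keystream_encrypt(key, zlib.compress(data, 9))) / len(data)


if __name__ == "__main__":
    est = tape_usage_estimate(SAMPLE_RECORDS, DEMO_KEY)
    print(f"plaintext compaction ratio : {est['plain_ratio']:.3f}")
    print(f"ciphertext compaction ratio: {est['cipher_ratio']:.3f}")
    print(f"media multiplier           : {est['media_multiplier']:.1f}x")
    print(f"compress-then-encrypt ratio: {compress_then_encrypt_ratio(SAMPLE_RECORDS, DEMO_KEY):.3f}")
```

Run it as-is; the multiplier depends entirely on how compressible the plaintext is, which is why the documentation can only say "possibly 3 times": highly repetitive source files compact far better than mixed user data, so they lose more when encrypted before the drive.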


An example of setting up the master key and key store can be found in Setting Up BRMS to Use Software-based Encryption.

NOTES: 

  1. BRMS saves to a save file allow the media policy Encrypt data field to be set to *YES, but the save file data will not be encrypted.  The save data is only encrypted when the save file data is written to tape media using the Save Save Files using BRM (SAVSAVFBRM) command.
  2. In IBM i 7.2, software encryption performance on POWER8 can be improved by applying the following PTF or a superseding PTF:
         7.2 MF58198

Cloud backups

BRMS saves to the cloud can be encrypted, provided that Version 1.2 of IBM Cloud Storage Solutions for i (5733ICC) is used.

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.