Dennis forgot to mention that we discovered that there is currently no way to encrypt DB2/VM
tape backups. Please keep DB2 in mind in your solution. We decided to back up DB2 to disk (SFS)
and then use VM:Backup to back that up. But then we found out CA doesn't support industrial-
strength encryption. Phoo!
If there is an encryption solution, it should either use the hardware encryption facilities of the z9
hardware, or offboard encryption hardware.
There should also be compression. And please remember that you cannot compress encrypted
data -- compression must come first. Tape-drive compression is worthless if the encryption is on
Alan (dot) Ackerman (at) Bank of America (dot) com
On Wed, 8 Mar 2006 23:06:25 -0800, O'Brien, Dennis L <Dennis.L.Ofirstname.lastname@example.org>
>We have a requirement that media that leaves Bank premises and contains
>customer data must be encrypted with a Bank-approved algorithm. If the
>data isn't encrypted, it must be in the custody of a Bank employee while
>in transit (i.e. no FedEx). Our largest VM system uses channel-extended
>tape drives for DR backups, so it's not affected by this requirement.
>We briefly used the encryption feature in VM:Backup for DR backups of a
>smaller system, but VM:Backup uses the DES algorithm, which isn't on our
>approved list. We had to continue hand-carrying the tapes, so we turned
>off the encryption. AES is our preferred encryption algorithm, but
>Triple DES and a couple of others are also acceptable.
>"Of all tyrannies, a tyranny exercised for the good of its victims may
>be the most oppressive. It may be better to live under robber barons
>than omnipotent moral busybodies. The robber baron's cruelty may
>sometimes sleep, his cupidity may at some point be satiated; but those
>who torment us for our own good will torment us without end, for they do
>so with the approval of their own conscience."
> -- C.S. Lewis
>From: VM/ESA and z/VM Discussions [mailto:VMESA-***@LISTSERV.UARK.EDU] On
>Behalf Of Alan Altmark
>Sent: Wednesday, March 08, 2006 13:12
>Subject: Requirements for encrypting tape drives for z/VM
>[Cross-posted to VMESA-L and LINUX-390]
>Hi, Everyone. The VM Development team needs your help once again.
>Back in July of last year, IBM published a Statement of Direction for
>encrypting tape drives (Announcement 105-241). We would like to know:
>- If you currently backup or archive z/VM data, does your business
>that you encrypt said backups/archives? If so, what are you using?
>- If you are not *currently* required to encrypt them, do you expect
>requirements to be levied against you? If so, when?
>Sr. Software Engineer
>IBM z/VM Development
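
The compress-before-encrypt point in the first message above, as an added example that is not part of the original thread: it measures how many bytes reach tape for each ordering of the two steps. The XOR keystream is a stand-in cipher built from the standard library (an assumption for illustration, not AES and not the z9 hardware facility), and the function names and sample records are constructed.

```python
import hashlib
import os
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (illustration only, not AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def backup_sizes(plaintext: bytes, key: bytes) -> dict:
    """Return the bytes written for each ordering of compression and encryption."""
    compress_then_encrypt = keystream_xor(key, zlib.compress(plaintext, 9))
    encrypt_then_compress = zlib.compress(keystream_xor(key, plaintext), 9)
    # Restore path for the workable ordering: decrypt first, then decompress.
    restored = zlib.decompress(keystream_xor(key, compress_then_encrypt))
    return {
        "original": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
        "restores_cleanly": restored == plaintext,
    }


# Constructed sample: repetitive fixed-width records, similar to a database unload.
SAMPLE = b"".join(
    b"ACCT%08d|BRANCH%04d|STATUS=ACTIVE|BAL=0000000000.00\n" % (i, i % 50)
    for i in range(5000)
)

if __name__ == "__main__":
    for name, value in backup_sizes(SAMPLE, os.urandom(32)).items():
        print(f"{name:24} {value}")
```

Ciphertext has no redundancy left for a compressor to find, so the encrypt-first ordering writes about as many bytes as the uncompressed data; the same applies to tape-drive compression applied after host-side encryption.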