Data encryption during backup or archive operations

For the strongest possible encryption, use 128-bit Advanced Encryption Standard (AES) data encryption, with the encryptiontype option.

The data that you include is stored in encrypted form, and encryption does not affect the amount of data sent or received.

The include.encrypt option is the only way to enable encryption on the Backup-Archive client. If no include.encrypt statements are used, encryption will not occur.

Encryption is not compatible with VMware virtual machine backups that use the incremental forever backup modes (MODE=IFIncremental and MODE=IFFull). If the client is configured for encryption, you cannot use incremental forever backup. However, you can use the full or incremental backup modes (MODE=Full and MODE=Incremental).

To encrypt file data, you must select an encryption key password, which Tivoli® Storage Manager uses to generate the encryption key for encrypting and decrypting the file data. You can specify whether to save the encryption key password in the Windows Registry by using the encryptkey option.

Tivoli Storage Manager client encryption allows you to enter a value of up to 63 characters in length. This encryption password needs to be confirmed when encrypting the file for backup, and also needs to be entered when performing restores of encrypted files.

While restoring an encrypted file, Tivoli Storage Manager prompts you for the key password to decrypt the file in the following cases:

• If the encryptkey option is set to Prompt.
• If the key supplied by the user does not match.
• If the encryptkey option is set to Save and the locally saved key password does not match the encrypted file.