Backup (to external media)
For disaster recovery purposes, it is critical to have a good plan for recreating the Master Encryption Keys (MEKs) and recovering the Key Stores, Field Encryption Registry and external files (which contain encrypted field values). Failure to do so may result in the inability to decrypt data.
Listed below is a summary of the objects you should back up frequently:
- Powertech Encryption for IBM i CRYPTO library
- CRVL001 objects type *VLDL
- CRVL002 objects type *VLDL
- CRPF002 object type *FILE
- User created Key Store objects type *VLDL
- If using external files to store your encrypted database field values, then back up those external files (default object prefix of “CRXX”, type *FILE)
- If using IBM i Authorization Lists to secure the Key Store objects, or if they are used to secure fields in the Field Encryption Registry, then back up those Authorization Lists.
Listed below is detailed information about the objects to back up:
Backup: Powertech Encryption for IBM i library
The Powertech Encryption for IBM i product should be saved as part of your normal backup processes. This product can be saved with the command SAVLIB LIB(CRYPTO).
Backup: Master Encryption Keys (MEKs) and Policy Settings (CRVL001)
The Key Policy settings, Master Keys, Security Alert settings and Key Officers are stored in a Validation List (*VLDL) object named CRVL001, which is stored in the CRYPTO library by default.
The passphrases for a MEK are case-sensitive and must be entered in the same order.
The CRVL001 *VLDL object should be saved as part of your normal backup processes.
The values in the CRVL001 *VLDL object are encrypted with the Product Encryption Key (PEK). The PEK is partially derived from the IBM i serial number. Therefore, each IBM i machine has its own unique PEK.
If the CRVL001 *VLDL object is restored onto a different IBM i serial number, then it will not be usable since the PEK will be different. In that case, the Key Policy settings, Master Keys, Security Alerts and Key Officers will need to be manually recreated (see the disaster recovery section).
Backup: Field Encryption Registry (CRVL002)
The Field Encryption Registry is stored in a Validation List (*VLDL) object named CRVL002, which is stored in the CRYPTO library by default (unless other environments were set up). CRVL002 contains important information about the fields that are registered for encryption, such as field names, pointers to Key Labels used to encrypt/decrypt data, index numbers for externally stored encrypted field data, etc.
The CRVL002 *VLDL object should be saved as part of your normal backup processes.
Backup: Last Index Numbers Used (CRPF002)
If you utilize the Field Encryption Registry and are using external files to store encrypted database field values and if the ‘last index numbers used’ are stored in the physical file option [LSTINDSTG(*PF) parm on the Registry], then the CRPF002 physical file should be saved as part of your normal backup processes. This file is stored in the CRYPTO library by default (unless other environments were set up).
Backup: External Files containing Encrypted Values (CRXX*)
If you utilize the Field Encryption Registry and are using external files to store encrypted database field values, then save those external files as part of your normal backup processes. You can find the names of those external files by running the command CRYPTO/WRKFLDENC and placing option 5 next to each field entry to display it.
Backup: Key Stores (*VLDL object types)
Your organization’s Data Encryption Keys (DEKs) are contained within Key Stores. The Key Stores are Validation List (*VLDL) objects. The names (and library locations) of these *VLDL objects are those names that were specified on the CRTKEYSTR (Create Key Store) command, unless they were later moved or renamed.
The Key Store *VLDL objects should be saved as part of your normal backup processes. Since each Key Store is encrypted with a Master Key (which is encrypted by a PEK), the Key Stores will be protected on your backup media from unauthorized usage.
Backup: Authorization Lists
If you use Authorization Lists to secure your Key Stores or to secure fields in the Field Registry, then save those Authorization Lists as part of your normal backup processes. The Authorization Lists can be saved using the IBM i command SAVSECDTA or SAVSYS.
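The following CL program is an added example (not part of the Powertech Encryption documentation) that saves every object category listed in this section in one run. The tape device TAP01, the library MYKEYLIB with key stores MYKEYSTR1 and MYKEYSTR2, and the library MYDATALIB holding CRXX* files are placeholders; substitute the names reported by CRTKEYSTR and CRYPTO/WRKFLDENC on your system.

```cl
             /* Added example, not Powertech's own code: one job that  */
             /* saves the CRYPTO library, Key Stores, external CRXX*    */
             /* files and Authorization Lists to a single tape volume.  */
             PGM
             DCL        VAR(&DEV) TYPE(*CHAR) LEN(10) VALUE('TAP01')

             /* Any unmonitored failure below jumps to the ERROR label  */
             /* so a partial backup is never reported as a success.    */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             /* 1. Product library: holds CRVL001 (MEKs and policy),    */
             /*    CRVL002 (Field Encryption Registry), CRPF002 (last   */
             /*    index numbers), the license keys and, by default,    */
             /*    the CRXX* external files.                            */
             SAVLIB     LIB(CRYPTO) DEV(&DEV) ENDOPT(*LEAVE)

             /* 2. Key Stores created with CRTKEYSTR outside CRYPTO.    */
             /*    They stay protected on tape because each one is     */
             /*    encrypted under a Master Key.  Names are placeholders.*/
             SAVOBJ     OBJ(MYKEYSTR1 MYKEYSTR2) LIB(MYKEYLIB) +
                          OBJTYPE(*VLDL) DEV(&DEV) ENDOPT(*LEAVE)

             /* 3. External encrypted-value files kept in another       */
             /*    library (placeholder MYDATALIB); WRKFLDENC option 5 */
             /*    shows the real name and library of each file.       */
             SAVOBJ     OBJ(CRXX*) LIB(MYDATALIB) OBJTYPE(*FILE) +
                          DEV(&DEV) ENDOPT(*LEAVE)

             /* 4. Authorization Lists (with the rest of the security   */
             /*    data).  Unlike SAVSYS, SAVSECDTA does not require   */
             /*    a restricted state, so it can run in a normal job.  */
             SAVSECDTA  DEV(&DEV) ENDOPT(*REWIND)

             SNDPGMMSG  MSG('Crypto backup completed') MSGTYPE(*COMP)
             RETURN

 ERROR:      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Crypto backup failed - see job log') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Remember that a restore of CRVL001 onto a machine with a different serial number yields an unusable object, so the recovery plan for another system must still include recreating the Master Encryption Keys from their passphrases.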
Backup: License Keys
Powertech Encryption for IBM i license keys are stored in the CRYPTO library and are saved when you save a copy of that library. See the instructions below for restoring the product on the same system or on a different system:
- If you restore the product on the same system, you do not need a new key.
- If you restore the product to a different system or to another LPAR not included in your license, first contact Fortra Technical Support to get a license key for the new system. You can then add this key in the menu CRYPTO10, option 1. If you add this key before restoring to the new system, the product continues functioning.