Library, Object and File Encryption

NOTE:
BRMS customers: Powertech Encryption for IBM i’s backup encryption commands can be incorporated into IBM’s BRMS package. Contact Fortra for the BRMS integration instructions.

Users can choose between the encryption algorithms of AES128, AES192 and AES256.

Symmetric Keys or Passwords can be used to protect the encrypted data.

Commands are also provided for restoring and decrypting libraries, objects and files that were encrypted using Powertech Encryption for IBM i’s encryption commands.

Powertech Encryption for IBM i’s encryption and decryption commands can be entered on the IBM i command line, placed in CL programs, incorporated in BRMS and used in job schedulers on the IBM i.  

Testing Restores of Encrypted Backups

It is critical that you periodically test the restoration of your encrypted backups. Test the restoration process when any of the following conditions occur:

  1. When you initially use Powertech Encryption for IBM i’s ENCxxx commands.
  2. If you change any parameter settings on the ENCxxx commands.
  3. If you change the key or password used on the ENCxxx commands. 
  4. If you upgrade the IBM i operating system.
  5. If you upgrade the Powertech Encryption for IBM i product to a new version.
  6. If you receive any patches or bug fixes for the Powertech Encryption for IBM i product.

Restoring Encrypted Objects Requirements

WARNING: Fortra will not be able to recover your organization's encrypted data if the password or key is lost.

Passwords

If a password is used for encryption on the ENCxxx commands, keep a copy of the password for disaster recovery purposes. You will need this password to decrypt the data when performing a restore operation with the DECxxx commands.

Record this password in your disaster recovery documentation and/or company safe. At least two people in your organization should know the password value.

Keys

If a key is used for encryption on the ENCxxx commands, back up the key store containing the key, and back up the master key used to encrypt the Key Store. The Key Store and master key need to be available on the system before performing a restore operation with the DECxxx commands. The user profile performing the restore operation must have object authority to the keystore object and DECxxx command, or *ALLOBJ special authority. You do not need to configure the user profile performing a restore operation as a Powertech Encryption IBM i security officer.

Maintain the passphrases needed to recreate a master key in a safe location. See Key Backup and Recovery for more information.

Common Questions about Backup Encryption

Can I encrypt and save Document Library Objects (DLO) ?

Yes. You need to first save DLO into a Save file using IBM’s SAVDLO command with the DEV(*SAVF) parameter option. Then you can use Powertech Encryption for IBM i’s ENCSAVOBJ (Encrypt Object) command to encrypt/save the Save file to a backup device.

How can I minimize the backup window time?

Listed below are several tips on how you can reduce the amount of time for the encrypted backup processes.

  1. You should only encrypt those libraries or objects that contain sensitive data. There is no need to encrypt IBM libraries (e.g. QSYS) or other libraries that do not contain confidential data.
  2. The ENCSAVLIB and ENCSAVOBJ commands provided in Powertech Encryption for IBM i allow you to save libraries and objects while active. This allows your users to continue to work in a library while it is being saved.
  3. If you have sufficient disk space, you can save each library (that requires encryption) into its own Save File object using IBM’s SAVLIB command. When it is convenient, you can then encrypt and save those Save File objects to the backup device using Powertech Encryption for IBM i’s ENCSAVOBJ (Encrypt Object) command.

Where can Powertech Encryption for IBM i's encryption commands be used?

The encryption commands can be run from the IBM i command line, CL programs, incorporated in BRMS, or placed in Job Scheduler. If your organization utilizes BRMS, you can contact Fortra for the BRMS integration instructions.

We normally perform a complete backup of our system from IBM’s backup menu. How can we still do a complete backup while encrypting certain user libraries?

Instead of using IBM’s backup menu to run a full backup, you can instead write a CL program that performs a full backup using a combination of IBM’s backup commands (to save system libraries and non-sensitive libraries) and Powertech Encryption for IBM i’s backup commands (to encrypt and save sensitive user libraries).

Review the source member named BACKUPALL in the source file CRYPTO/QCLSRC for an example of how to perform a full “partially encrypted” backup.

How would I perform a complete restore onto our Disaster Recovery machine?

This depends on the version of Powertech Encryption you have installed. Please follow the correct instructions below for your installed version.

During a disaster recovery for Powertech Encryption v3.57 or earlier:

  1. Restore IBM’s system libraries, user profiles, authorities and configurations that were saved with the SAVSYS.
  2. Restore any unencrypted user libraries that were saved with IBM’s SAVLIB command. For example: RSTLIB SAVLIB(*NONSYS) DEV(TAP01)
  3. Restore the Powertech Encryption for IBM i licensed program. You may be required to run: RSTLICPGM(4CRYPTO) DEV(TAP01).
  4. Restore or recreate the master keys.
  5. Restore the keystores (if keys are used to protect your backups).
  6. Restore any previously encrypted libraries or objects using Powertech Encryption for IBM i’s DECRSTLIB or DECRSTOBJ commands.
  7. Restore any previously encrypted IFS files using Powertech Encryption for IBM i’s DECSTMF command.

During a disaster recovery for Powertech Encryption v3.58 or later:

  1. Restore IBM’s system libraries, user profiles, authorities and configurations that were saved with the SAVSYS.
  2. Restore any unencrypted user libraries that were saved with IBM’s SAVLIB command. For example: RSTLIB SAVLIB(*NONSYS) DEV(TAP01)
  3. Restore or recreate the master keys.
  4. Restore the keystores (if keys are used to protect your backups).
  5. Restore any previously encrypted libraries or objects using Powertech Encryption for IBM i’s DECRSTLIB or DECRSTOBJ commands.
  6. Restore any previously encrypted IFS files using Powertech Encryption for IBM i’s DECSTMF command.

See the source member named RESTOREALL in the source file CRYPTO/QCLSRC for an example of a complete restore.

Related Topics