Encryption Defaults
Robot Save allows you to encrypt data as it is saved to tape. Encryption converts the data to an unreadable form. Decrypting the data converts it back to its original form. Data encryption protects your tape volumes in case they are lost or stolen. Encrypted data cannot be restored outside of Robot Save unless the user knows the encryption key that was used to save the data and is using the Robot Save restore commands.
You specify the items to be encrypted at the backup set level. For libraries, you can select default objects that always are saved encrypted by any backup set that saves the library. The encryption defaults you define at system setup specify the level of encryption to use when encrypting selected data and the encryption key used by Robot Save. The encryption level and encryption key also are used (unless they are overridden) when saving from a command using Robot Save encryption commands or for an ad hoc save.
Note: You must have IBM licensed program 5722AC3, Cryptographic Access Provider 128-bit for the iSeries, installed to use Robot Save encryption.
- See About Robot Save Encryption for more information on working with Robot Save encryption.
Encryption Levels
To set up Robot Save encryption, you must specify the level of encryption (or no encryption) to use during system setup. You also define the encryption key that Robot Save will provide to the encryption algorithm. An encryption key is an 8- to 32-character password that the encryption algorithm uses to encrypt data. Robot Save allows five levels of encryption:
- No encryption. No data is encrypted and all backups process as usual.
- Low-level encryption. Robot Save uses an internally defined algorithm to encrypt data. This provides the fastest processing, but it is the least secure level of encryption. Low-level encryption uses a 32-character encryption key.
- Medium-level encryption. Robot Save uses the Data Encryption Standard (DES) cryptographic algorithm for encryption. A unique 8-character key provides security for the encrypted data.
- High-level (128-bit) encryption. Robot Save uses the Advanced Encryption Standard (AES) for data encryption. High 128 uses a 16-character encryption key.
- High-level (256-bit) encryption. Robot Save uses the Advanced Encryption Standard (AES) for data encryption. High 256 uses a 32-character encryption key.
Encryption Key Management
Robot Save manages the keys used to encrypt data. Key management allows Robot Save to track the keys used to encrypt data and know the correct key required to restore the encrypted data. Encrypted files cannot be restored using the IBM restore commands. You can restore encrypted files only through Robot Save or by using the Robot Save restore encrypted data commands and entering the encryption key used for the data being restored.
When you install Robot Save, the encryption level is set to 0 (None) and there is no encryption key. You must enter an encryption key to set an encryption level.
You enter the encryption key during system setup. The key is encrypted and stored in the RBSKEYLIB library, which is saved in encrypted format to prevent unauthorized users from accessing the key. Encryption keys are never displayed, printed, or stored in clear text.
You can change the encryption key used to save your data as often or as rarely as you wish. We recommend that you follow your password security rules and change the encryption key on the same schedule that you change other system passwords.
To change the encryption key, you must know the current key value. If you forget the current encryption key value, you must sign on as QSECOFR to reset the key without entering the current value.
Select option 12 from the System Setup panel to display the Save Encryption Key panel.
Note: You can perform ad hoc encrypted saves and restores using Robot Save commands without entering a default encryption level and key. The commands allow you to specify the encryption level and encryption key.