Saving Objects With Encryption

The Robot Save encryption process offers a great deal of flexibility. We recommend that you keep the following in mind as you set up an encryption strategy and select the objects that you want to encrypt.

Encryption Key Management

You must enter an encryption key before encrypted saves can run. You can change the encryption key as often or as rarely as you wish.

Note: Be aware that you must have key management procedures in place if you change your encryption key regularly. You cannot restore encrypted data without the proper key and you cannot recover a lost or forgotten encryption key.

Encryption keys do not display on the Save Encryption Key Entry panel. The panel displays blanks for the current and new encryption key values.

Robot Save stores encryption keys in an encrypted format in library RBSKEYLIB. Encryption keys are never shown to any user. If encryption is enabled on your system, RBSKEYLIB is saved encrypted automatically at the end of every save. If encryption is not enabled, RBSKEYLIB is not saved.

Encryption keys are retained in RBSKEYLIB as long as save history exists for objects that were saved with encryption. When the save history no longer exists, the key is purged from RBSKEYLIB.

You can encrypt objects saved as part of an ad hoc save by using the RBSSAVxxx commands in a program or from the command line. You should be aware, however, that Robot Save does not store the encryption keys used for ad hoc saves in RBSKEYLIB. You must know the key that was used to save the data to be able to restore it.

If you are restoring objects manually from a command line at a hot site, you must know the encryption key or keys that were used to encrypt the data. If you use Robot Save guided restoration, Robot Save has a record of the encryption keys that were used and you do not need to enter them.
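Because Robot Save does not keep ad hoc save keys in RBSKEYLIB, the key management procedure has to track them separately. The following is an added example, not Robot Save code or output: it applies the same retention rule (keep a key while saves that depend on it exist) to a manually kept register. The register layout, key labels, volume names, and the use of an expiration date as the end of save history are all assumptions.

```python
from datetime import date

# Constructed sample register of ad hoc saves (not Robot Save output).
# key_label names an entry in an offline key escrow; the key itself is
# never written to this register.
ADHOC_SAVES = [
    {"volume": "VOL001", "expires": date(2024, 7, 5), "key_label": "K-2024-01"},
    {"volume": "VOL002", "expires": date(2025, 3, 9), "key_label": "K-2024-01"},
    {"volume": "VOL003", "expires": date(2025, 6, 2), "key_label": "K-2024-06"},
    {"volume": "VOL004", "expires": date(2025, 8, 1), "key_label": "K-2024-08"},
]
# Constructed inventory of the key labels currently held in escrow.
ESCROWED_LABELS = {"K-2023-10", "K-2024-01", "K-2024-06"}


def audit_adhoc_keys(saves, escrowed, today):
    """Classify escrowed keys and flag saves that could not be restored.

    Assumption: a save's history ends on its 'expires' date, so a key is
    needed only while at least one unexpired save was made with it.
    """
    live = [s for s in saves if s["expires"] >= today]
    required = {s["key_label"] for s in live}
    return {
        # Must stay in escrow: an unexpired save still depends on the key.
        "retain": sorted(required & escrowed),
        # In escrow, but no unexpired save depends on the key any more.
        "retire": sorted(escrowed - required),
        # Unexpired volumes whose key is missing from escrow.
        "unrestorable": sorted(
            s["volume"] for s in live if s["key_label"] not in escrowed
        ),
    }


if __name__ == "__main__":
    report = audit_adhoc_keys(ADHOC_SAVES, ESCROWED_LABELS, date(2024, 9, 1))
    for name, items in report.items():
        print(f"{name}: {', '.join(items) or '-'}")
```

Running the audit before a key change or a hot-site test shows which ad hoc volumes depend on a key that nobody has recorded.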

Encrypting Data

For backup set types 5, 6, 7, 8, 9, and A, the saves execute as always with the exception that libraries flagged for encryption are omitted from the save. After the normal save process completes, but before RBSDTALIB is saved, the libraries flagged for encryption are saved to tape. Then, the libraries RBSKEYLIB and RBSDTALIB are saved. Thus, in the case of a full system save, the libraries flagged for encryption are not saved with the other libraries, but would be on the tape after those libraries and the IFS.

When encrypting libraries saved by a type 1 (user-defined) backup set, the libraries to be encrypted are grouped and saved before any other libraries in the backup set. If you want the libraries saved in a specific order, specify a unique sequence number for each library in the backup set.

Encrypting objects using Robot Save could impact your save time. The type and amount of data saved and the encryption level you choose are all factors. We recommend that you test your proposed encryption strategy to see the performance levels you will experience on your system. Then, review your backups and set up an encryption strategy that works for you. One of the advantages of Robot Save is that you don’t need to encrypt entire libraries, but can select which data needs to be encrypted and which does not. Encrypting only the objects that require encryption will help you minimize the time it takes to complete your backup.

If you have defined items to be saved with encryption and then set the encryption level to None, turning off encryption, your saves will still complete. However, be aware that the items defined to be saved using encryption will not be encrypted. Robot Save will issue a warning message that displays on the Warning Messages panel.

You can encrypt any library on your system, within encryption guidelines, including RBSPGMLIB. However, if you choose to encrypt RBSPGMLIB, and need to restore it, you must be able to access the Robot Save restore encrypted data commands (RBSRSTxxx) from one of the following: the save file created by the RBSCRTRST command, the Robot Products Installation CD, the Robot website, or another system. Note: We recommend that you do not encrypt RBSPGMLIB.

You cannot encrypt any library that cannot be saved individually with the SAVLIB command, for example, the IBM system libraries.

You can specify whether new libraries should be saved with encryption on the System Defaults panel.

You can specify default objects in a library to be saved encrypted any time the library is saved using Robot Save backup classes and sets. Note: The objects are not saved encrypted if they are saved in an object list, as part of a data set operation, using the Robot Save RBSSAVxxx commands in an ad hoc operation, or using the IBM save commands from a command line.

Objects saved with encryption are identified on the Object Archive Information panel.

The volume information panels and reports do not indicate that a volume contains encrypted data.

To encrypt IFS files, you must use an object list. Set up an object list that contains only the IFS directories you want to encrypt. To save other, nonencrypted, IFS directories, create a second object list containing those directories. Note: You cannot encrypt the entire IFS by specifying Save All IFS or IFS plus Domino databases on the Items to be Saved Within a Backup Set panel.

You also can use the RBSSAV command to encrypt specific IFS directories or individual IFS objects. Specify the path name of the directories you want to save encrypted; use the OMIT parameter to specify any objects that you do not want to save.

Note: Using the RBSSAV command is considered an ad hoc save. If you choose to use the RBSSAV command, you must remember the encryption key used to save the objects. You will need to enter the key to restore the objects.