IBM Support

Data encryption considerations for cloud-container storage pools in IBM Spectrum Protect

Question & Answer


Question

What are the performance and security considerations for the encryption of data that is written to a cloud-container storage pool?

Answer

It is important to safeguard data that is sent to a cloud computing system that is located off premises. For this reason, you can encrypt a cloud-container storage pool. If you enable encryption, the server encrypts data before the data is written to the storage pool. If you are planning to store data in an off-premises cloud computing system, you should understand how the server encrypts data, and consider the performance and data protection implications of data encryption.

The server uses the AES256-GCM cryptographic algorithm, which helps to support data integrity and confidentiality.

You cannot encrypt traditional device-class storage pools. You can encrypt only container storage pools. This technote focuses on off-premises cloud-container storage pools, because data that is stored outside your network presents greater security concerns.

Data privacy considerations

The security of sensitive data is always a concern. For cloud-container storage pools that are off premises, encryption of data is enabled by default.

To guard against threats, you can define a cloud-container storage pool to be encrypted. When you do, the server encrypts data before it is sent to the storage pool. After data is retrieved from the storage pool, the server decrypts the data. Your data is protected from eavesdropping and unauthorized access when it is outside your network because it can be understood only when it is back on premises.

Performance considerations

Encrypting and decrypting data is compute-intensive and consumes processor resources on the server. If you encrypt storage pool data, the encryption process can significantly affect performance. Keep the following considerations in mind:

  • Encryption is important for off-premises cloud-container storage pools, but is also available for on-premises cloud-container storage pools. Because of the performance impact, consider whether encryption is needed for on-premises cloud-container storage pools.
  • Be aware of scheduled operations that require the server to encrypt or decrypt data, and plan for the increased processor usage. In particular, be aware that replication between an encrypted storage pool and a non-encrypted storage pool requires more processing. If possible, schedule such replication to occur outside of the normal backup windows.

Creating the master encryption key

Data encryption and decryption are handled automatically by the server and do not require any user action apart from some initial configuration. To encrypt data for container storage pools, the server uses a master encryption key.

  • For IBM Spectrum Protect 8.1.2 and later: The master encryption key is automatically generated when you start the server if the master encryption key does not previously exist. The master encryption key is itself encrypted, and is stored in a key database, dsmkeydb.kdb. The password for accessing the key database is stored in an associated stash file, dsmkeydb.sth.

  • For versions earlier than 8.1.2: The master encryption key is created when the server password is set. The master encryption key is itself encrypted, and is stored as part of the server password file, dsmserv.pwd. The server does not define an encrypted cloud-container storage pool unless the server password is already set.

    Tip: If you are upgrading a server from a version that is earlier than 8.1.2 to version 8.1.2 or later, the master key from the dsmserv.pwd file is converted to the new format.

    To check whether the server master encryption key was created, and to create it if necessary, complete the following steps:

    1. To determine whether the server password is set, issue the QUERY STATUS command:
      query status
      
      In the command output, check the value of the Server Password Set field.
                         Server Name: CRICKET
      Server host name or IP address: 192.0.2.0
          Server TCP/IP port number: 1500
                        Crossdefine: Off
                Server Password Set: Yes
      Server Installation Date/Time: 08/24/2015 11:48:31 AM
           Server Restart Date/Time: 08/25/2015 08:45:49 AM
      ...
      
    2. If the server password was not set, issue the SET SERVERPASSWORD command:
      set serverpassword password
      

Protecting the master encryption key

To decrypt data that was sent to encrypted cloud-container storage pools, the master encryption key is required. For this reason, it is important to protect the files listed below. If these files are lost or corrupted, the server cannot access the master encryption key to decrypt the data. Keep a copy of these files in a secure location.

  • For version 8.1.2 and later: The following files must be protected to ensure that you can decrypt data:

    dsmkeydb.kdb
    This file is the key database file that contains the master encryption key.
    dsmkeydb.sth
    This file is the password stash file that the server uses to access the dsmkeydb.kdb key database file.

  • For versions earlier than 8.1.2: The following file must be protected to ensure that you can decrypt data:

    dsmserv.pwd
    This file is the server password file.

To ensure that you can recover from the loss of the dsmkeydb files (version 8.1.2 and later) or the dsmserv.pwd file (earlier versions), you must back up the master encryption key as part of a scheduled or manual database backup. You can protect the backup copy of the master encryption key by securing the database backup with a password. The same password is required to restore the master encryption key from the database backup.

The server does not define an encrypted cloud-container storage pool unless the defaults for database backups are defined to include the master encryption key.

Determining if database backups are configured

A server is configured for database backups if a default device class for backups is set for the server. You can determine whether server database backups are configured, and if the backups are configured to include the master encryption key, by using the Operations Center or by issuing the QUERY DB command.

  • To check whether database backups are configured by using the Operations Center, complete the following steps:
    1. On the Operations Center menu bar, click Servers.
    2. On the Servers page, select the server and click Details.
    3. On the Details page, click the Properties tab.

    The Database Backup and Recovery area shows whether a default device class is set for database backups. It also shows if backups are configured to include the master encryption key.

  • To check whether database backups are configured by using the QUERY DB command, issue the following command:
    query db format=detailed
    
    In the command output, the Full Device Class Name field shows whether a default device class is set for database backups. The Protect Master Encryption Key field shows if backups are configured to include the master encryption key. The output is similar to the following example:
                        Database Name: TSMDB1
      Total Space of File System (MB): 5,110
        Space Used on File System(MB): 1,408
           Space Used by Database(MB): 1,376
            Free Space Available (MB): 3,702
                          Total Pages: 110,596
                         Usable Pages: 109,820
                           Used Pages: 51,776
                           Free Pages: 58,044
                Buffer Pool Hit Ratio: 97.8
                Total Buffer Requests: 363,672
                       Sort Overflows: 0
              Package Cache Hit Ratio: 47.1
         Last Database Reorganization: 11/11/2021 04:50:31 PM
               Full Device Class Name: FILE
    Number of Database Backup Streams: 1
         Incrementals Since Last Full: 0
       Last Complete Backup Date/Time:
            Compress Database Backups: No
             Encrypt Database Backups: No
        Protect Master Encryption Key: Yes
         Database Backup Password Set: Yes
      Servermon Total Used Space (MB): 0
    
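The two checks above (the Server Password Set field from QUERY STATUS and the Full Device Class Name, Protect Master Encryption Key and Database Backup Password Set fields from QUERY DB) can be automated against captured command output. The following POSIX shell script is an added example, not IBM's code; the sample output is constructed from the examples in this technote, and the assumption that an unset device class appears as an empty value is ours.

```shell
#!/bin/sh
# Added example (not IBM code): validate that a server is ready for an
# encrypted cloud-container storage pool by inspecting captured output
# of "query status" and "query db format=detailed".

# Extract the value of a "Field Name: value" line from captured output.
# Usage: field_value "Field Name" < output
field_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Reads the combined query output from stdin. Prints one line per
# problem found and returns 0 if all prerequisites are met, 1 otherwise.
check_key_protection() {
    out=$(cat)
    rc=0
    devclass=$(printf '%s\n' "$out" | field_value "Full Device Class Name")
    protect=$(printf '%s\n' "$out" | field_value "Protect Master Encryption Key")
    dbpw=$(printf '%s\n' "$out" | field_value "Database Backup Password Set")
    srvpw=$(printf '%s\n' "$out" | field_value "Server Password Set")
    [ -n "$devclass" ] || { echo "no default device class for DB backups: run SET DBRECOVERY"; rc=1; }
    [ "$protect" = "Yes" ] || { echo "master key not included in DB backups: SET DBRECOVERY ... PROTECTKEYS=YES"; rc=1; }
    [ "$dbpw" = "Yes" ] || { echo "no DB backup password: backed-up master key is unprotected"; rc=1; }
    [ "$srvpw" = "Yes" ] || { echo "server password not set (required before 8.1.2): run SET SERVERPASSWORD"; rc=1; }
    return $rc
}

# Constructed samples modelled on the technote's example output
# (only the relevant fields are kept).
SAMPLE_OK='                Server Password Set: Yes
               Full Device Class Name: FILE
        Protect Master Encryption Key: Yes
         Database Backup Password Set: Yes'

# Assumption: an unset device class shows as an empty value.
SAMPLE_BAD='                Server Password Set: Yes
               Full Device Class Name:
        Protect Master Encryption Key: No
         Database Backup Password Set: No'

# Usage: pipe the captured output of both queries into the check, e.g.
#   printf '%s\n' "$SAMPLE_OK" | check_key_protection
```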

Configuring database backups

If server database backups are not configured, you can configure them by using the SET DBRECOVERY command. To configure database backups by using the SET DBRECOVERY command, issue the following command:

set dbrecovery device_class_name protectkeys=yes password=password

Important: Store the password in a secure location. You cannot recover the master encryption key without this password.

Creating an encrypted cloud-container storage pool

You can create a cloud-container storage pool by using the Operations Center or the DEFINE STGPOOL command. Because encryption is most important for off-premises pools, these instructions assume that the cloud storage is located off-premises.

To add the storage pool by using the Operations Center, complete the following steps:

  1. On the Operations Center menu bar, click Storage > Storage Pools.
  2. On the Storage Pools page, click + Storage Pool.
  3. Complete the steps in the Add Storage Pool wizard.

    On the Type page, select Off-premises cloud. The Add Storage Pool wizard configures off-premises cloud-container storage pools to be encrypted.

    Tip: You can also use the Add Storage Pool wizard to create an on-premises cloud-container storage pool. Because of the performance impact, however, encrypt on-premises pools only if necessary.

    If database backups are not configured to include the master encryption key, the wizard displays a Protect Encryption Keys page. Specify a password to protect the master encryption key.

    Important: Store the password in a secure location. You cannot recover the master encryption key without this password.

To add a storage pool by using the DEFINE STGPOOL command, issue the DEFINE STGPOOL command with the STGTYPE=CLOUD parameter. Other parameters specify the type of cloud computing system, and the URL, user ID, and password for accessing the cloud. Depending on the type of cloud computing system, other parameters might be required. Refer to the IBM Spectrum Protect documentation for more information on the full syntax of the DEFINE STGPOOL command.

define stgpool poolname stgtype=cloud
cloudtype=cloud_system_type cloudurl=cloud_url
identity=cloud_identity password=cloud_password

The default is to define an off-premises cloud, and the default for an off-premises cloud is to encrypt data. But you can also explicitly specify these properties by using the CLOUDLOCATION and ENCRYPT parameters.

define stgpool poolname stgtype=cloud
cloudtype=cloud_system_type cloudurl=cloud_url
identity=cloud_identity password=cloud_password
cloudlocation=offpremise encrypt=yes

Tip: To create an on-premises cloud container storage pool, specify the CLOUDLOCATION=ONPREMISE parameter. For versions earlier than 8.1.13, the default is to not encrypt on-premises cloud-container storage pools, so you must also specify the ENCRYPT=YES parameter. Because of the performance impact, however, encrypt on-premises pools only if necessary.

Changing encryption for a cloud-container storage pool

You can update the encryption setting for a cloud-container storage pool by using the Operations Center or the UPDATE STGPOOL command. Changing the setting does not affect data that is already stored in the pool. Changing the setting affects only new data that is written to the pool.

To update the encryption setting by using the Operations Center, complete the following steps:

  1. On the Operations Center menu bar, click Storage > Storage Pools.
  2. On the Storage Pools page, select a cloud-container storage pool and click Details.
  3. On the Details page, click the Properties tab.

    The Cloud area shows the cloud-related properties of the storage pool.

  4. In the Cloud area, click the Unlock icon so you can edit the cloud-related properties.
  5. From the Data encryption list, select Yes or No.
  6. Click Save.

To update the encryption setting by using the UPDATE STGPOOL command, issue the command with the ENCRYPT parameter. You can specify ENCRYPT=YES or ENCRYPT=NO.

update stgpool poolname encrypt=yes

When you change the encryption setting, the change does not affect data that was previously written to the storage pool. The updated setting applies only to data that is written after the change.

Restoring a master encryption key from a database backup

If the file that contains the master encryption key is lost or corrupted, the server can no longer encrypt new data or decrypt existing data for the encrypted cloud-container storage pools. During initialization, if the server cannot access the master encryption key, it returns one of the following errors, depending on your server version.

  • For version 8.1.2 and later: If the server cannot access the master encryption key, and encrypted pools are defined to the server, the server makes the pools unavailable. For each storage pool, one of the following messages is returned:

    ANR2251S The ACCESS setting for storage
    pool poolname was changed from
    access to UNAVAILABLE. The pool
    is enabled for encryption, but the
    master encryption key for the
    server is not available.
    
    
    ANR2252S The ACCESS setting for storage
    pool poolname was changed from
    access to UNAVAILABLE. The pool
    is enabled for encryption, but the
    master encryption key for the
    server was reset.
    
  • For versions earlier than 8.1.2: If the server cannot access the master encryption key, one of the following messages is returned:

    ANR2261W The server password file, dsmserv.pwd, was not found. A
    new master encryption key will be created and stored in a new pass
    word file.
    
    ANR2264E Corruption detected reading from the server password file,
    dsmserv.pwd.  The master encryption key cannot be read.
    
    ANR2097E Unable to retrieve the master encryption key from the server
    password file, dsmserv.pwd.
    

    If encrypted pools are defined to the server, the server makes them unavailable. Client nodes can no longer read from or write to these storage pools. For each storage pool, one of the following messages is returned.

    ANR2251S The ACCESS setting for storage pool pool_name
    was changed from READWRITE to UNAVAILABLE.  The pool is enabled for
    encryption, but the master encryption key for the server is not
    available.
    
    ANR2252S The ACCESS setting for storage pool pool_name 
    was changed from access to UNAVAILABLE. The pool is enabled for
    encryption, but the master encryption key for the server was reset.
    

You cannot set an encrypted pool's access mode back to READWRITE until you restore the master encryption key from a database backup. To restore a master encryption key and to make the encrypted pools available again, complete the following steps:

  1. Halt the server, and use the DSMSERV RESTORE DB server utility to restore the master encryption key from the database backup. To restore only the master key and not the database, specify the RESTOREKEYS=ONLY parameter.
    • For versions earlier than 8.1.8: Specify the password on the command line as shown in the following example:

      dsmserv restore db restorekeys=only password=password


    • For version 8.1.8 and later: Specify the PROMPT=YES parameter on the command line. When you issue the command, it prompts you for the password:

      dsmserv restore db restorekeys=only prompt=yes


    The password that you specify must be the same password that was used when the database was backed up. By using the SET DBRECOVERY command, or by specifying a password when you define the pool by using the Operations Center, you set the default password for recovering the master encryption key. However, you can also override this default by specifying a password on the BACKUP DB command. If you are restoring from a full plus incremental database backup, specify the password that was used for the incremental backup.

    If the restore operation is successful, the server returns the following message:

    ANR1742I The server master encryption key was restored successfully.

  2. Restart the server, and change the access state of the encrypted cloud-container storage pools so they are available again. You can change the access state of a storage pool by using the Operations Center or the UPDATE STGPOOL command.

    To change the access state by using the Operations Center, complete the following steps:

    1. On the Operations Center menu bar, click Storage > Storage Pools.
    2. On the Storage Pools page, select a cloud-container storage pool and click Details.
    3. On the Details page, click the Properties tab.
    4. From the Access list, select READWRITE.
    5. Click Save.

    To change the access state by using the UPDATE STGPOOL command, issue the command with the ACCESS=READWRITE parameter.

    update stgpool poolname access=readwrite



Document Information

Modified date:
13 December 2021

UID

swg21963635