Linux: Encrypt data
This user guide helps you back up the data of your Linux computer in encrypted form on servers of the University of Vienna.
To increase data security, IBM Storage Protect offers the option of data encryption. By default, 128-bit AES encryption is used; optionally, you can increase this to 256 bit. Enabling data encryption does not affect the amount of data transferred to and from the backup servers.
Adjusting basic configuration
To adjust the basic configuration and enable encryption (optionally with 256-bit AES encryption):
- As root user, switch to the directory of the backup software and edit the file dsm.sys:
    sudo su -
    cd /opt/tivoli/tsm/client/ba/bin
    vi dsm.sys
- Make the necessary adjustments (the ENCRYPTIONType and ENCRYPTKey lines):
    SErvername BACKUPX0
    NOdename A123-RAINER.ZUFALL.UNIVIE.AC.AT
    TCPServeraddress BACKUPX0.UNIVIE.AC.AT
    TCPPort 1500
    ENCRYPTIONType AES256
    ENCRYPTKey prompt
The possible values for ENCRYPTKey are:
- prompt: The encryption password must be entered for each backup and restore operation.
- save: The encryption password is stored locally in encrypted form on your computer and therefore does not have to be entered for each backup and restore operation.
Save ENCRYPTKey for automatic backup
To use automated backups via crontab or the Scheduler, the encryption key must be saved (ENCRYPTKey save). To do this, the root user or another authorised user must initially set the encryption password during the first backup. The password is stored under /etc/adsm/TSM.sth. The PASSWORDAccess generate option is also required.
The necessary adjustments are the PASSWORDAccess, ENCRYPTIONType and ENCRYPTKey lines:
    SErvername BACKUPX0
    NOdename A123-RAINER.ZUFALL.UNIVIE.AC.AT
    TCPServeraddress BACKUPX0.UNIVIE.AC.AT
    TCPPort 1500
    PASSWORDAccess generate
    ENCRYPTIONType AES256
    ENCRYPTKey save
Selecting files for encryption
Files or folders must be explicitly selected for encryption. To do this, you must add an include.encrypt entry to the dsm.sys file or to the include/exclude list, or adapt an existing entry.
Example:
    include.encrypt /home/user/folder/.../*
    include.encrypt /home/user/file1
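To check a dsm.sys against the settings described in this guide, the following added example (not part of the original guide and not an IBM or University of Vienna tool) parses the file and reports what would leave backups unencrypted or break unattended runs. The function names and the sample stanza are constructed; the sketch assumes a single server stanza, option names written in full, and include.encrypt entries kept in dsm.sys itself (entries in a separate include/exclude list are not seen unless that file's text is appended).

```python
# Constructed sample stanza in the layout used in this guide (not a real client config).
SAMPLE_DSM_SYS = """\
* constructed example: lines starting with '*' are comments
SErvername BACKUPX0
    NOdename          A123-RAINER.ZUFALL.UNIVIE.AC.AT
    TCPServeraddress  BACKUPX0.UNIVIE.AC.AT
    TCPPort           1500
    ENCRYPTIONType    AES256
    ENCRYPTKey        save
"""


def parse_options(text):
    """Return (options, encrypt_patterns) from dsm.sys-style text."""
    options, patterns = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()  # option names are matched case-insensitively
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "include.encrypt":
            patterns.append(value)
        else:
            options[name] = value
    return options, patterns


def audit(text, scheduled=False):
    """List findings; pass scheduled=True for cron or scheduler driven backups."""
    opts, patterns = parse_options(text)
    findings = []
    if opts.get("encryptiontype", "").upper() != "AES256":
        findings.append("ENCRYPTIONType is not AES256")
    key = opts.get("encryptkey", "").lower()
    if key not in ("prompt", "save"):
        findings.append("ENCRYPTKey is not set to prompt or save")
    if scheduled and key != "save":
        findings.append("scheduled backups need ENCRYPTKey save")
    if scheduled and opts.get("passwordaccess", "").lower() != "generate":
        findings.append("scheduled backups need PASSWORDAccess generate")
    if not patterns:
        findings.append("no include.encrypt entry: no files are selected for encryption")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DSM_SYS, scheduled=True):
        print("FINDING:", finding)
```

On a real client, read /opt/tivoli/tsm/client/ba/bin/dsm.sys as root and pass its contents to audit().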