FDRCRYPT Off-Site Recovery
Disaster recovery
To recover encrypted backups off-site, such as at a disaster recovery site:
- You must transport a current copy of the FDRCRYPT Encryption Keyfile to the recovery site. There are two ways to do this:
  - You can use FDRDSF to create an encrypted backup of the Encryption Keyfile, using a unique AES encryption key. This backup must be run after all other backups are complete, so that it records the keys of every backup taken. If this backup is on tape, transport it to the recovery site separately from the backups themselves. If the backup is on DASD, you may be able to transmit it to the recovery site by e-mail or FTP. At the recovery site, you must restore the encrypted backup, using its unique key, before you can restore any other backups recorded in it.
  - Alternately, if you have a mechanism for securely transporting the Encryption Keyfile directly to the recovery site, such as encrypted FTP, you can do so (make sure that the FTP encryption uses a strong algorithm, such as AES or TDES).
- Once you have the Encryption Keyfile restored, you can restore the encrypted backups that were recorded in it. Normally this does not require any special restore JCL as long as the name of the Encryption Keyfile is set in the FDR Global Options.
- Remember that if you restore the volume containing the Encryption Keyfile as part of your recovery, this restores a back-level version of that file, so you may need to restore the Encryption Keyfile backup again after restoring that volume to bring it up to date.
- If the Encryption Keyfile is not available, or not up to date, you can use master keys to restore the backups, if master keys were specified during the backup. We recommend using master keys.
- We recommend that the master key be stored in a secure location (such as a safe-deposit box) that can be accessed only if the Encryption Keyfile is not available.
- We also recommend that you do not routinely use master keys for off-site restores, to avoid exposing the master key to unauthorized individuals. Use the master keys only if the Encryption Keyfile cannot be used.
- The up-to-date Encryption Keyfile must be present in order to do ABR auto-recall from encrypted Archive backups.
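The key hierarchy that the checklist above relies on (data keys recorded in the Encryption Keyfile, the keyfile backed up under its own unique key, master keys as the fallback) is easier to reason about as a small model. The following Python is an added illustration written for this page; it is not FDRCRYPT code and does not reproduce FDRCRYPT's keyfile or backup formats. The function names, the SHA-256 XOR keystream standing in for AES, the HMAC on the keyfile backup, and the sample data are all assumptions of the model. It walks the scenarios described above: restoring from the current keyfile, the back-level keyfile that reappears when you restore the volume it lived on, and master-key recovery when no keyfile is available.

```python
"""Model of the off-site recovery flow: data keys in a keyfile, the keyfile backed up under a
unique key, master key as fallback. Constructed illustration, not FDRCRYPT's own code."""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream. Symmetric: the same call encrypts and
    decrypts. This stands in for AES in the model only; it is not a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def make_backup(keyfile: dict, name: str, data: bytes, master: Optional[bytes] = None) -> dict:
    """Dump `data` under a fresh data key. The key is recorded in the keyfile; if a master key
    is supplied, a copy of the data key wrapped under it travels with the backup itself."""
    data_key = secrets.token_bytes(32)
    keyfile[name] = data_key.hex()
    return {
        "name": name,
        "ciphertext": toy_cipher(data_key, data),
        "master_wrapped_key": toy_cipher(master, data_key) if master else None,
    }


def backup_keyfile(keyfile: dict, unique_key: bytes) -> dict:
    """Encrypted copy of the keyfile under its own unique key, with an HMAC so that a wrong
    key or a corrupted copy is rejected at the recovery site instead of yielding garbage."""
    body = toy_cipher(unique_key, json.dumps(keyfile, sort_keys=True).encode())
    return {"body": body, "tag": hmac.new(unique_key, body, "sha256").digest()}


def restore_keyfile(backup: dict, unique_key: bytes) -> dict:
    expected = hmac.new(unique_key, backup["body"], "sha256").digest()
    if not hmac.compare_digest(backup["tag"], expected):
        raise ValueError("keyfile backup: wrong unique key or corrupted copy")
    return json.loads(toy_cipher(unique_key, backup["body"]))


def restore(tape: dict, keyfile: Optional[dict] = None, master: Optional[bytes] = None) -> bytes:
    """Recover one backup: prefer the keyfile entry; fall back to the master key only when the
    keyfile has no entry for this backup and the backup carries a master-wrapped key."""
    if keyfile is not None and tape["name"] in keyfile:
        data_key = bytes.fromhex(keyfile[tape["name"]])
    elif master is not None and tape["master_wrapped_key"] is not None:
        data_key = toy_cipher(master, tape["master_wrapped_key"])
    else:
        raise LookupError(f"{tape['name']}: no usable key (no keyfile entry, no master key)")
    return toy_cipher(data_key, tape["ciphertext"])


def can_restore(tape: dict, keyfile: Optional[dict] = None, master: Optional[bytes] = None) -> bool:
    try:
        restore(tape, keyfile, master)
        return True
    except LookupError:
        return False


def dr_exercise() -> dict:
    """Walk the recovery scenarios from the text and report which ones succeed."""
    master = secrets.token_bytes(32)
    keyfile: dict = {}
    payroll = b"payroll records (constructed sample)"
    ledger = b"general ledger (constructed sample)"

    t1 = make_backup(keyfile, "APPVOL1", payroll, master)   # dumped with a master key
    back_level = dict(keyfile)   # the volume holding the keyfile is dumped at this point
    t2 = make_backup(keyfile, "APPVOL2", ledger)            # dumped without a master key
    unique_key = secrets.token_bytes(32)
    kf_backup = backup_keyfile(keyfile, unique_key)         # run after all other backups

    results = {}
    # At the recovery site: restore the keyfile first, then everything recorded in it.
    current = restore_keyfile(kf_backup, unique_key)
    results["keyfile_path"] = restore(t1, current) == payroll and restore(t2, current) == ledger
    # Restoring the volume that held the keyfile brings back the back-level copy, which
    # knows nothing about APPVOL2: the keyfile backup must be restored again afterwards.
    results["back_level_misses_later_backup"] = not can_restore(t2, back_level)
    # No keyfile at all: only backups dumped with a master key are recoverable.
    results["master_fallback"] = restore(t1, None, master) == payroll
    results["no_key_source"] = can_restore(t2, None, master)
    # A keyfile backup restored with the wrong unique key is refused, not silently wrong.
    try:
        restore_keyfile(kf_backup, secrets.token_bytes(32))
        results["wrong_unique_key_rejected"] = False
    except ValueError:
        results["wrong_unique_key_rejected"] = True
    return results


if __name__ == "__main__":
    for scenario, ok in dr_exercise().items():
        print(f"{scenario:34s} {'restored' if ok else 'NOT restored'}")
```

The model makes the two ordering rules concrete: the keyfile backup has to be the last backup taken, or the keys of later backups are simply not in it, and a keyfile that comes back as part of a volume restore is only as current as the moment that volume was dumped. It also shows why master keys matter: without one specified at backup time, a backup whose keyfile entry is lost cannot be recovered at all.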
At a disaster site, remember that you may need to restore your operating system before the full facilities of FDRCRYPT are available:
- FDR’s Stand Alone Restore (SAR) does not support encrypted backups.
- Although the “starter system” supplied by a disaster site may include FDR, it may not include FDRCRYPT. If you have a special backup of your own FDR program library, you can restore it on the starter system and authorize it.
- Even if you have FDRCRYPT on the starter system, you may not have the FDRCRYPT Encryption Keyfile available.
For all these reasons, we recommend that the backups of your system volumes should not use encryption, unless they also contain sensitive application data or other data that might compromise the integrity of your application data.
Leaving the disaster site
When you leave the disaster site, after a disaster test or a real disaster, you must be sure that all information related to your encrypted backups has been securely deleted. If you leave copies of your Encryption Keyfiles or your security system (for example, IBM RACF) database containing master keys on DASD at the disaster site, subsequent users of the site may be able to access your keys, putting your backups at risk.
Simply deleting the Encryption Keyfiles or security data, or re-initializing the DASD volumes, may not remove the data from the DASD volumes; a subsequent user may still be able to read the data tracks that contained your keys.
You may want to consider using a product such as BMC’s FDRERASE to quickly and securely erase all the DASD volumes that were used at the disaster site.
Also, remember that if you restored the Encryption Keyfile to a DASD volume belonging to the disaster site’s starter system, you must erase and delete that Encryption Keyfile before you leave as well. You may want to do this while still running under the starter system, before IPLing your own system.
This FDRCRYFM utility job overwrites an existing Encryption Keyfile and then deletes it (the JOB card is a placeholder to be replaced with your installation's standard; add a STEPLIB DD if the FDR program library is not in the linklist):
//ERASEKEY JOB (ACCT),'ERASE KEYFILE'
//* WARNING: THIS JOB ERASES ALL SAVED ENCRYPTION
//* KEYS IN THIS ENCRYPTION KEYFILE
//ERASE    EXEC PGM=FDRCRYFM
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=FDRABR.KEYFILE,DISP=(OLD,DELETE)
//SYSIN    DD *
  FORMAT RECS=1,ENABLE=ERASE
/*