Reservoir Vault Encryption


UPSTREAM Reservoir supports many of the same encryption techniques added to UPSTREAM z/OS v3.5.0.

UPSTREAM Encryption takes a vault tape and modifies the data in such a way that it is difficult or impossible to read without the key.  The key is stored (encrypted) in the local database so that restores are easy.  However, at a disaster site where the database holding the key is not available, several additional techniques are provided that allow access to the data.

Reservoir Encryption uses the AES standard levels of encryption for vaulted tapes.  Note that the lowest level of encryption supported by this facility is AES 128. 

Encryption is a separately licensed product - see your Innovation Data Processing Sales Representative about obtaining licensing for this facility.

To enable encryption in vaulting, in the Director Vault/Migrate/Copy tab, in the Operation Frame, press the Encryption button:


  • Use Encryption:  Check this box to have the vault encrypted.
  • AES Type/Strength:  This is the level of encryption.  The higher the level, the stronger the encryption, but the longer the encryption takes.  Options are 128 bits, 192 bits, and 256 bits.
  • Password Type:  This selects how the key that encrypts the data key stored on the tape is obtained.  If the database generated when the vault was created is available, you do not need to worry about this feature: all tapes can be restored, whether they are encrypted or not.  However, if you are concerned that the database may not be available, the options are:

    • Public/Private:  This is a very secure method in which the automatically generated random cipher key is encrypted with the public key and stored on the tape.  If you lose the database and the data must be decrypted, you will need the private key to recover the decryption key for the restore.  The public and private keys are generated with the CreateKeys program (below), and the public key must be stored in the file public.key in the Reservoir work path.  If you need to use the private key to regen the tape, it must be stored in the work path as private.key.
    • Master:  This is the method that UPSTREAM z/OS uses.  The automatically generated random cipher key for the encrypted data on tape is encrypted with the master.key file stored in the Reservoir work path and written to the tape.  Thus, to regen this tape, you must have the master.key file in the Reservoir work path.
    • Cipher:  The key is not stored on the tape.  You specify the key used to encrypt the backup as a string of hex numbers (like a1b2f501...).  For 128-bit encryption you specify 16 hex numbers, for 192-bit 24 hex numbers, and for 256-bit 32 hex numbers.  To regen the backup you will need to specify this exact key again.  If there is more than one backup file on that tape, specify all cipher keys used, separated by semicolons.
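As an added illustration (not Innovation Data Processing's code, and independent of how Reservoir itself stores these values), a small Python checker for the Cipher option's key string: it enforces the byte count each AES strength requires and the semicolon separation used when a tape holds more than one backup file, so a mistyped key is caught before a regen is attempted with it.

```python
import re

# Bytes in the data-encryption key for each AES strength offered in the
# Reservoir Encryption dialog (the "16, 24 or 32 hex numbers" of the page).
KEY_BYTES = {128: 16, 192: 24, 256: 32}

# An even-length run of hex digits, i.e. whole bytes such as "a1b2f501".
HEX_BYTES = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def parse_cipher_keys(spec: str, aes_bits: int) -> list[bytes]:
    """Parse a Cipher key string such as 'a1b2...;c3d4...' into raw keys.

    One key per backup file on the tape, separated by semicolons.  Each key
    must be exactly KEY_BYTES[aes_bits] bytes of hex.  Raises ValueError on
    any defect so the operator sees the problem instead of a failed regen.
    """
    if aes_bits not in KEY_BYTES:
        raise ValueError(f"unsupported AES strength {aes_bits}; use 128, 192 or 256")
    want = KEY_BYTES[aes_bits]
    keys = []
    for n, part in enumerate(spec.split(";"), start=1):
        part = part.strip()
        if not part:
            raise ValueError(f"key #{n} is empty (stray or trailing semicolon?)")
        if not HEX_BYTES.fullmatch(part):
            raise ValueError(f"key #{n} is not an even-length string of hex digits")
        key = bytes.fromhex(part)
        if len(key) != want:
            raise ValueError(f"key #{n} has {len(key)} bytes; AES-{aes_bits} needs {want}")
        keys.append(key)
    return keys


def format_cipher_keys(keys: list[bytes]) -> str:
    """Inverse of parse_cipher_keys: render keys in the dialog's hex;hex form."""
    return ";".join(k.hex() for k in keys)


def cipher_key_error(spec: str, aes_bits: int):
    """Return the validation message for a bad key string, or None if it is fine."""
    try:
        parse_cipher_keys(spec, aes_bits)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: two AES-128 keys for a tape holding two backup files.
    sample = "a1b2f501a1b2f501a1b2f501a1b2f501;00112233445566778899aabbccddeeff"
    for i, k in enumerate(parse_cipher_keys(sample, 128), start=1):
        print(f"backup file {i}: {len(k)}-byte key {k.hex()}")
    print(cipher_key_error("a1b2f5", 128))  # too short for AES-128
```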
