Skip to content

TSM Backup Client Encryption

Security Guidelines

If you store or process restricted data you need to make sure this data is encrypted when it is backed up.  This document explains how to configure the TSM clients to encrypt their backup traffic.

Please contact the storage team before making these changes to avoid problems.

The recommended versions of TSM:

  • Client:  TSM 5.5.x or later
  • Server:  TSM 5.5.x or later

TSM Client Encryption Setup

  1. Set up client options (dsm.sys for unix/linix/macos and dsm.opt for all others):
    ENCryptkey save

    <TYPE> ==> AES128 or DES56

    There is an ENCryptkey Generate setting but the storage group does not recommend using this since this is a relatively new function and it is unknown if it has any issues.

  2. The include/exclude list will determine what is to be encrypted and their retention.

    In this example all files will be encrypted and bound with management class named MGMTCLASS. Management classes are the retention policies defined on the TSM Server and will have a unique name. The default management class is used if nothing is stated in the include option.

    If it is unclear what management class is to be used here then please contact the Storage Group for assistance before proceeding.

         These are placed in the dsm.sys for unix/linix/macos and dsm.opt for all others or an include/exclude
    file for all platforms. :

    This option will be in the form:
    include.encrypt <filespec>

    For example for backup:
    include.backup "*" MGMTCLASS
    include.encrypt "*"

    Then all files will be encrypted and bound with mgmtclass called MGMTCLASS.
    MGMTCLASS are the retention policies defined on the TSM Server.
    The default mgmtclass is used if nothing is stated in the include option.

    If compression is also needed then (this may futher slow down the backup process):
    include.backup "*" MGMTCLASS
    include.encrypt "*"
    include.compression "*"
    COMPRESSAlways No

    The include/exclude can be defined at the file level and is bottom up processing.
    If archives are also done for this system then include.archive statements are also needed
    to encrypted archives.
  3. Once setup is complete run backup of one file for the encryption key to be prompted and saved. Encryption key can be up to 63 bytes in length with the following characters:

         Character 	Description
    AÐZ Any letter; A through Z, upper or lower case
    0Ð9 Any number; 0 through 9
    + Plus
    . Period
    _ Underscore
    - Hyphen
    & Ampersand
  4. When the encryption has been tested and verifed then start the TSM Scheduler.

         If you want to verify the encryption key set "ENCryptkey     prompt" and then restore. 
    and/or restore to another system with "ENCryptkey prompt".


  • If the encryption keys are lost the data will not be recoverable.
  • Even though the TSM.PWD file will save the encryption key, it is recommend that these key are also saved
    in at a different location. Windows system saves the key and password in the registry.
  • If you use multiple keys then this can slow down restore the way incremental backups are done in TSM.
  • Depending on how much data is to be encrypted this may put a heavy load on the system during backups.
  • If there is already data backed up this process only encrypts future backups.
  • It is strongly recommended that you contact the storage group with any questions before you start.

Need More Information?

Contact the Storage Group if you have any additional questions about the storage or backup service:

External Resources

Last modified: 06/03/2014 04:30:31 PM