The introduction of Robot Save 11 brings the topic of encryption to the discussion of backup and restore operations. Understanding the basics of encryption is the first step toward setting up a good encryption strategy. This document provides an overview of encryption and answers some frequently asked questions to help you get started protecting your critical data through encryption.
Encrypting data takes time and can increase your backup window.
This is true for most hardware and software encryption solutions. You need to think about what you really need to protect using encryption. What files are you required to protect? Consider privacy laws (such as HIPAA, Visa's Cardholder Information Security Program [CISP], and more), and the privacy of customers and employees when evaluating what you need to encrypt. Encrypting unnecessary objects (application programs, query definitions, SQL packages, QSYS objects, and so on) adds to the backup time and serves no useful purpose.
The level of encryption you select affects speed. The stronger the encryption, the slower the save/restore time. If you want the fastest save and restore time, use the lowest level of encryption that still provides the protection your data requires.
Not all software encryption solutions are the same.
Some are faster than others. Encryption solutions typically take from 2 to 100 times longer than a regular save. Robot Save has been benchmarked to perform better than the typical method of saving data to a save file, encrypting selected data, and then writing to tape. Encrypting your data using Robot Save will extend your backup time only 2 to 10 times.
Some solutions require you to write code. They give you just the encryption/decryption process. Robot Save does much more by managing your entire encryption environment:
Ease-of-use—You don't have to remember a bunch of steps to recover data. Robot Save handles it automatically.
Tape tracking—Robot Save tracks which tapes contain encrypted objects and which tapes you used last Thursday (or last month).
Restore tracking—Robot Save lets you know when files are restored to your system.
Security—Robot Save can secure who is allowed to change an encryption key (password).
Some encryption solutions require you, or a piece of hardware, to manage encryption keys (passwords). Robot Save manages keys for you. Select an object to restore and it applies the necessary key. If you use Robot Save for restoration, you don't have to remember which encryption key you used when you saved an object.
Q: I just want to be on the safe side. Aren’t there hardware solutions that handle encrypting everything that goes to tape?
A: Everyone wants their data to be safe. But, consider the following:
Will you ever need to restore that information to another machine for testing, upgrading, or disaster recovery? If so, you’ll need more than one piece of hardware. You’ll actually need identical hardware for each of those machines.
Do you ever upgrade tape drives to take advantage of higher speeds or compression? With a hardware encryption solution, you’re stuck with that speed and that level of compression. You can never upgrade to a faster or higher-density tape without buying the entire solution again, for all your machines (for example, production, development, and disaster recovery).
Will the hardware always be compatible with IBM Power Systems (System i, iSeries, AS/400) hardware running IBM i software (OS/400, i5/OS)? Robot Save will. IBM is moving to IOP-less cards in the new hardware. Not all tape drives can be used with the new hardware.
Hardware solutions can be expensive and less flexible. You can expect to pay between $15,000 and $50,000 per unit.
Q: At a disaster recovery site, do I need to install Robot Save before I can restore anything else?
A: No. You can choose how to handle the restore.
If you encrypt only selected objects, those are the only items that require you to use Robot Save commands to decrypt the saved objects. You can still restore all other objects before handling the restore of encrypted objects.
Restoring Robot Save first allows you to restore everything through the product. You don’t even have to remember the passwords (keys) used to encrypt the data. Robot Save keeps track of all your passwords for you. Hardware solutions usually require the encryption keys to be stored in an additional card on your system before you can restore objects.
Q: I can’t afford to add any time for encryption to my backup window.
A: Robot Save can help.
First, save the objects that you want to encrypt to a save file. After that save completes, allow your users back on the system. Then, use Robot Save to encrypt the save file as it’s saved to tape. Generally, a save to disk is faster than a save to tape, so the time your users are kept off the system could actually be shorter. (Note: Saving to a save file can increase your DASD usage.)
Robot Save provides you with three options for encryption:
Encrypt everything in a library—This adds the most time to a backup and uses the most additional disk space.
Encrypt selected objects in a library—This adds less time onto a backup and uses less disk space than encrypting every object.
Encrypt a selected list of objects using an object list—This allows you to customize your backup by selecting objects from multiple libraries, decreasing the backup time needed.
Other factors that also can affect backup times:
Size of your processor
Memory allocated to your save job
Level of encryption—Robot Save provides four levels of encryption (you select the level required to protect your data).
Medium—based on DES 56-bit encryption
High128—based on AES 128-bit encryption
High256—based on AES 256-bit encryption