Help/Systems recently enhanced Robot/SAVE to allow encryption directly to a physical or virtual tape device. This new feature can significantly reduce your DASD requirements when you are encrypting objects in large libraries. It is available with Release 11 Modification level 27.
In the past, the only way that Robot/SAVE could encrypt data was to save the entire library to a save file (SAVF) and then encrypt the objects you had selected for encryption as it wrote them to tape.
The new encrypt-direct-to-tape option eliminates the need to save data to a SAVF first. When Robot/SAVE backs up the objects you want encrypted, it automatically encrypts the entire library, not just the individual objects. As a result, Robot/SAVE now requires much less DASD to perform encryption. In our testing, we found that this resulted in enhanced performance. (Performance results depend on system configuration.)
To use the new feature, you must change the Robot/SAVE Defaults Setup (RBS900). Under “Encryption Defaults,” change “Direct to Tape Encryption” to Y (Yes). That’s all you need to do if you are currently using encryption!
Be aware that when you use the IBM DSPTAP command on an encrypted tape, the original library name displays, but the objects do not. Depending on which version of the OS you are running, one of the following messages displays:
- If you are using V5R4, the DSPTAP command shows the file label and the message, “File is not a Save/Restore file.”
- If you are using V6R1, the DSPTAP command shows the file label and the message, “Data encrypted or not save data.”
If you are not currently encrypting your backup data, you may be interested in these facts about encryption:
- Encrypting data takes time and can increase your backup window:
  - This is true for most hardware and software encryption solutions. You need to think about what you really need to encrypt. What files are you required to protect? Consider privacy laws (such as HIPAA, PCI, and more) and the privacy of customers and employees when evaluating what you need to encrypt. Encrypting unnecessary objects (application programs, query definitions, SQL packages, QSYS objects, and so on) adds to backup time and serves no useful purpose.
  - The level of encryption you select affects speed. The stronger the encryption, the slower the save/restore time.
- Not all software encryption solutions are the same:
  - Some solutions are faster than others. Encryption solutions typically take from 2 to 100 times longer than a regular save. Robot/SAVE performs better than typical methods of software encryption. Encrypting your data using Robot/SAVE extends your backup only 2 to 10 times.
  - Some solutions require you to write code. They give you just the encryption/decryption process. Robot/SAVE manages your entire encryption environment including:
    - Ease-of-use. You don’t have to remember a process to recover data; Robot/SAVE handles it automatically.
    - Tape tracking. Robot/SAVE tracks which tapes contain encrypted objects and which tapes you used last Thursday (or last month).
    - Restore tracking. Robot/SAVE lets you know when files are restored to your system.
    - Security. Robot/SAVE can secure who is allowed to change an encryption key (password).
  - Some encryption solutions require you, or a piece of hardware, to manage encryption keys (passwords). Robot/SAVE manages these keys for you. Select an object to restore and Robot/SAVE applies the necessary key. If you use Robot/SAVE for restoration, you don’t have to remember which encryption key you used when you saved an object.
- Certain factors can affect backup times when using encryption, including:
  - Processor type
  - Memory allocated to your save job
  - Run priority
  - System activity
  - Level of encryption. Robot/SAVE provides four levels of encryption (you select the level required to protect your data).
    - Low (Help/Systems proprietary algorithm)
    - Medium (DES 56-bit encryption)
    - High128 (AES 128-bit encryption)
    - High256 (AES 256-bit encryption)
Contributed by Sara Williams, Research Technical Consultant