07-23-2008 02:38 AM
We were notified that we are now required to encrypt every piece of media that leaves our site. We usually do an image backup of our system disk's shadow disk. Regarding a standalone backup, I have read that it will not understand the /ENCRYPT qualifier with the BACKUP command.
Can anyone guide me in taking encrypted backups?
07-23-2008 03:13 AM
Or reboot with a special VMS systemdisk for backup purposes.
To restore after a disaster you need a running VMS system (either install one from CD on a 2nd disk or have a preinstalled disk available).
07-23-2008 05:18 AM
In one site I was in, they addressed this problem (and tape encryption in general) by using hardware encryption.
In another site, they specifically addressed the system disk issue by making the system disk as static as possible (moving authorization files, proxy files, dump files, page/swap files, data files, applications, and all other sensitive data off the system disk) and then getting a special exemption from the auditors.
07-23-2008 05:29 AM
You'll also want to mention what OpenVMS version (V8.2 and later have the license for encryption, and V8.3 and later include encryption). Prior to V8.2, encryption is a separately-licensed and separately-installed product.
If you're referring to Standalone BACKUP, that implies this is OpenVMS VAX or OpenVMS Alpha prior to V6.1. OpenVMS Alpha V6.1 and later and OpenVMS I64 do not use Standalone BACKUP.
You can: acquire a tape drive device that encrypts. Depending on the support for the drive and how you load the key, this may be the easiest approach. (This also offloads the encryption off the host.)
You can: use a second and parallel system disk, and boot from that, and use the full capabilities of OpenVMS on that disk to BACKUP the primary system disk. In practice, you can often use one of your shadowset members of your existing system disk, split off from the shadowset. Or you can use a custom-built clean install. This allows access to the encryption product and its capabilities.
Or you can call in some help, and somebody to look at your hardware and software and how you store and manage your data. And to help you set up procedures that meet the intent of the data protection requirements.