Title: Native Encryption of Backup Data with IBM BRMS (5770BRX): Advanced Software-Based Protection for IBM i

Preface: The Imperative of Encrypting Data on Tape

In the digital age, data is one of the most valuable assets for any organization. Its loss or, worse, theft, can have devastating consequences: economic damage, loss of reputation, legal sanctions, and a breach of customer trust. Tape backups, while a fundamental component of disaster recovery strategies, represent a potential weak link if not adequately protected. A lost tape, one stolen during transit, or improperly disposed of, can fall into the wrong hands, exposing sensitive data. Encrypting backup data on tape is therefore not an option, but an essential necessity to mitigate these risks, ensure regulatory compliance (e.g., GDPR), and protect business integrity. In this article, when I mention the 5770BRX program product, I am referring to both 5770BR1 and 5770BR2, the new version of the BRMS to which I will dedicate a future article.

Introduction: IBM BRMS and the Challenge of Backup Security

IBM Backup, Recovery, and Media Services for i (BRMS), licensed product 5770BRX, is IBM's strategic solution for centralized and automated management of backup and recovery operations on IBM i platforms. Beyond its robust features for scheduling, media management, and recovery automation, BRMS offers a crucial, often underestimated capability: native backup data encryption.

While many encryption solutions for backups rely on dedicated hardware devices (such as LTO tape drives with encryption capabilities or external appliances), BRMS distinguishes itself by its ability to perform encryption directly at the software level, using the native encryption algorithms of the IBM i operating system.

Native Software-Based Encryption: The Unique Advantage of BRMS

The distinctive feature of BRMS in the context of backup data encryption lies in its purely software-based implementation, which leverages the cryptographic APIs (Application Programming Interfaces) integrated into the IBM i operating system. This approach offers several advantages:

1. Hardware Independence: There is no need to purchase specific tape drives with hardware encryption capabilities. BRMS can encrypt data on any IBM i-supported tape drive, offering greater flexibility and potential cost savings on infrastructure.
2. Deep Integration: Being a native IBM solution, encryption is deeply integrated with the operating system and BRMS logic. Encryption key management is handled via a secure keystore file (*SWF - Software Keystore File), managed within the IBM i environment.
3. Use of Standard and Robust Algorithms: BRMS supports industry-standard encryption algorithms, such as AES (Advanced Encryption Standard) with 128, 192, or 256-bit keys. These algorithms are widely recognized for their robustness and reliability.
4. Granular Control: Encryption can be enabled at the BRMS control group level, allowing selective decisions on which data requires cryptographic protection.

It is crucial to emphasize that, while other solutions might manage hardware encryption offered by tape drives, BRMS is the unique product that implements backup data encryption entirely via software, leveraging IBM i's native encryption algorithms. This means the encryption process occurs on the IBM i system's CPU before data is written to tape.

Configuring Encryption in BRMS

To enable software encryption in BRMS, you need to:

1. Have the 5770SS1 Option 47 "IBM i LPP Encrypted Backup Enablement" product installed.
2. Create a Keystore File (*SWF) using the CRTCKMKSF (Create Cryptographic Key Management Keystore File) command or use the default one provided by BRMS (e.g., QUSRBRM/Q1AKEYFILE).
3. Generate or import encryption keys into the keystore.
4. Associate the desired keystore and key with the BRMS control group you intend to encrypt. This association is done in the control group properties, specifying the keystore name and key label.

Once configured, BRMS will use the specified key to encrypt all data saved through that control group. During a restore operation, BRMS will automatically require the same key (or the keystore passphrase) to decrypt the data.

Supported Encryption Algorithms

BRMS, through IBM i's native capabilities, primarily supports the AES (Advanced Encryption Standard) algorithm. This standard is available with various key lengths:

• AES 128-bit: Offers a good balance between security and performance.
• AES 192-bit: Higher security than AES 128-bit.
• AES 256-bit: The highest level of security, recommended for highly sensitive data.

The choice of algorithm and key length will depend on specific security requirements and tolerance for performance impact.

Impact of Encryption on System Resources and Backup Times

The implementation of software encryption, while offering significant advantages in terms of security and flexibility, is not without its impact on system performance. It is crucial to understand and plan for these effects:

1. CPU Usage:
   Encryption is a computationally intensive process. Executing encryption algorithms (like AES) for every block of data to be saved significantly engages the IBM i system's CPU. The increase in CPU utilization will be directly proportional to the amount of data to be encrypted and the complexity of the chosen algorithm (e.g., AES 256-bit is more demanding than AES 128-bit). On older systems or those with already heavily utilized CPUs, this additional load could become a limiting factor. Newer POWER processors include hardware cryptographic accelerators that can partially mitigate this impact.
2. Main Storage (RAM)  Usage:
   The impact on Main Storage (RAM)   is generally less pronounced than on the CPU. However, additional buffers might be needed to manage data during the encryption and tape writing process. This is rarely a bottleneck on modern and correctly sized IBM i systems.
3. Lengthening of Backup Times:
   The most noticeable effect for system administrators will be the lengthening of the backup window. Since the CPU must dedicate cycles to encryption, the overall throughput of the save process can decrease. The extent of this elongation depends on multiple factors:
• CPU Power: Systems with more powerful and modern CPUs will handle the load better.
• Tape Drive Speed: If the tape drive is slow, encryption might not be the primary bottleneck. If the drive is very fast, the CPU might not be able to "keep up" with encryption, slowing down the entire process.
• Amount and Type of Data: More data to encrypt means more work for the CPU. Highly compressible data, if compressed before encryption (a standard option), reduces the amount of data on which to perform encryption.
• Algorithm Strength: AES-256 will require more time than AES-128.

It is crucial to perform thorough testing in a pre-production environment to quantify the specific impact of encryption on your systems and backup windows before implementing it in production. It may be necessary to revise backup scheduling or consider hardware upgrades if times lengthen unacceptably.

Key Management Considerations

The security of an encryption system depends entirely on the security of its keys. If encryption keys are lost or compromised, encrypted data could become unrecoverable or accessible to unauthorized third parties.
With BRMS and IBM i software encryption:

• The keystore file (*SWF) must be protected with a strong passphrase.
• It is absolutely critical to perform regular backups of the keystore file and store them in a secure location, separate from the encrypted backup tapes. Losing the keystore file without a valid backup means an inability to restore encrypted data.
• Carefully control access permissions to the keystore file and key management commands.

Conclusion

The native software encryption functionality offered by IBM BRMS (5770BRX) represents a powerful and flexible solution for protecting backup data on the IBM i platform. Distinguishing itself from purely hardware-based solutions, BRMS leverages the encryption algorithms integrated into the operating system, ensuring high integration and independence from specific peripherals. Although implementing encryption carries an inevitable impact on system resources (primarily CPU) and backup times, the benefits in terms of data security, regulatory compliance, and risk mitigation often outweigh these. Proper planning, thorough testing, and rigorous key management are essential for successfully implementing this fundamental protection measure.