If you would like to send your files to the HFS in an encrypted format, then they need to be selected for encryption using one of the following two sets of instructions. Note that the TSM encryption password, like the TSM password itself, has a maximum length of 63 characters and is case insensitive: valid characters are [a-zA-Z0-9+.-_&] i.e. any letter a-z upper or lower case, any number 0-9, plus, period, underscore, hyphen, ampersand.
2. Graphical User Interface (GUI)
Using the graphical user interface means that TSM will create the encryption rules for you, but you have to specify every file individually. Therefore you may not find this method practicable if you wish to encrypt a large number of files. Run TSM as appropriate to your operating system (via the Start menu on Windows, or via TSM Tools for Administrators on a Mac), and go Include-Exclude (tab). There you should select browse to the file that you want to encrypt, and then click
Please see the following sections for how to encrypt groups of files.
3. Editing configuration files
include.encrypt - for example, to select the file c:\data\encryptthis.txt for encryption, add:
include.encrypt "C:\My Documents\data\encryptthis.txt"
4. Further principles
More complicated and powerful rules can be written to select files for encryption, as detailed in the next two sections. The third section below explains the further options that can affect how the encryption is performed.
... (to substitute for directory names), * (for parts of filenames) and ? (for single characters of filenames). The basic syntax for using these characters may be gleaned from the following examples, which illustrate some of the possibilities offered. The principles are similar to those used for excluding files from backup (on which please see the page on how to exclude files and folders from backup).
* matches any number of any character, and the ? matches any single character. Note that the ? wildcards do not work with directory names. Thus to select for encryption any files whose names begin "encrypt" in the
include.encrypt C:\data\encrypt*
To encrypt a whole folder of files, use * to stand for every file - for instance, to encrypt every file within C:\data, no matter what its name, use
include.encrypt C:\data\*
This will only select for encryption the files directly within C:\data - not any of the sub-folders (or their files) that might be within C:\data. For example, the contents of a folder C:\data\moredata would not be selected for encryption using the above rule. See the next item for how to do this.
... wildcard. Thus to encrypt all the subdirectories and files that are within
include.encrypt C:\data\...\*
Another use of this type of wildcard would be for encrypting files in a sub-directory no matter where it is located on C: - for example, to encrypt the files within a directory called personal wherever it is on
?, as in
data02 and so on up to
C: drive, then you cannot do either of the following:
include.encrypt C:\data*\*
include.encrypt C:\data??\*
as the ? wildcards cannot be used in directory names or paths. To encrypt the contents of these directories, the user should move them to a unique directory under C:, for example C:\data, and then select that directory, as in the example already cited above:
There is also a second option, exclude.encrypt, which can be combined with include.encrypt and one or more of the wildcards. It is important to note in what follows that the list of includes and excludes is processed bottom up.
C:\data except the file
include.encrypt c:\data\*
exclude.encrypt c:\data\donotencryptthis.txt

include.encrypt C:\data\...\*
exclude.encrypt C:\data\*
This will exclude any file in the C:\data directory but will include for encryption any file in any subdirectory under C:\data. Note that the order is important: the exclude.encrypt directive must follow the include.encrypt directive in the configuration file - otherwise, the former (the exclude rule) will be ignored.
4.3. Other options
Authorization (tab), there are two encryption settings:
4.4. Interaction with other include-exclude rules
If you are using further rules in dsm.opt to exclude data from backup, note that these are independent of the encryption rules. For example, if you exclude everything from backup bar certain files (as per our section on how to exclude everything from backup except a specific directory/folder), and additionally you wish to encrypt those files, then you will need both
include.encrypt C:\data\...\*
exclude C:\...\*
include C:\data\...\*
Without the line include C:\data\...\*, all files would be excluded from backup - include.encrypt does not include files for backup, but only for encryption.
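To check a rule list before relying on it, the bottom-up ordering and the independence of backup and encryption rules described above can be modelled in a few lines of Python. This is an added example, not code from this page or from TSM. The function names are hypothetical, and it assumes that the first matching rule found when reading bottom up decides, that files are backed up unless excluded and unencrypted unless selected, and that Windows paths match case-insensitively.

```python
import re

DIRECTIVES = ("include", "exclude", "include.encrypt", "exclude.encrypt")

def to_regex(pattern):
    """'...' spans zero or more directories; '*' and '?' are accepted only in
    the final (filename) component. Assumption: Windows paths, case ignored."""
    parts = pattern.strip('"').split("\\")
    out = []
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "...":
            out.append(r"(?:[^\\]+\\)*")
            continue
        if not last and ("*" in part or "?" in part):
            raise ValueError("wildcard in directory name: " + pattern)
        name = "".join(r"[^\\]*" if c == "*" else r"[^\\]" if c == "?"
                       else re.escape(c) for c in part)
        out.append(name if last else name + r"\\")
    return re.compile("".join(out) + r"\Z", re.IGNORECASE)

def parse(text):
    rules = []
    for line in text.splitlines():
        directive, _, pattern = line.strip().partition(" ")
        if directive.lower() in DIRECTIVES:
            rules.append((directive.lower(), to_regex(pattern.strip())))
    return rules

def decide(rules, path, include, exclude, default):
    # Assumption: read bottom up, the first rule that matches decides.
    for directive, regex in reversed(rules):
        if directive in (include, exclude) and regex.match(path):
            return directive == include
    return default

def status(text, path):
    # Returns (backed_up, selected_for_encryption); the defaults are assumed.
    rules = parse(text)
    return (decide(rules, path, "include", "exclude", True),
            decide(rules, path, "include.encrypt", "exclude.encrypt", False))

# Constructed rule sets built from the directives shown on this page.
BOTH = "include.encrypt C:\\data\\...\\*\nexclude C:\\...\\*\ninclude C:\\data\\...\\*"
NO_INCLUDE = "\n".join(BOTH.splitlines()[:2])
SUBDIRS_ONLY = "include.encrypt C:\\data\\...\\*\nexclude.encrypt C:\\data\\*"
SWAPPED = "\n".join(reversed(SUBDIRS_ONLY.splitlines()))

if __name__ == "__main__":
    print([status(r, r"C:\data\top.txt") for r in (BOTH, NO_INCLUDE, SUBDIRS_ONLY, SWAPPED)])
```

A result of (False, True) means the file matches an include.encrypt rule but is never backed up, so nothing is sent; a rule with * or ? in a directory name is rejected with ValueError.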