I occasionally hear TSM customers and sales reps tell me that TSM’s tape format is so proprietary that even a TSM server can’t read it if it doesn’t have the database for it. In other words, some people believe that TSM tapes don’t need to be encrypted because if someone got ahold of them, they couldn’t read them without the TSM database. This is such a common belief that I have a TSM field manual from 2005 that says “There is no way to restore TSM backups (except for client backup sets) without the database.” I would say that sentence would be correct if you added the phrase “in TSM” right after the phrase “TSM backups.” I know of four different ways to read TSM tapes without using TSM at all.
I’m not picking on TSM, here. Everybody else’s tapes can be read without their catalog, too. It’s just that I hear way too often that TSM customers don’t need encryption because you can’t read TSM tapes without the database. So I wanted to set the record straight.
TSM’s tape format is indeed proprietary. IBM doesn’t publish the format and they often tout this as a feature, as I mentioned in the summary paragraph. That just means that someone would have to do some hard work to read it. Well, two commercial products and one open source product have done just that.
This product is a disk target for backups that performs deduplication. In order to do that, it actually deciphers the backups sent to it. In other words, it takes the backup stream and turns it back into the files that comprise that stream. It then compares those files for dedupe purposes. (They’re also looking at adding full text search.)
This is an open-source product that can perform file-based restores from a TSM tape without using TSM at all.
IBM has a service for “salvaging” data off TSM tapes whose database entries are gone. They don’t guarantee success, but the mere fact that they CAN demonstrates finally that TSM tapes can be read without the database.
Translation: if you don’t want them to be read, use encryption.
----- Signature and Disclaimer -----
Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Architect at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.