Changing storage space encryption during a restore

When storage space encryption is enabled, storage spaces are restored with the same encryption state as during the back up, by default. However, you can specify to restore storage spaces as encrypted or unencrypted.

The encryption state of storage spaces on disk does not affect the encryption state of backups. Storage spaces that are encrypted on disk are decrypted before they are sent to the backup front end (on-Bar/ontape). To encrypt the backup, you can use the Integrated backup encryption feature. When you restore a storage space that was encrypted on disk before its backup, the storage space is encrypted during the restore, unless you specify to restore the space as unencrypted. Similarly, you can restore a storage space that was not encrypted on disk by specifying to encrypt the space during the restore.

You can choose to restore some or all storage spaces as encrypted or unencrypted.

The following table shows the ways you can encrypt and decrypt storage spaces during a restore with the ON-Bar or ontape utilities when storage space encryption is enabled.

Table 1. Storage space encryption options during a restore
Task Method
Encrypt or decrypt all existing storage spaces Run a full restore with the -encrypt or -decrypt option.
Encrypt or decrypt critical storage spaces Run a cold restore with the -encrypt or -decrypt option and specify the spaces with the -D option.
Encrypt or decrypt some non-critical storage spaces Run a warm restore with the -encrypt or -decrypt option and specify the spaces with the -D option.
Encrypt or decrypt all storage spaces for a tenant database (ON-Bar only) Run a tenant restore with the onbar -T command and include the -encrypt or -decrypt option.
Encrypt or decrypt storage spaces that are created by a roll-forward of logical logs Include the rollfwd_create_dbs=encrypt or rollfwd_create_dbs=decrypt option in the DISK_ENCRYPTION configuration parameter value.

When you run a full or a cold restore, new keystore and stash files are created. If you receive an error message that the restore failed because of existing keystore and stash files, follow the instructions in the message and rerun the restore.

During an external restore, storage spaces are restored to the same encryption state as during the backup. You cannot change the encryption state of storage spaces during an external restore.

When storage space encryption is not enabled, you see the following behavior:

  • If you attempt to encrypt storage spaces during a restore with the -encrypt option, the restore fails.
  • If you restore encrypted storage spaces, the storage spaces are restored as unencrypted.

Examples

The following command encrypts all existing storage spaces during a whole-system restore:

onbar -r -encrypt -w

The following command encrypts two storage spaces during a physical restore:

ontape -p -encrypt -D space1 space2 

The following command decrypts all storage spaces that belong to a tenant database:

onbar -T tenant1 -decrypt -t "08-08-2016 00:00:00" 

Copyright© 2019 HCL Technologies Limited