In order to perform an encrypted transfer of files, you have to enter
in the configuration file (dsm.sys/dsm.opt) (suitably replace dateiname_oder_muster).The file name can, as the include-exclude-list, contain wildcards. Make sure to note that a corresponding INCLUDE-parameter has to be in place for the INCLUDE.ENCRYPTION-parameter to apply. All files, to which an INCLUDE- and an INCLUDE.ENCRYPTION-statement applies, will be transferred in encrypted form.
By default, a 56-bit-DES encryption is used. Aside from this encryption, a stronger and faster 128-bit-AES encryption can be used as of TSM client version 5.3. The encryption method can be shiftet from 56-bit-DES to 128-bit-AES in the configuration file 'dsm.sys/dsm.opt' by entering
In order to encrypt the files, it is required to enter a key (encryption password). In the event of loss of the key, the encrypted files can no longer be restored. It is not possible to reset or readout the key on server side.
After activating the encryption, an encryption password has to be set before the next automatic backup. In order to do so, a file, that has not yet been backed up and activated for the encryption, has to be manually (per TSM-GUI or command line) backed up. In this process, you are asked to enter an encryption password which will automatically be saved on the local system (in encrypted form). Subsequently, after restarting the TSM scheduler, the encryption should also work for the automtaic backup.
Using the graphical user interface means that TSM will create the encryption rules for you, but you have to specify every file individually. Therefore you may not find this method practicable if you wish to encrypt a large number of files. Run TSM as appropriate to your operating system (via the Start menu on Windows, or via TSM Tools for Administrators on a Mac), and go Edit > Preferences > Include-Exclude (tab). There you should select Category 'Backup', Type Include.Encryption, browse to the file that you want to encrypt, and then click Add.
Since version 7.1.1 TSM also supports AES256 (where AES128 is still the default setting).
For more information: