IBM DS8880 Encryption for data at rest and Transparent Cloud Tiering (DS8000 Release 8.5)

IBM DS8880 Encryption for data at rest and Transparent Cloud Tiering (DS8000 Release 8.5)

by Andreas Reinhardt, Bert Dufrasne
Released April 2019
Publisher(s): IBM Redbooks
ISBN: 9780738457567

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

-update for Release 8.5 -
IBM experts recognize the need for data protection, both from hardware or software failures, and also from physical relocation of hardware, theft, and retasking of existing hardware.

The IBM DS8880 supports encryption-capable hard disk drives (HDDs) and flash drives. These Full Disk Encryption (FDE) drive sets are used with key management services that are provided by IBM Security Key Lifecycle Manager software or Gemalto SafeNet KeySecure to allow encryption for data at rest on a DS8880. Use of encryption technology involves several considerations that are critical for you to understand to maintain the security and accessibility of encrypted data.

The IBM Security Key Lifecycle Manager software also supports Transparent Cloud Tiering (TCT) data object encryption, which is part of this publication. With TCT encryption, data is encrypted before it is transmitted to the Cloud. The data remains encrypted in cloud storage and is decrypted after it is transmitted back to the DS8000®.

This IBM Redpaper™ publication contains information that can help storage administrators plan for disk and TCT data object encryption. It also explains how to install and manage the encrypted storage and how to comply with IBM requirements for using the IBM DS8000 encrypted disk storage system.

This edition focuses on IBM Security Key Lifecycle Manager Version 3.0 which enables support Key Management Interoperability Protocol (KMIP) with the DS8000 Release 8.5 code or later and updated GUI for encryption functions. The publication also discusses support for data at rest encryption with Gemalto SafeNet KeySecure Version 8.3.2.

Table of contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Summary of changes
    1. April 2019, Eighth Edition
  5. Chapter 1. Encryption overview
    1. 1.1 Business context
      1. 1.1.1 Threats and security challenges
      2. 1.1.2 Need for data at rest encryption
      3. 1.1.3 Need for Transparent Cloud Tiering Encryption
    2. 1.2 Encryption concepts and terminology
      1. 1.2.1 Symmetric key encryption
      2. 1.2.2 Asymmetric key encryption
      3. 1.2.3 Hybrid encryption
      4. 1.2.4 Communication protocols IPP, SSL/TLS V1.2, and KMIP
    3. 1.3 Encryption challenges
    4. 1.4 Key Lifecycle Manager
      1. 1.4.1 IBM Security Key Lifecycle Manager features overview
      2. 1.4.2 New in IBM Security Key Lifecycle Manager V3.0
      3. 1.4.3 Key serving
      4. 1.4.4 How to protect IBM Security Key Lifecycle Manager data
      5. 1.4.5 IBM Security Key Lifecycle Manager for open systems
    5. 1.5 IBM Security Key Lifecycle Manager for z/OS
      1. 1.5.1 IBM Security Key Lifecycle Manager for z/OS components
      2. 1.5.2 Functions that are performed by IBM SKLM for z/OS
      3. 1.5.3 Preventing a deadlock situation
      4. 1.5.4 Installing the IBM Security Key Lifecycle Manager for z/OS and keystores
    6. 1.6 Gemalto SafeNet KeySecure
  6. Chapter 2. IBM DS8000 encryption mechanisms
    1. 2.1 DS8000 data at rest disk encryption
    2. 2.2 IBM SKLM key management for data at rest encryption
    3. 2.3 IBM SKLM Encryption key management for TCT encryption
    4. 2.4 SafeNet KeySecure key management with KMIP
    5. 2.5 Encryption deadlock
    6. 2.6 Working with a recovery key
      1. 2.6.1 Recovery key management
      2. 2.6.2 Disabling or enabling a recovery key
    7. 2.7 Dual key server support
  7. Chapter 3. Planning and guidelines for IBM DS8000 encryption
    1. 3.1 About certificates
    2. 3.2 Planning and implementation process flow
    3. 3.3 Encryption-capable DS8000 ordering and configuration
    4. 3.4 Licensing
    5. 3.5 Requirements for encrypting storage
    6. 3.6 Advice for encryption in storage environments
      1. 3.6.1 Using LDAP authentication
      2. 3.6.2 Availability
      3. 3.6.3 Encryption deadlock prevention
    7. 3.7 Multiple IBM Security Key Lifecycle Managers for redundancy
  8. Chapter 4. IBM DS8000 encryption implementation
    1. 4.1 Installing IBM SKLM V3.0 in silent mode
      1. 4.1.1 Before you start the installation
      2. 4.1.2 Silent mode installation on Linux
      3. 4.1.3 Installing Fix Pack 1 (or later) for Security Key Lifecycle Manager V3.0
    2. 4.2 WebSphere, Java and SKLM hardening
      1. 4.2.1 WebSphere Application Server hardening
      2. 4.2.2 Java hardening
      3. 4.2.3 SKLM hardening
    3. 4.3 IBM Security Key Lifecycle Manager V3.0 configuration
      1. 4.3.1 Creation of the SSL/KMIP Server Certificate
      2. 4.3.2 Backup and restore
      3. 4.3.3 Migration backup and restore operations for earlier versions of IBM Security Key Lifecycle Manager and IBM Tivoli Key Lifecycle Manager
      4. 4.3.4 Setting up remote replication between SKLM key servers
      5. 4.3.5 Setting up a Multi-Master environment with two SKLM key servers
      6. 4.3.6 Defining DS8000 in SKLM for data at rest encryption
    4. 4.4 Configuring SafeNet KeySecure for data at rest encryption
      1. 4.4.1 Configuration
    5. 4.5 SKLM configuration for TCT encryption
      1. 4.5.1 DS8000 TCT encryption communication certificate (GEN2) export
      2. 4.5.2 DS8000 TCT encryption communication certificate (GEN2) import
    6. 4.6 DS8000 GUI configuration for data at rest encryption
      1. 4.6.1 Applying the drive encryption authorization license key
      2. 4.6.2 Assigning additional storage and Security Administrators
      3. 4.6.3 Creating the recovery key
      4. 4.6.4 DS8000 enabling data at rest encryption
      5. 4.6.5 Configuring and administering encrypted arrays, ranks, and extent pools
    7. 4.7 DSCLI configuration for data at rest and TCT encryption
      1. 4.7.1 Configuring the key server connection
      2. 4.7.2 Managing the recovery keys
      3. 4.7.3 Configuring encryption key groups for data at rest and TCT encryption
      4. 4.7.4 Applying the encryption activation key
    8. 4.8 Data at rest encryption and Copy Services functions
    9. 4.9 NIST SP 800-131a requirements for key servers
      1. 4.9.1 Configuration steps for changing SKLM to use TLS 1.2
    10. 4.10 Migration from Gen-1 to a Gen-2 certificate for encryption
    11. 4.11 Using a custom generated Gen-1 or Gen-2 certificate
      1. 4.11.1 Configuring a Custom Certificate via DSGUI
      2. 4.11.2 Configuring a custom certificate via DSCLI
  9. Chapter 5. Maintaining the IBM DS8000 encryption environment
    1. 5.1 Rekeying the data key for data at rest encryption
      1. 5.1.1 Rekey the data key when using the IPP protocol
      2. 5.1.2 Rekey the data key when using the KMIP protocol
    2. 5.2 Recovery key use and maintenance
      1. 5.2.1 Validating or testing a recovery key
      2. 5.2.2 Using the recovery key in an emergency-deadlock situation (recovery action)
      3. 5.2.3 Rekeying the recovery key
      4. 5.2.4 Deleting or deconfiguring a recovery key
    3. 5.3 Recovery key state summary
  10. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. Help from IBM
  11. Back cover

Product information

  • Title: IBM DS8880 Encryption for data at rest and Transparent Cloud Tiering (DS8000 Release 8.5)
  • Author(s): Andreas Reinhardt, Bert Dufrasne
  • Release date: April 2019
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738457567