To use encryption on the system, you must purchase an encryption license, activate the license on the system, enable encryption, and create copies of the keys. If you have not purchased a license, contact a customer representative to purchase an encryption license.

To use encryption on the system, an encryption license is required for each enclosure that supports encryption. Only certain models support encryption.

The system supports optional encryption of data at rest. This support protects against the potential exposure of sensitive user data and user metadata that is stored on discarded, lost, or stolen storage devices. If you add a new control enclosure to a system that has encryption already enabled, the control enclosure must also be licensed.
Accessing an encrypted system
Planning for encryption involves purchasing a licensed function and then activating and enabling the function on the system. The system supports two methods of configuring encryption. You can use USB flash drives that contain encryption keys, or use a centralized key server to create and manage keys. Both of these methods can be enabled at the same time to provide redundancy.
To encrypt data that is stored on drives, the control enclosure to which the drives are connected must contain an active license and be configured to use encryption. When encryption is activated and enabled on the system, valid encryption keys must be present on the system whenever the system unlocks the drives or the user generates a new key. If USB encryption is enabled on the system, the encryption key must be stored on USB flash drives that contain a copy of the key that was generated when encryption was enabled. If key server encryption is enabled on the system, the key is retrieved from the key server.
If you are using encryption to protect data that is copied to cloud storage, the cloud account is always synchronized with the system encryption settings. If both USB flash drives and key servers are configured, the cloud account that is created supports both of these methods. If just one encryption method is configured and the other is disabled, the cloud account supports encryption with the remaining configured encryption method. To ensure that the cloud account supports encryption, one or both methods must be configured with active keys when the cloud account is created.

If a cloud account is created with one encryption method, you can configure the second method later, but the cloud account must be online while the configuration occurs. After the second method is configured, the cloud account supports both key providers.
Before you activate and enable encryption, you must determine the method of accessing key information during times when the system requires an encryption key to be present. The system requires an encryption key to be present during the following operations:
- System power-on
- System restart
- User-initiated rekey operations
- System recovery
- Removal or replacement of self-encrypting drives
Several factors must be considered when planning for encryption:
- The correct hardware model is installed.
- Physical security of the system
- Need and benefit of manually accessing encryption keys when the system requires them
- Availability of key data
- Encryption license is purchased, activated, and enabled on the system
- If you are using IBM Security Key Lifecycle Manager to create and manage keys, ensure that you are using version 2.7.0 or later, which supports multiple master key servers that automatically replicate keys to all configured key servers. The system also supports one master (primary) key server and secondary key servers; however, replication is then a manual process, and during rekey operations the keys are not available until replication is completed.
- If you are using Gemalto SafeNet KeySecure key servers to create and manage keys, determine whether the system needs a user name and password to authenticate to the KeySecure key servers. If you plan to use a user name and password to authenticate the system to these key servers, you must configure user credentials for authentication in the KeySecure interface. For KeySecure versions 8.10 and later, administrators can configure a user name and password to authenticate the system when it connects. Before KeySecure version 8.10, the use of a password is optional.
Encryption using USB flash drives
You can use USB flash drives to enable encryption and copy a key to the system. You must create system encryption keys and write those keys to all USB flash drives. Two options are available for accessing key information on USB flash drives:
- USB flash drives are left inserted in the system at all times: If you want the system to restart automatically, a USB flash drive must be left inserted in all the canisters on the system. When you power on, all canisters then have access to the encryption key. This method requires that the physical environment where the system is located is secure. A secure location prevents an unauthorized person from making copies of the encryption keys, stealing the system, or accessing data that is stored on the system. If a USB flash drive that contains valid encryption keys is left inserted in both canisters, the system always has access to the encryption keys and the user data on the drives is always accessible.
- USB flash drives are not left inserted in the system except as required: For the most secure operation, do not keep the USB flash drives inserted in the canisters on the system. However, this method requires that you manually insert the USB flash drives that contain copies of the encryption key into the canisters during operations in which the system requires an encryption key to be present. USB flash drives that contain the keys must be stored securely to prevent theft or loss. During operations in which the system requires an encryption key to be present, the USB flash drives must be inserted manually into each canister so that data can be accessed. After the system completes unlocking the drives, the USB flash drives must be removed and stored securely to prevent theft or loss.
Encryption using key servers
A key server is a centralized system that generates, stores, and sends encryption keys to the system. If the key server provider supports replication of keys among multiple key servers, you can specify up to four key servers that connect to the system over either a public network or a separate private network. The system supports IBM Security Key Lifecycle Manager or Gemalto SafeNet KeySecure key servers to handle key management on the system. Both of these supported key server management applications create and manage cryptographic keys for the system and provide access to these keys through a certificate. Only one type of key server management application can be enabled on the system at a time. Authentication takes place when certificates are exchanged between the system and the key server. Certificates must be managed closely because expired certificates can cause system outages. Key servers must be installed and configured before they are defined on the system.

IBM Security Key Lifecycle Manager key servers support Key Management Interoperability Protocol (KMIP), which is a standard for encryption of stored data and management of cryptographic keys.
The system supports different types of key server configurations on IBM Security Key Lifecycle Manager. The following configurations are supported:
- One primary (master) key server and several secondary key servers: IBM Security Key Lifecycle Manager key servers designate one master or primary key server, which can have up to three secondary key servers (also known as clones) defined. These additional key servers provide more paths for delivering keys to the system; however, during rekeying only the path to the primary key server is used. When the system is rekeyed, secondary key servers are unavailable until the primary key server replicates the new keys to these secondary key servers. The time it takes to replicate the key to a secondary key server depends on the amount of key and certificate information that is being replicated, and replication must complete before keys can be used on the system. You can either schedule automatic replication or complete it manually with IBM Security Key Lifecycle Manager. During replication, key servers are not available to distribute keys or accept new keys. The total time that a replication takes on the IBM Security Key Lifecycle Manager depends on the number of key servers that are configured as clones. If replication is triggered manually, the IBM Security Key Lifecycle Manager issues a completion message when the replication completes. Verify that all key servers contain replicated key and certificate information before keys are used on the system.
- Multiple master key servers: Key servers can be configured in a multi-master configuration where each key server has the ability to create new encryption keys. In this instance, any server can be set as the primary key server. The primary key server is the key server that the system uses when you create any new key server encryption keys. If multi-master mode is enabled on the IBM Security Key Lifecycle Manager, the key is immediately replicated to the other key servers in the configuration.

For more information about the supported versions, see the IBM Security Key Lifecycle Manager IBM Knowledge Center.
When you create key server objects on the system for IBM Security Key Lifecycle Manager key servers, you must also create a device group, in addition to providing the name, IP address, port, and certificate information. The device group is a collection of security credentials (including keys and groups of keys) that allows for restricted management of subsets of devices within a larger pool. If you are using the default settings, the system must be defined on the key server in the SPECTRUM_VIRT device group. If the SPECTRUM_VIRT device group does not exist on the key server, it must be created based on the GPFS device family. If you are configuring multiple key servers, the SPECTRUM_VIRT device group must be defined on the primary and all additional key servers.
Gemalto SafeNet KeySecure key servers also support KMIP. They create keys on demand and then share them with the other clustered servers, providing redundant access. The system supports different types of configurations on KeySecure key servers. The following configurations are supported:
- KeySecure key servers use an active-active model, where multiple key servers provide redundancy. One KeySecure key server must be specified as the primary key server. The primary key server is the key server that the system uses when you create any new encryption keys. The key is immediately replicated to the other key servers in the KeySecure cluster. All of the KeySecure key servers that are defined on the system can be used to retrieve keys. Although it is possible to configure a single key server instance with KeySecure, two key servers are recommended to ensure availability of keys if one key server experiences an outage.
- The system supports up to four key servers with KeySecure. If the system is accessing multiple key servers, they must belong to the same cluster of KeySecure key servers.
Encryption technology
Data encryption is protected by the Advanced Encryption Standard (AES) algorithm that uses a 256-bit symmetric encryption key in XTS mode, as defined in the IEEE 1619-2007 standard and NIST Special Publication 800-38E as XTS-AES-256. That data encryption key is itself protected by a 256-bit AES key wrap of a key derived from the access key stored on the USB flash drive. The wrapped key is stored in the system in non-volatile form.
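The key hierarchy described above (a data encryption key that is wrapped under a key-encrypting key derived from the access key on the USB flash drive, with only the wrapped form stored in non-volatile memory) is easier to reason about when the wrapping step is visible. The following Go program is an added example, not the product's own implementation and not code from the page: it assumes the "256-bit AES key wrap" is the RFC 3394 AES Key Wrap algorithm with a 256-bit key-encrypting key, derives that KEK from the access key with a single HMAC-SHA256 step (the page does not state the actual derivation, so this is an assumption), wraps a constructed 64-byte XTS-AES-256 data key, and shows that unwrapping with a KEK derived from the wrong access key fails the algorithm's built-in integrity check. The wrap routine is checked against the RFC 3394 section 4.1 test vector; the 0x42-filled data key and the access key strings are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Default initial value from RFC 3394. After unwrapping, the recovered value must
// equal this constant, which is what makes a wrong key-encrypting key detectable.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// deriveKEK turns the access key (the secret held on the USB flash drive) into a
// 256-bit AES key-encrypting key. The page does not specify the derivation; one
// HMAC-SHA256 step under a fixed label is an assumption made for this example.
func deriveKEK(accessKey []byte) []byte {
	mac := hmac.New(sha256.New, accessKey)
	mac.Write([]byte("example-kek-derivation-label"))
	return mac.Sum(nil)
}

// aesKeyWrap implements RFC 3394 AES Key Wrap over the standard library AES block
// cipher. plaintext must be a multiple of 8 bytes and at least 16 bytes long.
func aesKeyWrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext)%8 != 0 || len(plaintext) < 16 {
		return nil, errors.New("key to wrap must be a multiple of 8 bytes and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := make([]byte, 8)
	copy(a, kwIV)
	r := make([]byte, len(plaintext))
	copy(r, plaintext)
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 1; i <= n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Encrypt(buf, buf) // B = AES(K, A | R[i])
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^t) // A = MSB64(B) ^ t
			copy(r[(i-1)*8:i*8], buf[8:])                                         // R[i] = LSB64(B)
		}
	}
	return append(a, r...), nil
}

// aesKeyUnwrap inverts aesKeyWrap and fails when the integrity check does not match,
// which is the observable result of a KEK derived from the wrong access key.
func aesKeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, errors.New("wrapped key has an invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := make([]byte, 8)
	copy(a, wrapped[:8])
	r := make([]byte, n*8)
	copy(r, wrapped[8:])
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^t)
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Decrypt(buf, buf) // B = AES^-1(K, (A ^ t) | R[i])
			copy(a, buf[:8])
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	if !hmac.Equal(a, kwIV) {
		return nil, errors.New("integrity check failed: wrong key-encrypting key or corrupted wrapped key")
	}
	return r, nil
}

// selfTest checks aesKeyWrap against the RFC 3394 section 4.1 test vector.
func selfTest() error {
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	data, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	want, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
	got, err := aesKeyWrap(kek, data)
	if err != nil {
		return err
	}
	if !bytes.Equal(got, want) {
		return errors.New("RFC 3394 test vector mismatch")
	}
	return nil
}

func main() {
	if err := selfTest(); err != nil {
		panic(err)
	}
	// Constructed values: a 64-byte XTS-AES-256 data key (two 256-bit halves) and
	// a stand-in for the access key that would be read from the USB flash drive.
	dataKey := bytes.Repeat([]byte{0x42}, 64)
	accessKey := []byte("constructed-usb-access-key")
	wrapped, err := aesKeyWrap(deriveKEK(accessKey), dataKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped data key (%d bytes, storable in non-volatile memory): %x\n", len(wrapped), wrapped)
	if _, err := aesKeyUnwrap(deriveKEK([]byte("wrong-access-key")), wrapped); err != nil {
		fmt.Println("unwrap with the wrong access key:", err)
	}
	recovered, err := aesKeyUnwrap(deriveKEK(accessKey), wrapped)
	if err != nil {
		panic(err)
	}
	fmt.Println("unwrap with the right access key recovers the data key:", bytes.Equal(recovered, dataKey))
}
```

The point the example makes about the planning decisions earlier on the page: the 72-byte wrapped blob is useless without the access key, so it can sit in non-volatile storage, while the access key on the USB flash drive is the value whose availability (drive left inserted, or inserted on demand) and physical protection the planning sections are actually about.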
Note: The Lenovo Storage V5030 Encryption Enablement feature and the Encryption USB Drive Pack feature are not available in the following countries: