Planning for encryption

Planning for encryption involves purchasing a licensed function and then activating and enabling the function on the system. Either USB encryption or key server encryption can be enabled on the system. The system supports IBM Security Key Lifecycle Manager version 2.6.0 or later for enabling encryption with a key server.

To encrypt data that is stored on drives, the control enclosure on which they are connected must contain an active license and be configured to use encryption. When encryption is activated and enabled on the system, valid encryption keys must be present on the system when the system unlocks the drives or the user generates a new key. If USB encryption is enabled on the system, the encryption key must be stored on USB flash drives that contain a copy of the key that was generated when encryption was enabled. If key server encryption is enabled on the system, the key is retrieved from the key server.

Lenovo Storage V5030 supports optional encryption of data at rest. Encryption protects against the potential exposure of sensitive user data that is stored on discarded, lost, or stolen storage devices. This system requires an encryption license for each enclosure that supports encryption.

Before you activate and enable encryption, you must determine the method of accessing key information during times when the system requires an encryption key to be present. The system requires an encryption key to be present during the following operations:

System power-on
System restart
User initiated rekey operations

Several factors must be considered when planning for encryption.

The correct hardware model is installed.
Physical security of the system
Need and benefit of manually accessing encryption keys when the system requires
Availability of key data
Encryption license is purchased, activated, and enabled on the system

Key server encryption

Key servers provide useful features that make them desirable to use such as being responsible for encryption key generation, backups, and following an open standard that aids interoperability. When planning for key server encryption, the following items are important to consider.

SSL certificates: Certificates are the primary method that the key server uses to authenticate a client (for example, Lenovo Storage V series), and that the client uses to authenticate the key server in order to verify that access to the keys stored in the key server is permitted. The authentication of the client ensures that the key server does not give access to keys to any party that is not trusted. The authentication of the key server ensures that the client does not ask for sensitive keys to be stored by a party that is not trusted. A Lenovo Storage V series system requires a server certificate to allow it to communicate with the IBM Security Key Lifecycle Manager server. As part of the process of provisioning a key server, the user must export the certification authority (CA) certificate required to authenticate the key server's certificate and install it in Lenovo Storage V series. All of the IBM Security Key Lifecycle Manager key servers can be configured to use a single CA certificate (which is used for all key severs) or configured so that each individual key server has its own self-signed certificate. Furthermore, the user must install the system certificate onto each key server, and the IBM Security Key Lifecycle Manager administrator can then accept the certificate to grant Lenovo Storage V series access to the key server. Implementation of key server encryption requires that there be an external key server to generate keys and act as a repository for those keys.

Lenovo Storage V series requirements: Only one type of key server is supported at this time. Lenovo Storage V series implements the Key Management Interoperability Protocol (KMIP) that is sent over an SSL connection between the client and the server. Support is provided for self-signed and CA-signed certificates. Lenovo Storage V series validates the server's KMIP certificate and conforms to the KMIP standard. Existing SAS hardware needs access to at least one master key to unlock and needs to be able to respond to key server master keys. Enabling key servers for the first time is a simple procedure. Once key server encryption is enabled, the type can be configured and enabled, server end-points can be created, and then the keys can be prepared and committed.

Security requirements: Security of all key server communications is governed by the TLS 1.2 protocol. Encryption keys are clustered in the system using TLS 1.2. Lenovo Storage V series uses AES-128 encryption that uses OpenSSL library interfaces.

IP addresses and ports

All nodes that want to communicate with key servers must have their service IP address configured. A node must have its full service IP stack configured (address, gateway, mask) in order for that node to be a candidate for attempting to contact the key server. Key servers are typically set up on a private LAN, and this requires enforcement of service IP addresses. If only a subset of nodes have service IP addresses set, then those nodes without a service IP address log an error. The IP address that the user supplies must be the one that Lenovo Storage V series uses to communicate with the key server.

Each key server will have a TCP port associated with its access. Since a key server serves multiple clients, Lenovo Storage V series allows the user to use a different port for each server and enables access for this port as and when required. KMIP server conformance mandates that TCP port 5696 be supported, so this will be the default port for the server end point.

Key generation policy and key database

If key server encryption is enabled, then the key server generates and manages the master keys. The node generates all other keys.

The key database can be clustered or unclustered depending on the type of key server that is used. For unclustered key servers, the user needs to consider backup and replication of the key database. IBM Security Key Lifecycle Manager is an example of a key server product where replication must be configured in order for encryption keys to be shared automatically between IBM Security Key Lifecycle Manager instances. Without replication configured, manual backup and restore operations must be used. Other products might self-replicate, so other key server instances automatically have any new keys created. For IBM Security Key Lifecycle Manager, complete backups and restores by following the IBM Security Key Lifecycle Manager user guide.