Encryption

Lenovo Storage V5030 supports optional encryption of data at rest. Encryption protects against the potential exposure of sensitive user data that is stored on discarded, lost, or stolen storage devices. This system requires an encryption license for each enclosure that supports encryption.

Encryption using USB flash drives

You can use USB flash drives to enable encryption and copy a key to the system. You must create system encryption keys and write those keys to all USB flash drives.

Two options are available for accessing key information on USB flash drives:

USB flash drives are left inserted in the system at all times
  If you want the system to restart automatically, a USB flash drive must be left inserted in every canister on the system. When you power on, all canisters then have access to the encryption key. This method requires that the physical environment where the system is located is secure, because a secure location is what prevents an unauthorized person from copying the encryption keys, stealing the system, or accessing the data that is stored on it.

USB flash drives are not left inserted in the system except as required
  For the most secure operation, do not leave the USB flash drives inserted in the canisters. Instead, insert a USB flash drive that contains a copy of the encryption key into each canister whenever the system performs an operation that requires the key to be present, such as unlocking the drives. After the system has unlocked the drives, remove the USB flash drives and store them securely to prevent theft or loss.

Encryption using key servers

You can use encryption key servers to enable encryption. A key server is a centralized system that generates, stores, and serves encryption keys. At least one key server is required to enable encryption key server support.

The IBM Security Key Lifecycle Manager is the supported key server type. It complies with the Key Management Interface Protocol (KMIP) and runs as an unclustered key server.

The IBM Security Key Lifecycle Manager creates managed keys for the system and uses a digital certificate to access these keys and provide authentication. This authentication takes place when certificates are exchanged. Certificates must be managed closely because expired certificates can cause system outages.

To use IBM Security Key Lifecycle Manager, you must specify the key server's IP address, port, and device group so that the system can communicate with it. The device group is a collection of security credentials (including keys and groups of keys) that allows for restricted management of subsets of devices within a larger pool.
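The two operational requirements stated above, that at least one key server with an address, port and device group is configured, and that the certificates used for authentication are renewed before they expire and cause an outage, translate directly into a routine check. The following script is an added example, not Lenovo's or IBM's code, and it does not use the V5030 or IBM Security Key Lifecycle Manager management interfaces. It assumes a key-server list with host, port and device group (constructed placeholder values), a 30-day renewal warning threshold, and certificates in the dict shape that Python's standard ssl module returns from getpeercert(); the offline run evaluates constructed certificates at a fixed reference time.

```python
import socket
import ssl
import time
from dataclasses import dataclass

# Days before notAfter at which a certificate is flagged for renewal (assumed policy value).
WARN_DAYS = 30

# Hypothetical key-server records holding the three values the system needs.
# Host name and device group are constructed placeholders, not real endpoints.
KEY_SERVERS = [
    {"host": "sklm-1.example.internal", "port": 5696, "device_group": "V5030_GROUP"},
]


@dataclass
class CertStatus:
    server: str
    days_left: int
    state: str  # "ok", "warning" or "expired"


def cert_time(text):
    """Parse a certificate date in getpeercert() format ('Mon DD HH:MM:SS YYYY GMT')
    into seconds since the epoch, interpreted as UTC."""
    return ssl.cert_time_to_seconds(text)


def check_key_server_config(servers):
    """Return a list of configuration problems (empty when the list is usable).

    Encodes the requirements from the text: at least one key server, and an
    address, port and device group for each of them.
    """
    problems = []
    if not servers:
        problems.append("at least one key server is required")
    for s in servers:
        if not s.get("host"):
            problems.append("key server entry without an address")
        if not isinstance(s.get("port"), int) or not 1 <= s["port"] <= 65535:
            problems.append(f"{s.get('host')}: invalid port {s.get('port')!r}")
        if not s.get("device_group"):
            problems.append(f"{s.get('host')}: no device group specified")
    return problems


def days_until_expiry(cert, now=None):
    """Whole days from `now` until the certificate's notAfter (negative once expired)."""
    expires = cert_time(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify(server, cert, now=None, warn_days=WARN_DAYS):
    """Turn a certificate's remaining lifetime into an ok/warning/expired status."""
    days = days_until_expiry(cert, now)
    if days < 0:
        state = "expired"
    elif days <= warn_days:
        state = "warning"
    else:
        state = "ok"
    return CertStatus(server, days, state)


def fetch_peer_cert(host, port, cafile, timeout=5.0):
    """Connect to a key server over TLS and return its certificate dict.

    Verification against cafile is enforced, so a server presenting an untrusted
    or already-expired certificate raises ssl.SSLError instead of returning.
    Not exercised in the offline run below.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(statuses):
    """Human-readable lines, worst state first, for an operator or a monitoring job."""
    order = {"expired": 0, "warning": 1, "ok": 2}
    return [
        f"{s.state.upper():8} {s.server}: {s.days_left} days until notAfter"
        for s in sorted(statuses, key=lambda x: order[x.state])
    ]


if __name__ == "__main__":
    # Constructed certificates (only notAfter matters here), evaluated at a fixed
    # reference time so the run is reproducible offline.
    now = cert_time("Jan  1 00:00:00 2024 GMT")
    samples = {
        "sklm-1.example.internal": {"notAfter": "Jun  1 00:00:00 2024 GMT"},
        "sklm-2.example.internal": {"notAfter": "Jan 20 00:00:00 2024 GMT"},
        "sklm-3.example.internal": {"notAfter": "Dec 31 00:00:00 2023 GMT"},
    }
    for problem in check_key_server_config(KEY_SERVERS):
        print("config:", problem)
    for line in report([classify(host, cert, now) for host, cert in samples.items()]):
        print(line)
```

In production the certificate dict comes from `fetch_peer_cert()` against each configured key server; the check is worth scheduling well inside the warning window, because the system itself only reports the failure once the certificate has already expired.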

Note: The Lenovo Storage V5030 Encryption Enablement feature and the Encryption USB Drive Pack feature are not available in the following countries:
  • Belarus
  • Kazakhstan
  • People's Republic of China
  • Russia