Data-at-rest Encryption for the IBM Spectrum Accelerate Family

Book description

With the ever-growing landscape of national, state, and local regulations, industry requirements, and increased security threats, ensuring the protection of an organization's information is a key part of operating a successful business.

Encrypting data-at-rest is a key element when addressing these concerns. Most storage products offer encryption at an additional cost. The IBM® Spectrum Accelerate family, which includes the IBM XIV® Storage System, IBM FlashSystem® A9000, IBM FlashSystem A9000R systems, and IBM Spectrum™ Accelerate Software, provides data-at-rest encryption at no charge. Clients can take advantage of encryption and still benefit from the lower total cost of ownership (TCO) that the IBM Spectrum Accelerate™ family offers.

For IBM FlashSystem A9000 and A9000R, clients now have a choice between an external key manager-based encryption implementation and a local key-based encryption implementation. The local key solution offers a simplified deployment of data-at-rest encryption.

This IBM Redpaper™ publication explains the architecture and design of the XIV and IBM FlashSystem A9000 and A9000R encryption solutions. Details are provided for configuring and implementing both solutions.

Table of contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Summary of changes
    1. April 2019, Third Edition
  5. Chapter 1. Encryption overview
    1. 1.1 Introduction to data-at-rest encryption
      1. 1.1.1 External key management
      2. 1.1.2 Local key management
    2. 1.2 Threats and security challenges
    3. 1.3 Need for encryption
    4. 1.4 Encryption concepts
      1. 1.4.1 Symmetric key encryption
    5. 1.5 Encryption challenges
  6. Chapter 2. Planning
    1. 2.1 Planning and implementation process flow
      1. 2.1.1 Additional planning when using an external key server
      2. 2.1.2 Digital certificates
      3. 2.1.3 IBM Security Key Lifecycle Manager licensing for IBM FlashSystem A9000 and IBM FlashSystem A9000R
      4. 2.1.4 IBM Security Key Lifecycle Manager licensing under virtualization
    2. 2.2 Best practices for an external key server
      1. 2.2.1 Security
      2. 2.2.2 Availability
      3. 2.2.3 Encryption administration
      4. 2.2.4 Multiple key servers for redundancy
      5. 2.2.5 Setting up IBM Security Key Lifecycle Manager servers
    3. 2.3 IBM FlashSystem A9000 / A9000R with local encryption
      1. 2.3.1 Security
      2. 2.3.2 Availability
      3. 2.3.3 Encryption administration
      4. 2.3.4 Safeguard keys for redundancy
  7. Chapter 3. Implementing encryption on XIV
    1. 3.1 XIV disk encryption
      1. 3.1.1 Self-encrypting drives
    2. 3.2 Encryption process overview
    3. 3.3 IBM Security Key Lifecycle Manager installation
    4. 3.4 XIV data-at-rest encryption configuration
      1. 3.4.1 Overview of configuration steps
      2. 3.4.2 Detailed configuration steps
    5. 3.5 Recovery key use and maintenance
      1. 3.5.1 Process for recovery keys
      2. 3.5.2 Recovery key generation with the XIV GUI
      3. 3.5.3 Recovery key generation with XCLI
      4. 3.5.4 Recovery key verification by using the XIV GUI
      5. 3.5.5 Recovery key verification by using the XCLI
      6. 3.5.6 Recovery key rekey
      7. 3.5.7 Using a recovery key to unlock an XIV system
    6. 3.6 Activating or deactivating encryption
      1. 3.6.1 Activating data-at-rest XIV encryption
      2. 3.6.2 Deactivating XIV data-at-rest encryption
    7. 3.7 Verifying encryption state
  8. Chapter 4. Implementing encryption on IBM FlashSystem A9000 and A9000R
    1. 4.1 IBM FlashSystem A9000/A9000R encryption
    2. 4.2 External Encryption mechanism and process
      1. 4.2.1 External key server encryption process overview
      2. 4.2.2 External key server encryption configurations
      3. 4.2.3 IBM Security Key Lifecycle Manager installation
      4. 4.2.4 SKLM External key server configuration steps
      5. 4.2.5 Setting up SafeNet KeySecure encryption
      6. 4.2.6 Installing and configuring SafeNet KeySecure key server
      7. 4.2.7 Installing the KeySecure certificate on the A9000/R
    3. 4.3 Recovery key use and maintenance
      1. 4.3.1 Process for recovery keys
      2. 4.3.2 Recovery key generation and verification with XCLI
      3. 4.3.3 Recovery key rekey
      4. 4.3.4 Using a recovery key to unlock IBM FlashSystem A9000/A9000R
    4. 4.4 Activating and deactivating encryption
      1. 4.4.1 Activating data-at-rest encryption
      2. 4.4.2 Deactivating data-at-rest encryption
    5. 4.5 Verifying the encryption state
    6. 4.6 Local encryption mechanism and process
      1. 4.6.1 Configuring local encryption
      2. 4.6.2 Local encryption configuration and process
    7. 4.7 Converting from external to local key encryption
  9. Chapter 5. Maintaining
    1. 5.1 Automated replication
    2. 5.2 Starting and stopping an external IBM Security Key Lifecycle Manager server
      1. 5.2.1 Starting and stopping the server by using scripts
      2. 5.2.2 Determining status
    3. 5.3 Encryption server rekey
      1. 5.3.1 XIV system external encryption rekey by using the XIV GUI
      2. 5.3.2 XIV and IBM FlashSystem A9000 or A9000R server rekey by using XCLI
    4. 5.4 Encryption deadlock
    5. 5.5 Component replacements
  10. Related publications
    1. IBM Redbooks
    2. Other publications and online resources
    3. Help from IBM
  11. Back cover

Product information

  • Title: Data-at-rest Encryption for the IBM Spectrum Accelerate Family
  • Author(s): Bert Dufrasne, Roman Fridli, Andrew Greenfield
  • Release date: April 2019
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738457574