Encryption
The system supports optional encryption of data at rest. This support protects against the potential exposure of sensitive user data and user metadata that is stored on discarded, lost, or stolen storage devices.
Encryption using USB flash drives
You can use USB flash drives to enable encryption and copy a key to the system. You must create system encryption keys and write those keys to all USB flash drives.
Two options are available for accessing key information on USB flash drives:
- Leave the USB flash drives inserted in the system. This method requires that the physical environment where the system is located is secure. A secure location prevents an unauthorized person from making copies of the encryption keys, stealing the system, or accessing data that is stored on the system.
- Remove the USB flash drives once the system is unlocked. After the system completes unlocking the drives, the USB flash drives must be removed and stored securely to prevent theft or loss.
Encryption using key servers
You can use encryption key servers to enable encryption. A key server is a centralized system that generates, stores, and serves encryption keys. At least one key server is required to enable encryption key server support.
The IBM Security Key Lifecycle Manager is the supported key server type. It complies with the Key Management Interoperability Protocol (KMIP) and runs as an unclustered key server. You can enable encryption on the IBM Security Key Lifecycle Manager.
The IBM Security Key Lifecycle Manager creates managed keys for the system and uses a digital certificate to access these keys and provide authentication. This authentication takes place when certificates are exchanged. Certificates must be managed closely because expired certificates can cause system outages.
To use IBM Security Key Lifecycle Manager, you must specify an IP address, port, and device group to communicate with the system. The device group is a collection of security credentials (including keys and groups of keys) that allows for restricted management of subsets of devices within a larger pool.
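Two of the points above lend themselves to an automated pre-check: the key server entry must carry a usable IP address, port and device group, and the certificates used for mutual authentication must not be allowed to expire unnoticed. The script below is an added example, not IBM's code or part of the product; it assumes a plain dict for the key server entry and represents certificates in the dict form returned by Python's `ssl.getpeercert()`, whose `notAfter` field reads like `"Jun 15 12:00:00 2030 GMT"`. The sample values, thresholds and reference time are constructed for the example.

```python
"""Added example (not IBM's code): sanity checks an administrator can run
before pointing the storage system at a KMIP key server.

Assumptions (not from the page): a key server entry is a dict with
"address", "port" and "device_group" keys; a certificate is a dict in the
shape returned by ssl.getpeercert(), e.g. {"notAfter": "Jun 15 12:00:00 2030 GMT"}.
"""
import ipaddress
import ssl
from datetime import datetime, timezone

# Alert thresholds are assumptions for this example, not product defaults.
WARN_DAYS = 30
CRITICAL_DAYS = 7

# Constructed sample values: 192.0.2.0/24 is a documentation range and 5696 is
# the IANA-registered KMIP port; the device group name is made up.
SAMPLE_KEY_SERVER = {"address": "192.0.2.10", "port": 5696, "device_group": "StorageDevices"}
SAMPLE_CERT = {"subject": ((("commonName", "keyserver.example"),),),
               "notAfter": "Jun 15 12:00:00 2030 GMT"}
# Constructed reference time so the demo is reproducible.
FIXED_NOW = datetime(2030, 6, 1, 12, 0, tzinfo=timezone.utc)


def validate_key_server_config(cfg):
    """Return a list of problems with a key server entry (empty means OK)."""
    problems = []
    try:
        ipaddress.ip_address(cfg.get("address", ""))
    except ValueError:
        problems.append("address is not a valid IP address")
    port = cfg.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer between 1 and 65535")
    group = cfg.get("device_group", "")
    if not isinstance(group, str) or not group.strip():
        problems.append("device_group must be a non-empty name")
    return problems


def check_cert_expiry(cert, now=None):
    """Classify a certificate as ok, warning, critical or expired.

    Returns (status, days_left); days_left is negative once the certificate
    has expired. `now` defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    # ssl.cert_time_to_seconds parses the GMT string used by getpeercert().
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        status = "expired"
    elif days_left <= CRITICAL_DAYS:
        status = "critical"
    elif days_left <= WARN_DAYS:
        status = "warning"
    else:
        status = "ok"
    return status, days_left


if __name__ == "__main__":
    issues = validate_key_server_config(SAMPLE_KEY_SERVER)
    print("key server config:", "OK" if not issues else "; ".join(issues))
    status, days = check_cert_expiry(SAMPLE_CERT, FIXED_NOW)
    print(f"key server certificate: {status} ({days} days left)")
```

Run the expiry check on a schedule (for example daily) against the certificates on both sides of the exchange, since an expired certificate on either the key server or the storage system breaks authentication and, as the text notes, can take the system down.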