Encryption
To use encryption on the system, you must enable encryption and create copies of the keys. For SuperMicro-based servers, you must configure the trusted platform module before you enable encryption.
The system supports optional encryption of data at rest. This support protects against the potential exposure of sensitive user data and user metadata that is stored on discarded, lost, or stolen storage devices.
Accessing an encrypted system
Planning for encryption involves enabling the function on the system. The system supports two methods of configuring encryption. You can use a centralized key server that simplifies creating and managing encryption keys on the system. This method of encryption key management is preferred for security and simplification of key management. In addition, the system also supports storing encryption keys on USB flash drives. USB flash drive-based encryption requires physical access to the systems and is effective in environments with a minimal number of systems. For organizations that require strict security policies regarding USB flash drives, the system supports disabling these ports to prevent unauthorized transfer of system data to portable media devices. If you have such security requirements, use key servers to manage encryption keys.
To encrypt data that is stored on drives, the nodes capable of encryption must be configured to use encryption. When encryption is enabled on the system, valid encryption keys must be present on the system when the system unlocks the drives or the user generates a new key.
If you are using encryption to protect data that is copied to cloud storage, the cloud account is always synchronized with the system encryption settings. If both USB flash drives and key servers are configured, the cloud account that is created supports both of these methods. If just one encryption method is configured and the other is disabled, the cloud account supports encryption with the remaining configured encryption method. To ensure that the cloud account supports encryption, one or both methods must be configured with active keys when the cloud account is created.
If a cloud account is created with one encryption method, you can configure the second method later, but the cloud account must be online while the configuration occurs. After the second method is configured, the cloud account will support both key providers.
Encryption using key servers
A key server is a centralized system that generates, stores, and sends encryption keys to the system. If the key server provider supports replication of keys among multiple key servers, you can specify up to four key servers that connect to the system over either a public network or a separate private network. The system supports IBM Security Key Lifecycle Manager or Gemalto SafeNet KeySecure key servers to handle key management on the system. Both of these supported key server management applications create and manage cryptographic keys for the system and provide access to these keys through a certificate. Only one type of key server management application can be enabled on the system at a time. Authentication takes place when certificates are exchanged between the system and the key server. Certificates must be managed closely because expired certificates can cause system outages. Key servers must be installed and configured before they are defined on the system.
IBM Security Key Lifecycle Manager key servers support Key Management Interoperability Protocol (KMIP), which is a standard for encryption of stored data and management of cryptographic keys.
- One primary (master) key server and several secondary key servers: IBM Security Key Lifecycle Manager key servers designate one master or primary key server, which can have up to three secondary key servers (also known as clones) defined. These additional key servers provide more paths for delivering keys to the system; however, during rekeying only the path to the primary key server is used. When the system is rekeyed, secondary key servers are unavailable until the primary key server replicates the new keys to them. The time it takes to replicate the key to a secondary key server depends on the amount of key and certificate information that is being replicated, and replication must complete before the keys can be used on the system. You can either schedule automatic replication or complete it manually with IBM Security Key Lifecycle Manager. During replication, key servers are not available to distribute keys or accept new keys. The total time that a replication takes on the IBM Security Key Lifecycle Manager depends on the number of key servers that are configured as clones. If replication is triggered manually, the IBM Security Key Lifecycle Manager issues a completion message when the replication completes. Verify that all key servers contain the replicated key and certificate information before keys are used on the system.
- Multiple master key servers: Key servers can be configured in a multi-master configuration where each key server has the ability to create new encryption keys. In this instance, any server can be set as the primary key server. The primary key server is the key server that the system uses when you create any new key server encryption keys. If multi-master mode is enabled on the IBM Security Key Lifecycle Manager, the key is immediately replicated to the other key servers in the configuration.
For more information about the supported versions, see the IBM Security Key Lifecycle Manager IBM Knowledge Center.
When you create key server objects on the system for IBM Security Key Lifecycle Manager key servers, you must specify a device group in addition to the name, IP address, port, and certificate information. The device group is a collection of security credentials (including keys and groups of keys) that allows for restricted management of subsets of devices within a larger pool. If you are using the default settings, the system must be defined on the key server in the SPECTRUM_VIRT device group. If the SPECTRUM_VIRT device group does not exist on the key server, it must be created based on the GPFS device family. If you are configuring multiple key servers, the SPECTRUM_VIRT device group must be defined on the primary and all additional key servers.
- KeySecure key servers use an active-active model, where there are multiple key servers to provide redundancy. One KeySecure key server must be specified as the primary key server. The primary key server is the key server that the system uses when you create any new encryption keys. The key is immediately replicated to the other key servers in the KeySecure cluster. All of the KeySecure key servers that are defined on the system can be used to retrieve keys. Although it is possible to configure a single key server instance with KeySecure, two key servers are recommended to ensure availability of keys if one key server experiences an outage.
- The system supports up to four key servers with KeySecure. If the system is accessing multiple key servers, they need to belong to the same cluster of KeySecure key servers.
Encryption using USB flash drives
You can use USB flash drives to enable encryption and copy a key to the system. However, if your organization requires additional restrictions on accessing USB ports, you can disable access to these ports to prevent unauthorized access. You must create system encryption keys and write those keys to all USB flash drives.
Two options are available for accessing key information on USB flash drives:
Encryption technology
Data is encrypted with the Advanced Encryption Standard (AES) algorithm, using a 256-bit symmetric key in XTS mode as defined in the IEEE 1619-2007 standard and NIST Special Publication 800-38E (XTS-AES-256). The data encryption key is itself protected by a 256-bit AES key wrap under a key that is derived from the access key stored on the USB flash drive. The wrapped key is stored on the system in non-volatile form.
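The key hierarchy described above, as an added example that is not code from the product or its documentation: a 64-byte XTS-AES-256 data key is wrapped with AES key wrap (RFC 3394) under a key-encryption key derived from the access key, only the wrapped form is kept, and a wrong access key fails the wrap's integrity check so nothing can be unlocked. The HKDF-SHA256 derivation, the 512-byte sector size and the little-endian sector-number tweak are assumptions made for this example, not details the page states; it uses the `cryptography` package.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512  # constructed sector size for the example

def derive_kek(access_key: bytes) -> bytes:
    """Derive the 256-bit key-encryption key (KEK) from the access key held on the
    USB flash drive. HKDF-SHA256 with a fixed label is an assumption for this
    example; the page does not state the system's derivation function."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"example-kek-derivation").derive(access_key)

def generate_data_key() -> bytes:
    """XTS-AES-256 needs two 256-bit keys (data key and tweak key): 64 bytes."""
    return os.urandom(64)

def wrap_data_key(access_key: bytes, data_key: bytes) -> bytes:
    """AES key wrap (RFC 3394) of the data key under the KEK. The 72-byte result is
    the only form of the data key that is kept in non-volatile storage."""
    return aes_key_wrap(derive_kek(access_key), data_key)

def unwrap_data_key(access_key: bytes, wrapped: bytes):
    """Recover the data key, or return None when the access key is wrong: the
    key wrap's integrity check fails, so the drives cannot be unlocked."""
    try:
        return aes_key_unwrap(derive_kek(access_key), wrapped)
    except InvalidUnwrap:
        return None

def sector_tweak(sector_number: int) -> bytes:
    """128-bit XTS tweak: the little-endian sector number (a common convention)."""
    return sector_number.to_bytes(16, "little")

def encrypt_sector(data_key: bytes, sector_number: int, plaintext: bytes) -> bytes:
    enc = Cipher(algorithms.AES(data_key), modes.XTS(sector_tweak(sector_number))).encryptor()
    return enc.update(plaintext) + enc.finalize()

def decrypt_sector(data_key: bytes, sector_number: int, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(data_key), modes.XTS(sector_tweak(sector_number))).decryptor()
    return dec.update(ciphertext) + dec.finalize()

if __name__ == "__main__":
    access_key = os.urandom(32)  # constructed stand-in for the key on the USB flash drive
    stored = wrap_data_key(access_key, generate_data_key())  # what survives a reboot
    dek = unwrap_data_key(access_key, stored)  # key present: drives can be unlocked
    sector = encrypt_sector(dek, 7, b"\x00" * SECTOR_SIZE)
    print(len(stored), sector[:8].hex(), unwrap_data_key(os.urandom(32), stored))
```

Note that the same plaintext written to two different sectors produces different ciphertext because the sector number enters the XTS tweak.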