Encryption
A SAN Volume Controller 2145-DH8 or SAN Volume Controller 2145-SV1 system supports optional encryption of data at rest. This support protects against the potential exposure of sensitive user data and user metadata that is stored on discarded, lost, or stolen storage devices. To use encryption on the system, an encryption license is required for each pair of nodes that support encryption.
Accessing an encrypted system
Planning for encryption involves purchasing a licensed function and then activating and enabling the function on the system. Either USB encryption or key server encryption can be enabled on the system. The system supports IBM Security Key Lifecycle Manager version 2.6.0 or later for enabling encryption with a key server.
To encrypt data that is stored on drives, the nodes capable of encryption must be licensed and configured to use encryption. When encryption is activated and enabled on the system, valid encryption keys must be present on the system when the system unlocks the drives or the user generates a new key. If USB encryption is enabled on the system, the encryption key must be stored on USB flash drives that contain a copy of the key that was generated when encryption was enabled. If key server encryption is enabled on the system, the key is retrieved from the key server.
Encryption using USB flash drives
You can use USB flash drives to enable encryption and copy a key to the system. You must create system encryption keys and write those keys to all USB flash drives.
Two options are available for accessing key information on USB flash drives:
- If you want the system to restart automatically, a USB flash drive must be left inserted in all the nodes on the system. When the system is powered on, all nodes then have access to the encryption key. This method requires that the physical environment where the system is located is secure. A secure location prevents an unauthorized person from making copies of the encryption keys, stealing the system, or accessing data that is stored on the system.
- For the most secure operation, do not keep the USB flash drives inserted into the nodes on the system. However, this method requires that you manually insert the USB flash drives that contain copies of the encryption key into each node during operations for which the system requires an encryption key to be present, so that data can be accessed. After the system completes unlocking the drives, the USB flash drives must be removed and stored securely to prevent theft or loss.
Encryption using key servers
You can use encryption key servers to enable encryption. A key server is a centralized system that generates, stores, and serves encryption keys. At least one key server is required to enable encryption key server support.
The IBM Security Key Lifecycle Manager is the supported key server type. It complies with the Key Management Interoperability Protocol (KMIP).
You can enable encryption with the IBM Security Key Lifecycle Manager. It is an unclustered key server.
The IBM Security Key Lifecycle Manager creates managed keys for the system and uses a digital certificate to access these keys and provide authentication. This authentication takes place when certificates are exchanged. Certificates must be managed closely because expired certificates can cause system outages.
To use IBM Security Key Lifecycle Manager, you must specify an IP address, port, and device group to communicate with the system. The device group is a collection of security credentials (including keys and groups of keys) that allows for restricted management of subsets of devices within a larger pool.
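Because expired certificates can cause system outages, the following added example (not IBM code) shows one way to track the expiry of the certificates involved in key server authentication. It assumes the certificates have been exported as PEM files and that the openssl CLI is installed; the labels, dates, and the 60-day renewal threshold are constructed for illustration.

```python
import ssl
import subprocess
from datetime import datetime, timezone

# Constructed sample data: labels and dates are illustrative, not from a real system.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "system certificate": "Mar 15 00:00:00 2025 GMT",
    "key server certificate": "Jan  5 12:00:00 2025 GMT",
    "key server CA certificate": "Dec 31 23:59:59 2024 GMT",
}


def not_after_from_pem(path):
    """Read notAfter from a PEM file (assumed export location) with the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    return out.split("=", 1)[1]  # output looks like "notAfter=Jan  5 12:00:00 2025 GMT"


def expiry_report(certs, now, warn_days=60):
    """Return [(label, whole_days_left, status)], most urgent first."""
    report = []
    for label, not_after in certs.items():
        expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
        days = (expires - now).days  # floors, so any time in the past is negative
        if expires <= now:
            status = "EXPIRED"
        elif days <= warn_days:
            status = "RENEW"  # inside the assumed renewal window
        else:
            status = "OK"
        report.append((label, days, status))
    return sorted(report, key=lambda row: row[1])


if __name__ == "__main__":
    for label, days, status in expiry_report(SAMPLE_CERTS, SAMPLE_NOW):
        print(f"{status:8} {days:4d} days  {label}")
```

For real use, build the dictionary by calling `not_after_from_pem` on each exported certificate file and pass `datetime.now(timezone.utc)` as `now`.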