Book Description

IBM® experts recognize the need for data protection, both from hardware or software failures, and from physical relocation of hardware, theft, and retasking of existing hardware.

The IBM DS8000® supports encryption-capable hard disk drives (HDDs) and flash drives. These Full Disk Encryption (FDE) drive sets are used with key management services that are provided by IBM Security Key Lifecycle Manager software or Gemalto SafeNet KeySecure to allow encryption for data at rest. Use of encryption technology involves several considerations that are critical for you to understand to maintain the security and accessibility of encrypted data.

Failure to follow the requirements that are described in the IBM Redpaper can result in an encryption deadlock.

Starting with Release 8.5 code, the DS8000 also supports Transparent Cloud Tiering (TCT) data object encryption. With TCT encryption, data is encrypted before it is transmitted to the cloud. The data remains encrypted in cloud storage and is decrypted after it is transmitted back to the IBM DS8000.

Starting with DS8000 Release 9.0, the DS8900F provides Fibre Channel Endpoint Security when communicating with an IBM z15™, which supports link authentication and the encryption of data that is in-flight. For more information, see IBM Fibre Channel Endpoint Security for IBM DS8900F and IBM Z, SG24-8455.

This edition focuses on IBM Security Key Lifecycle Manager Version 3.0.1.3 or later, which enables support for the Key Management Interoperability Protocol (KMIP) with the DS8000 Release 9.0 code or later and the updated DS GUI for encryption functions.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Summary of changes
    1. January 2020, Ninth Edition
  5. Chapter 1. Encryption overview
    1. 1.1 Business context
      1. 1.1.1 Threats and security challenges
      2. 1.1.2 Need for data at rest encryption
      3. 1.1.3 Need for Transparent Cloud Tiering encryption
      4. 1.1.4 Need for Endpoint Security
    2. 1.2 Encryption concepts and terminology
      1. 1.2.1 Symmetric key encryption
      2. 1.2.2 Asymmetric key encryption
      3. 1.2.3 Hybrid encryption
      4. 1.2.4 Communication protocols IPP, SSL/TLS V1.2, and KMIP
    3. 1.3 Encryption challenges
    4. 1.4 Key Manager
      1. 1.4.1 IBM Security Key Lifecycle Manager v3.0 and later features overview
      2. 1.4.2 Key serving
      3. 1.4.3 How to protect IBM Security Key Lifecycle Manager data
    5. 1.5 IBM Security Key Lifecycle Manager for z/OS
      1. 1.5.1 IBM Security Key Lifecycle Manager for z/OS components
      2. 1.5.2 Functions that are performed by IBM SKLM for z/OS
      3. 1.5.3 Preventing a deadlock situation
      4. 1.5.4 Installing the IBM Security Key Lifecycle Manager for z/OS and keystores
    6. 1.6 Gemalto SafeNet KeySecure
  6. Chapter 2. IBM DS8000 encryption mechanisms
    1. 2.1 DS8000 data at rest disk encryption
      1. 2.1.1 Key management for IPP with IBM SKLM
      2. 2.1.2 Key Management by using KMIP
    2. 2.2 Encryption deadlock
    3. 2.3 Working with a recovery key
      1. 2.3.1 Recovery key management
      2. 2.3.2 Disabling or enabling a recovery key
    4. 2.4 Dual key server support
    5. 2.5 DS8000 TCT Encryption Key Management using KMIP
    6. 2.6 DS8000 Endpoint Encryption Key Management using KMIP
      1. 2.6.1 IFCES settings and policies
  7. Chapter 3. Planning and guidelines for IBM DS8000 encryption
    1. 3.1 About certificates
    2. 3.2 Planning and implementation process flow
    3. 3.3 Encryption-capable DS8000 ordering and configuration
    4. 3.4 Licensing
    5. 3.5 Advice for encryption in storage environments
      1. 3.5.1 Using LDAP authentication
      2. 3.5.2 Availability
      3. 3.5.3 Encryption deadlock prevention
    6. 3.6 Multiple IBM Security Key Lifecycle Managers for redundancy
  8. Chapter 4. IBM DS8000 encryption implementation
    1. 4.1 Installing IBM SKLM V3.0 in silent mode
      1. 4.1.1 Before you start the installation
      2. 4.1.2 Silent mode installation on Linux
      3. 4.1.3 Installing Fix Pack 1 (or later) for Security Key Lifecycle Manager V3.0
    2. 4.2 WebSphere, Java, and SKLM hardening
      1. 4.2.1 WebSphere Application Server hardening
      2. 4.2.2 Java hardening
      3. 4.2.3 SKLM hardening
    3. 4.3 Key Manager setup
      1. 4.3.1 IBM Security Key Lifecycle Manager V3.0 configuration
      2. 4.3.2 SafeNet KeySecure configuration
    4. 4.4 Configuration for data at rest Configuration
      1. 4.4.1 SKLM Key management setup by using IPP
      2. 4.4.2 SKLM Key management setup by using KMIP
      3. 4.4.3 DS8000 configuration for data at rest encryption
      4. 4.4.4 DS8000 CLI configuration for data at rest encryption
      5. 4.4.5 Configuring and administering encrypted storage pools
      6. 4.4.6 Managing the recovery keys
    5. 4.5 Configuration for TCT encryption
      1. 4.5.1 Setting up TCT encryption
    6. 4.6 Configuration for Endpoint Security
      1. 4.6.1 DS8000 GUI configuration for Endpoint Security
      2. 4.6.2 DS8000 CLI configuration for Endpoint Security
    7. 4.7 Data at rest encryption and Copy Services functions
    8. 4.8 NIST SP 800-131a requirements for key servers
      1. 4.8.1 Configuration steps for changing SKLM to use TLS 1.2
    9. 4.9 Migrating certificates
      1. 4.9.1 Migration from Gen 1 to a Gen 2 certificate for encryption
      2. 4.9.2 Migration from Gen 2 to a Gen 3 certificate for encryption
    10. 4.10 Using a custom generated Gen 1 or Gen 2 certificate
      1. 4.10.1 Configuring a Custom Certificate by using DSGUI
      2. 4.10.2 Configuring a custom certificate by using DSCLI
  9. Chapter 5. Maintaining the IBM DS8000 encryption environment
    1. 5.1 Rekeying the data key for data at rest encryption
      1. 5.1.1 Rekey the data key when using the IPP protocol
      2. 5.1.2 Rekey the data key when using the KMIP protocol
    2. 5.2 Recovery key use and maintenance
      1. 5.2.1 Validating or testing a recovery key
      2. 5.2.2 Using the recovery key in an emergency-deadlock situation (recovery action)
      3. 5.2.3 Rekeying the recovery key
      4. 5.2.4 Deleting or deconfiguring a recovery key
    3. 5.3 Recovery key state summary
  10. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. Help from IBM
  11. Back cover