
IBM DS8700 User Manual

256 pages
IBM Full Disk Encryption drives are not cryptographically erased when the disk
fails. In this case, there is no guarantee that the device-adapter intentionally fences
the failing drive from the device interface as soon as possible to prevent it from
causing any other problems on the interface.
A unique access credential for each locked drive in the SFI is derived from one
data key that it obtains from the Tivoli Key Lifecycle Manager key server. The
DS8000 stores multiple independent copies of the EEDK persistently and it must be
able to communicate with a Tivoli Key Lifecycle Manager key server after a power
on to allow access to the disks that have encryption enabled.
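The per-drive credential derivation and the power-on dependency on the key server described above, as an added example that is not taken from the IBM manual. It assumes HKDF-SHA256 keyed with the data key and bound to a drive serial (the manual does not name the derivation function); `LockedDrive`, `power_on`, `fetch_data_key` and the sample serials are hypothetical.

```python
import hashlib
import hmac

def hkdf_sha256(key: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def drive_credential(data_key: bytes, drive_serial: str) -> bytes:
    # Assumption: credential = HKDF(data key, drive serial). One data key
    # yields a different credential for every drive.
    return hkdf_sha256(data_key, b"drive-access:" + drive_serial.encode())

class LockedDrive:
    """Toy model of a locked drive that keeps only a digest of its credential."""
    def __init__(self, serial: str, credential: bytes):
        self.serial = serial
        self._digest = hashlib.sha256(credential).digest()
        self.unlocked = False

    def unlock(self, credential: bytes) -> bool:
        presented = hashlib.sha256(credential).digest()
        self.unlocked = hmac.compare_digest(presented, self._digest)
        return self.unlocked

def power_on(drives, fetch_data_key):
    """Try to unlock every drive after a power on. fetch_data_key models the
    key server unwrapping the stored EEDK; it returns None if unreachable."""
    data_key = fetch_data_key()
    if data_key is None:
        return {d.serial: False for d in drives}  # no key server: drives stay locked
    return {d.serial: d.unlock(drive_credential(data_key, d.serial)) for d in drives}

# Constructed sample values, not real keys or serial numbers.
DATA_KEY = bytes(range(32))
SERIALS = ["DDM-0001", "DDM-0002", "DDM-0003"]

def build_array():
    return [LockedDrive(s, drive_credential(DATA_KEY, s)) for s in SERIALS]

if __name__ == "__main__":
    print(power_on(build_array(), lambda: DATA_KEY))  # key server reachable
    print(power_on(build_array(), lambda: None))      # key server unreachable
```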
In the current implementation of an encryption-capable DS8000, data is persistently
stored in one of the following places:
On your disks
Data on your disks (for example, DDM installed through DDM Install
Group features) that are members of an encryption-enabled rank is
managed through a data key obtained from the Tivoli Key Lifecycle
Manager key server. The data is encrypted with an encryption key that is
managed through an externally encrypted key. The data on disks that are
members of a rank that is not encryption-enabled is encrypted with an
encryption key that is encrypted with a derived key and stored on the
disk. Therefore, this data is obfuscated.
NVS dump data on system disks
If you start a force power off sequence, write data in flight in the NVS
memory is encrypted with an encryption key and stored on the system
disk in the DS8000. The data is limited to 8 GB. The encryption key is
encrypted with a derived key and stored on the system disk, hence NVS
data is obfuscated. The data on the system disk is cryptographically erased
after power is restored and after the data has been restored to the NVS
memory during the initial microcode load.
Atomic-parity update (APU) dump data in device flash memories
If a force power off sequence is initiated, atomic parity write data in flight
within the device adapter memory for RAID 6 arrays is encrypted with an
encryption key. The data is stored in flash memory on the device adapter
card in the DS8000 system, and is limited to 32 MB per device adapter or
512 MB per storage facility.
For version 6, release 1 and later, the encryption key to unlock the APU
data in compact flash is a randomly generated AES-256 key, which is
stored externally to each individual device adapter, and encrypted at the
FRU level.
Note: The power off requests that are issued through the DS8000 Storage Manager,
the command-line interface or through the IBM System z power control
interfaces do not start a force power off sequence. Activation of the Force
Power Off service switch or loss of AC power does start a force power off
sequence.
Recovery key configuration operations
A storage administrator must start the process to configure a recovery key for the
DS8000 SFI before an encryption group is created. Each configured encryption
group has an associated recovery key. You can use the recovery key to access data
from an encryption group that is in a configured-inaccessible state when access to
the encryption group data key through any key server is not possible.
76 Introduction and Planning Guide
