Chapter 13. Encryption 745
Encryption of data at-rest complies with the Federal Information Processing Standard 140
(FIPS-140) standard, but is not certified.
Ciphertext stealing XTS-AES-256 is used for data encryption.
AES 256 is used for master access keys.
The algorithm is public. The only secrets are the keys.
A symmetric key algorithm is used. The same key is used to encrypt and decrypt data.
The encryption of system data and metadata is not required, so they are not encrypted.
Encryption is enabled at a system level and all of the following prerequisites must be met
before you can use encryption:
You must purchase an encryption license before you activate the function.
If you did not purchase a license, contact an IBM marketing representative or IBM
Business Partner to purchase an encryption license.
At least three USB flash drives are required if you plan not to use a key management
server. They are available as a feature code from IBM (see the note on 761).
You must activate the license that you purchased.
Encryption must be enabled.
Figure 13-1 shows an encryption example. Encrypted disks and encrypted data paths are
marked in blue. Unencrypted disks and data paths are marked in red. In this example the
server sends unencrypted data to a SAN Volume Controller 2145-DH8 system, which stores
hardware-encrypted data on internal disks.
The data is mirrored to a remote Storwize V5000 Gen 1 system using Remote Copy. The data
flowing through the Remote Copy link is not encrypted. Because the Storwize V5000 Gen1 is
unable to perform any encryption activities, data on the Storwize V5000 Gen1 is not
encrypted.
Figure 13-1 Encryption on single site
Note: Only data at-rest is encrypted. Host to storage communication and data sent over
links used for Remote Mirroring are not encrypted.
Server
Hardware
Encryption
2145-DH8
2077-24C
SAS
2145-24F
2145-24F
2077-24E
2077-24E
Remote Copy
SAS
To Next Page
Loading...
Need help?
General