790 Implementing the IBM Storwize V5000 Gen2 with IBM Spectrum Virtualize V8.1
13.8.4 Encrypted MDisks
See Chapter 4, “Storage pools” on page 143 for instructions on how to add external storage
to a pool. Each MDisk belonging to external storage added to an encrypted pool or child pool
is automatically encrypted using the pool or child pool key, unless the MDisk is detected or
declared as self-encrypting.
The user interface gives no method to see which extents contain encrypted data and which
do not. However, if a volume is created in a correctly configured encrypted pool, then all data
written to this volume will be encrypted.
The extents could contain stale unencrypted data if the MDisk was earlier used for storage of
unencrypted data. This is because file deletion only marks disk space as free, the data is not
actually removed from the storage. So, if the MDisk is not self-encrypting and was a part of an
unencrypted pool, and then was moved to an encrypted pool, then it will contain stale data
from its previous life. Another failure mode is to misconfigure an external MDisk as
self-encrypting, while in reality it’s not self-encrypting.
In that case, the data written to this MDisk would not be encrypted by IBM SAN Volume
Controller, because IBM SAN Volume Controller would be convinced that MDisk will encrypt
the data by itself. At the same time, the MDisk will not encrypt the data, because it’s not
self-encrypting, so we end up with unencrypted data on an extent in an encrypted pool.
However, all data written to any MDisk that’s a part of correctly configured encrypted pool, is
going to be encrypted.
You can customise the MDisk by Pools view to show the object encryption state by clicking
Pools → MDisk by Pools, selecting the menu bar, right-clicking it, and selecting the
Encryption Key icon. Figure 13-68 shows a case where self-encrypting MDisk is in an
unencrypted pools.
Figure 13-68 MDisk encryption state
Self-encrypting MDisks
When adding external storage to a pool, you should be exceptionally diligent when declaring
the MDisk as self-encrypting. Correctly declaring an MDisk as self-encrypting avoids waste of
resources, such as CPU time. However, when used improperly it may lead to unencrypted
data at-rest.
To Next Page
Loading...
Need help?
General