IBM DS8000 Encryption for Data at Rest, Transparent Cloud Tiering, and Endpoint Security (DS8000 Release 9.2)
An IBM Redpaper publication
Published 08 September 2021
IBM Form #: REDP-4500-10
Rate and comment
Authors: Bertrand Dufrasne, Gregg Arquero, Rinkesh Bansal, Tony Eriksson, Aditi Prasad, Andreas Reinhardt
The IBM® DS8000® supports encryption-capable drives. They are used with key management services (local or external) to allow encryption for data at rest. The use of encryption technology involves several considerations that are critical for you to understand to maintain the security and accessibility of encrypted data.
This edition of this IBM Redpaper™ publication focuses on IBM Security™ Guardium Key Lifecycle Manager with the DS8000 Release 9.2 code or later and updated DS GUI for encryption functions.
The DS8000 Release 9.2 code introduces support for local key management for data at rest encryption and is described in Chapter 7, “Local key management” on page 223.
Important: Failure to follow the requirements that are described in this publication can result in an encryption deadlock.
The DS8000 also supports Transparent Cloud Tiering (TCT) data object encryption. With TCT encryption, data is encrypted before it is transmitted to the cloud. The data remains encrypted in cloud storage and is decrypted after it is transmitted back to the IBM DS8000.
The DS8900F also provides Fibre Channel Endpoint Security when communicating with an IBM z15™, which supports link authentication and the encryption of data that is in-flight.
Table of contents
Chapter 1. Encryption overview
Chapter 2. External key managers
Chapter 3. IBM DS8000 encryption mechanisms
Chapter 4. Planning and guidelines for IBM DS8000 encryption
Chapter 5. Implementing IBM DS8000 encryption
Chapter 6. Maintaining the IBM DS8000 encryption environment
Chapter 7. Local key management
Follow IBM Redbooks
Follow IBM Redbooks