IBM DS8000 Encryption for data at rest, Transparent Cloud Tiering, and Endpoint Security (DS8000 Release 9.1)

A draft IBM Redpaper publication

Updated 11 February 2021

cover image

IBM Form #: REDP-4500-09

More options

Rate and comment

Authors: Bert Dufrasne, Rinkesh Bansal, Tony Eriksson, Leandro Cesar Fida, Lisa Martinez


IBM® experts recognize the need for data protection, both from hardware or software failures, and from physical relocation of hardware, theft, and retasking of existing hardware.

The IBM DS8000® supports encryption-capable hard disk drives (HDDs) and flash drives. These Full Disk Encryption (FDE) drive sets are used with key management services to allow encryption for data at rest. Use of encryption technology involves several considerations that are critical for you to understand to maintain the security and accessibility of encrypted data.

Failure to follow the requirements that are described in the IBM Redpaper can result in an encryption deadlock.

Starting with Release 8.5 code, the DS8000 also supports Transparent Cloud Tiering (TCT) data object encryption. With TCT encryption, data is encrypted before it is transmitted to the cloud. The data remains encrypted in cloud storage and is decrypted after it is transmitted back to the IBM DS8000.

Starting with DS8000 Release 9.0, the DS8900F provides Fibre Channel Endpoint Security when communicating with an IBM z15™, which supports link authentication and the encryption of data in-flight. For more information, see IBM Fibre Channel Endpoint Security for IBM DS8900F and IBM Z, SG24-8455.

This edition focuses on IBM Security Key Lifecycle Manager Version 4.0 or later with the DS8000 Release 9.1 code or later and updated DS GUI for encryption functions. Other external key managers, such as Thales CipherTrust Manager (CM) , Thales Vormetric Data Security Manager (DSM), and Gemalto SafeNet KeySecure (KS) are referenced, as supported for data at rest encryption and Transparent Cloud Tiering encryption.

Table of contents

Chapter 1. Encryption overview
Chapter 2. External Key Managers
Chapter 3. IBM DS8000 encryption mechanisms
Chapter 4. Planning and guidelines for IBM DS8000 encryption
Chapter 5. IBM DS8000 encryption implementation
Chapter 6. Maintaining the IBM DS8000 encryption environment

These pages are Web versions of IBM Redbooks- and Redpapers-in-progress. They are published here for those who need the information now and may contain spelling, layout and grammatical errors. This material has not been submitted to any formal IBM test and is published AS IS. It has not been the subject of rigorous review. Your feedback is welcomed to improve the usefulness of the material to others.

Follow IBM Redbooks

Follow IBM Redbooks