IBM DS8000 Encryption for data at rest, Transparent Cloud Tiering, and Endpoint Security (DS8000 Release 9.0)

An IBM Redpaper publication

Published 27 January 2020, updated 20 April 2020

cover image

ISBN-10: 0738458422
ISBN-13: 9780738458427
IBM Form #: REDP-4500-08
(200 pages)

More options

Rate and comment

Authors: Bert Dufrasne, Anreas Reinhardt, Tony Eriksson. Lisa Martinez


IBM® experts recognize the need for data protection, both from hardware or software failures, and from physical relocation of hardware, theft, and retasking of existing hardware.

The IBM DS8000® supports encryption-capable hard disk drives (HDDs) and flash drives. These Full Disk Encryption (FDE) drive sets are used with key management services that are provided by IBM Security Key Lifecycle Manager software or Gemalto SafeNet KeySecure to allow encryption for data at rest. Use of encryption technology involves several considerations that are critical for you to understand to maintain the security and accessibility of encrypted data.

Failure to follow the requirements that are described in the IBM Redpaper can result in an encryption deadlock.

Starting with Release 8.5 code, the DS8000 also supports Transparent Cloud Tiering (TCT) data object encryption. With TCT encryption, data is encrypted before it is transmitted to the cloud. The data remains encrypted in cloud storage and is decrypted after it is transmitted back to the IBM DS8000.

Starting with DS8000 Release 9.0, the DS8900F provides Fibre Channel Endpoint Security when communicating with an IBM z15™, which supports link authentication and the encryption of data that is in-flight. For more information, see IBM Fibre Channel Endpoint Security for IBM DS8900F and IBM Z, SG24-8455.

This edition focuses on IBM Security Key Lifecycle Manager Version or later, which enables support Key Management Interoperability Protocol (KMIP) with the DS8000 Release 9.0 code or later and updated DS GUI for encryption functions.

Table of contents

Chapter 1. Encryption overview
Chapter 2. IBM DS8000 encryption mechanisms
Chapter 3. Planning and guidelines for IBM DS8000 encryption
Chapter 4. IBM DS8000 encryption implementation
Chapter 5. Maintaining the IBM DS8000 encryption environment

Follow IBM Redbooks

Follow IBM Redbooks