IBM DS8000 Encryption for Data at Rest, Transparent Cloud Tiering, and Endpoint Security (DS8000 Release 9.1)

An IBM Redpaper publication

Published 29 April 2021

cover image

ISBN-10: 073845964X
ISBN-13: 9780738459646
IBM Form #: REDP-4500-09
(260 pages)

More options

Rate and comment

Authors: Bert Dufrasne, Rinkesh Bansal, Tony Eriksson, Leandro Cesar Fida, Lisa Martinez


IBM® experts recognize the need for data protection, both from hardware or software failures, and from physical relocation of hardware, theft, and retasking of existing hardware.

The IBM DS8000® supports encryption-capable hard disk drives (HDDs) and flash drives. These Full Disk Encryption (FDE) drive sets are used with key management services to allow encryption for data at rest (DAR). Use of encryption technology involves several considerations that are critical for you to understand to maintain the security and accessibility of encrypted data.

Starting with Release 8.5 code, the DS8000 also supports Transparent Cloud Tiering (TCT) data object encryption. With TCT encryption, data is encrypted before it is transmitted to the cloud. The data remains encrypted in cloud storage and is decrypted after it is transmitted back to the DS8000.

Starting with DS8000 Release 9.0, the DS8900F provides IBM Fibre Channel Endpoint Security when communicating with an IBM z15™, which supports link authentication and the encryption of data that is in-flight. For more information, see IBM Fibre Channel Endpoint Security for IBM DS8900F and IBM Z, SG24-8455.

This edition focuses on IBM Security™ Key Lifecycle Manager V4.0 or later with the DS8000 Release 9.1 code or later and an updated DS GUI for encryption functions. Other external key managers, such as Thales CipherTrust Manager, Thales Vormetric Data Security Manager (DSM), and Gemalto SafeNet KeySecure (KS) are referenced as supported for DAR encryption and TCT encryption.

Table of contents

Chapter 1. Encryption overview
Chapter 2. External key managers
Chapter 3. IBM DS8000 encryption mechanisms
Chapter 4. Planning and guidelines for IBM DS8000 encryption
Chapter 5. IBM DS8000 encryption implementation
Chapter 6. Maintaining the IBM DS8000 encryption environment

Follow IBM Redbooks

Follow IBM Redbooks