Skip to main content

IBM DS8000 Encryption for Data at Rest, Transparent Cloud Tiering, and Endpoint Security (DS8000 Release 10.0)

A draft IBM Redpaper publication

thumbnail 

Last updated on 01 November 2024

  1. .PDF (15.2 MB)

Share this page:   

IBM Form #: REDP-4500-11


Authors: Bert Dufrasne , Gregg Arquero, Rinkesh Bansal, Tony Eriksson, Michael Frankenberg, Peter Kimmel, Aditi Prasad and Andreas Reinhardt

    menu icon

    Abstract

    The IBM DS8000® supports encryption-capable drives. They are used with key management services (local or external) to allow encryption for data-at-rest (DAR). The use of encryption technology involves several considerations that are critical for you to understand to maintain the security and accessibility of encrypted data.

    This edition of this IBM Redpaper publication focuses on IBM Security® Guardium® Key Lifecycle Manager with the DS8000 Release 10.0 code or later and updated DS GUI for encryption functions.

    The DS8000 Release 9.2 code introduced support for local key management for DAR encryption and is described in Chapter 7, “Local key management” on page 229.

    Important: Failure to follow the requirements that are described in this publication can result in an encryption deadlock.

    The DS8000 system supports Transparent Cloud Tiering (TCT) data object encryption. With TCT encryption, data is encrypted before it is transmitted to the cloud. The data remains encrypted in cloud storage and is decrypted after it is transmitted back to the IBM DS8000.

    The DS8000 system also supports Fibre Channel Endpoint Security when communicating with IBM z15® and newer IBM Z® servers, which includes encryption of data that is in-flight, and link authentication.

    Table of Contents

    Chapter 1. Encryption overview

    Chapter 2. External key managers

    Chapter 3. IBM DS8000 encryption mechanisms

    Chapter 4. Planning and guidelines for IBM DS8000 encryption

    Chapter 5. Implementing IBM DS8000 encryption

    Chapter 6. Maintaining the IBM DS8000 encryption environment

    Chapter 7. Local key management

     

    Special Notices

    The material included in this document is in DRAFT form and is provided 'as is' without warranty of any kind. IBM is not responsible for the accuracy or completeness of the material, and may update the document at any time. The final, published document may not include any, or all, of the material included herein. Client assumes all risks associated with Client's use of this document.