Enable policy to encrypt data at rest

Explore how IBM Security Key Lifecycle Manager 2.5 automates the onerous key management task

The emphasis on encrypting data at rest (instead of just data in motion) adds even more complexity to the key management process. Explore how IBM® Security Key Lifecycle Manager (formerly Tivoli® Key Lifecycle Manager) can simplify this task for security professionals by automating many of the component tasks. Also, learn how the latest Version 2.5 has been enhanced and improved.


developerWorks security editors, IBM staff, IBM

This article is brought to you by the editors of the developerWorks Security site.

20 January 2014


Encrypting Data With Confidence

IBM has published a new white paper on encrypting data at an enterprise scale. Learn about encrypting mission-critical data with confidence and reduce security risks across the enterprise and beyond. Download "Encrypting Data With Confidence."

For typical IT managers, one important aspect of system security involves encrypting resource and transaction data. A critical component of encryption is the encryption key, the piece of information or parameter that determines the functional output of a cryptographic algorithm or cipher; the key specifies a particular transformation of plaintext into ciphertext and vice-versa.

The modern, complex IT system contains many bits of data that might need to be encrypted. More and more transaction data (data in motion) is being encrypted; the same can be said of data resources in storage or in use within the IT system (data at rest). Figure 1 demonstrates some of the many points in an IT system at which data can be encrypted:

Figure 1. Data at rest (or in motion) can be encrypted anywhere within the IT ecosystem

This means an IT security manager needs to generate many encryption keys, but the story doesn't end there. The security professional also needs to be able to track, investigate, verify and validate, retire, and recreate this growing number of keys — in other words, manage the entire lifecycle of a large number of encryption keys.

How complex and critical is managing encryption keys throughout their lifecycles?

  • Lost keys mean lost data.
  • Theoretically, every component in your IT system could harbor data that might need to be encrypted, including storage devices, disk drives, networking switches and equipment, smart meters, and even applications.

To manage such a large number of keys, each with its own lifespan and metadata, the security manager should turn to tools that automate much of the process.
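The lifecycle just described (generate, track, retire, recreate, and "lost keys mean lost data") can be made concrete as a small key register. The following is an added example, written for this article and not code from IBM Security Key Lifecycle Manager; the state names follow the KMIP object-state model (Pre-Active, Active, Deactivated, Compromised, Destroyed), the `key-NNNN` naming scheme and the one-year crypto-period are constructed, and the register only tracks which data objects still depend on each key (the actual encryption of those objects is assumed to happen elsewhere).

```python
"""Minimal key-lifecycle register (constructed illustration, not IBM SKLM code).

Rules enforced:
  * only an Active key inside its crypto-period may protect new data;
  * an Active or Deactivated key may still process (decrypt) existing data;
  * a key that still protects data cannot be destroyed, so data is never
    silently orphaned ("lost keys mean lost data").
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Set


class State(Enum):
    PRE_ACTIVE = "Pre-Active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"


@dataclass
class ManagedKey:
    key_id: str
    material: Optional[bytes]          # None once destroyed
    state: State
    created: datetime
    not_after: datetime                # end of the crypto-period
    protected_objects: Set[str] = field(default_factory=set)


class KeyRegister:
    def __init__(self, crypto_period: timedelta = timedelta(days=365)):
        self._keys: Dict[str, ManagedKey] = {}
        self._period = crypto_period

    def create(self, now: datetime, activate: bool = True) -> str:
        key_id = f"key-{len(self._keys) + 1:04d}"      # constructed naming scheme
        key = ManagedKey(key_id, secrets.token_bytes(32), State.PRE_ACTIVE, now, now + self._period)
        if activate:
            key.state = State.ACTIVE
        self._keys[key_id] = key
        return key_id

    def active_key(self, now: datetime) -> Optional[str]:
        for key in self._keys.values():
            if key.state is State.ACTIVE and now < key.not_after:
                return key.key_id
        return None

    def protect(self, key_id: str, object_name: str, now: datetime) -> bytes:
        key = self._keys[key_id]
        if key.state is not State.ACTIVE or now >= key.not_after:
            raise PermissionError(f"{key_id} is {key.state.value}; only Active keys may protect new data")
        key.protected_objects.add(object_name)
        return key.material

    def process(self, key_id: str, object_name: str) -> bytes:
        key = self._keys[key_id]
        if key.state not in (State.ACTIVE, State.DEACTIVATED):
            raise PermissionError(f"{key_id} is {key.state.value}; it may not be used to read {object_name}")
        return key.material

    def rotate(self, now: datetime) -> str:
        """Create a fresh Active key and deactivate the previous one; old data stays readable."""
        old_id = self.active_key(now)
        new_id = self.create(now)
        if old_id is not None:
            self._keys[old_id].state = State.DEACTIVATED
        return new_id

    def rewrap(self, object_name: str, old_id: str, new_id: str, now: datetime) -> bytes:
        """Record that object_name has been re-encrypted under new_id (re-encryption itself is external)."""
        self._keys[old_id].protected_objects.discard(object_name)
        return self.protect(new_id, object_name, now)

    def compromise(self, key_id: str) -> None:
        self._keys[key_id].state = State.COMPROMISED

    def destroy(self, key_id: str) -> None:
        key = self._keys[key_id]
        if key.protected_objects:
            raise RuntimeError(f"{key_id} still protects {sorted(key.protected_objects)}; rewrap first")
        key.material = None
        key.state = State.DESTROYED

    def state_of(self, key_id: str) -> State:
        return self._keys[key_id].state
```

The refusal in `destroy` is the point: retiring a key is a two-step operation (rotate, then rewrap or expire every object that depends on it), and a register that does not track dependencies cannot tell the operator which step was skipped.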

One such tool is IBM® Security Key Lifecycle Manager, optimized to manage keys for data at rest through the various key lifecycles. But before we talk about that, let's first look at why data at rest should be encrypted.

Protecting data at rest

Traditionally, IT security has focused more on protecting data in motion: the data that flows in the form of transactions between two customers, between a customer and a business, or between two businesses. The original thinking was that at this point the data was out of the originator's control and therefore more vulnerable to hijacking by a malicious third party.

Changes in how data at rest is used have made it more important to re-emphasize its security. Those changes include:

  • Compliance requirements and adherence to standards that more agencies and governments are demanding.
  • New and expanded disclosure laws concerning privacy breaches.
  • A larger share of employees has access to sensitive data within an organization's IT infrastructure, which exposes the company to insider threats.
  • To be more useful in decision-making, more of an organization's data at rest resides outside of a more easily protected central repository.

Let's examine how IBM Security Key Lifecycle Manager helps automate the massive job of encryption key management.

IBM Security Key Lifecycle Manager 2.5

IBM Security Key Lifecycle Manager (formerly Tivoli Key Lifecycle Manager) is a simple and robust solution for key storage, key serving, and key lifecycle management, designed for both IBM self-encrypting storage devices and non-IBM devices. The product enables encryption of sensitive data and offers automated replication that clones the master key manager to up to five servers. Not only keys but also other configuration information is replicated, for example when keys are rolled over.

The product meets regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, and the Health Insurance Portability and Accountability Act (HIPAA). It supports the OASIS Key Management Interoperability Protocol (KMIP) standard and Federal Information Processing Standard (FIPS) 140-2 Level 1. It also offers users the option to use FIPS 140-2 Level 3 validated hardware to enhance key security.

Other features of Security Key Lifecycle Manager include:

  • Automated creation, import, distribution, and backup of keys.
  • Key generation and servicing from a central location.
  • Device grouping into separate domains.
  • Multivariable administrator definitions.
  • Integrated, centralized directory servers for role-based access control.
  • Key readability can be tied to specific encryption hardware.
  • Key delivery can be tied to specific known devices.
  • Automated replication for high-availability deployments.
  • Automated clone replication that can clone up to five copies and be configured to do automated backups of the master.
  • Support for disaster recovery by working with a wide variety of clustering, replication, and failover implementations.

The latest version of Security Key Lifecycle Manager, Version 2.5, includes:

  • An improved and simplified user interface.
  • Easier installation by using the IBM Installation Manager.
  • Quicker installation, including silent (unattended) installation: approximately 15 minutes.
  • Seamless integration of all installation components: IBM WebSphere® Application Server, IBM DB2®, and the Security Key Lifecycle Manager application itself.

Version 2.5 also gathers all required installation information for you before the installation starts. The logs are now centralized in a single location, and the system now scales to support even larger numbers of keys.
