Inside System Storage -- by Tony Pearson

Tony Pearson Tony Pearson is a Master Inventor and Senior IT Specialist for the IBM System Storage product line at the IBM Executive Briefing Center in Tucson Arizona, and featured contributor to IBM's developerWorks. In 2011, Tony celebrated his 25th year anniversary with IBM Storage on the same day as the IBM's Centennial. He is author of the Inside System Storage series of books. This blog is for the open exchange of ideas relating to storage and storage networking hardware, software and services. You can also follow him on Twitter @az990tony.
(Short URL for this blog: ibm.co/Pearson )
  • Add a Comment
  • Edit
  • More Actions v
  • Quarantine this Entry

Comments (2)

1 localhost commented Trackback

Clarifying questions:<div>&nbsp;</div> 1) The DS8K can only FDE on new systems, using the specific drives mentioned, and the entire array must be encrypted - all or nothing - correct?<div>&nbsp;</div> 1a) Can you later choose to un-encrypt the entire array?<div>&nbsp;</div> 1b) Is the encryption one key per system, one key per drive, or multiple keys per drive?<div>&nbsp;</div> 1c) Can you re-key the drives non-disruptively?<div>&nbsp;</div> 2) The DS8K cannot encrypt either Flash or SATA drives, under any configuration - correct?<div>&nbsp;</div> 3) The minimum purchase of Flash drives for the DS8K is 16, of which 14 are usable (RAID 5 protection required), and 2 are hot spares - correct?<div>&nbsp;</div> 4) You do not support RAID 5 on SATA drives in the DS8K - correct?<div>&nbsp;</div> Thanks...

2 localhost commented Trackback

Hi BarryB, happy new year!<div>&nbsp;</div> Here are the answers to your questions. Most of this is in the announcement letters, but for the benefit of everyone who may not pick up on some of the subtleties, I will spell it out.<div>&nbsp;</div> 1) The DS8K can only FDE on new systems, using the specific drives mentioned, and the entire array must be encrypted - all or nothing - correct?<div>&nbsp;</div> Correct, for now. From the press release:"The Full Disk Encryption support feature is available only as plant order. Plant configured encryption supporting systems will be allowed to increase the number of drive sets installed at the installed location. Intermixing of drives is not supported, thus the entire subsystem is either encrypted drives (#5xxx features) or intermixed devices of Fibre Channel, SATA, and SSD devices (#2xxx and #6xxx features)."<div>&nbsp;</div> 1a) Can you later choose to un-encrypt the entire array?<div>&nbsp;</div> Yes, IBM offers this as a simple means to securely erase all the data for decommissioning the array. (Normally, clients hire someone to erase all the data securely, to protect sensitive information for compliance reasons, for example, and now they can do it themselves to save money)<div>&nbsp;</div> 1b) Is the encryption one key per system, one key per drive, or multiple keys per drive?<div>&nbsp;</div> Not exactly. One key per "Storage Facility Image". If you have a DS8100 or DS8300 in non-LPAR mode, then this is the same as one key per system. If you split your DS8300 into separate LPARs, then each LPAR can have its own key.<div>&nbsp;</div> 1c) Can you re-key the drives non-disruptively?<div>&nbsp;</div> Currently, no, the FDE drives do not yet support that.<div>&nbsp;</div> 2) The DS8K cannot encrypt either Flash or SATA drives, under any configuration - correct?<div>&nbsp;</div> The encryption is done at the HDD level, not in the array itself. However, you can continue to encrypt data using the application or operating system as you have today, onto data that is stored on Flash SSD or SATA disks. If sometime in the future Flash SSD or SATA drives are manufactured with FDE capability, then IBM can offer this as well, but currently FDE drives currently only come in 15K rpm drive speeds.<div>&nbsp;</div> 3) The minimum purchase of Flash drives for the DS8K is 16, of which 14 are usable (RAID 5 protection required), and 2 are hot spares - correct?<div>&nbsp;</div> Two hot spares are required per storage facility instance, not per drive set, so the first drive set will have two RAID-5 ranks of 6+P+S and the rest of the drive sets can be 7+P. Only RAID-5 is supported for now at this time under standard terms and conditions. Clients can submit an RPQ if they want RAID-6 or RAID-10 support.<div>&nbsp;</div> 4) You do not support RAID 5 on SATA drives in the DS8K - correct?<div>&nbsp;</div> Some industry experts consider RAID-5 on large SATA drives to be the equivalent of "professional malpractice" because it takes a long time to rebuild from an HDD failure and there is risk during those hours that a second drive might fail, resulting in tape recovery. Based on these concerns, IBM decided not to support this at this time under standard terms and conditions for the DS8000. However, if clients are willing to accept the risks, perhaps the data is temporary or easily re-creatable, they can submit an RPQ requesting RAID-5 support on their DS8000 SATA drives. IBM also offers plenty of other disk arrays that support RAID-5 SATA, including our DS4000 and DS5000 series, where mainframe attachment is not required.<div>&nbsp;</div> Hope that answers everything, Barry!

Add a Comment Add a Comment