Enabling and disabling 3592 Generation 2 and later drive encryption

With IBM Storage Protect, you can use the following types of drive encryption with drives that are 3592 Generation 2 and later: Application, System, and Library. These methods are defined through the hardware.

About this task

The DRIVEENCRYPTION parameter on the DEFINE DEVCLASS command specifies whether drive encryption is allowed for drives that are 3592 Generation 2 and later. Use this parameter to ensure IBM Storage Protect compatibility with hardware encryption settings for empty volumes. You cannot use this parameter for storage pool volumes that are full or are filling.
  • To use the Application method, in which IBM Storage Protect generates and manages encryption keys, set the DRIVEENCRYPTION parameter to ON. This enables the encryption of data for empty volumes. If the parameter is set to ON and if the hardware is configured for another encryption method, backup operations fail.
  • To use the Library or System methods of encryption, set the parameter to ALLOW. This specifies that IBM Storage Protect is not the key manager for drive encryption, but allows the hardware to encrypt the volume's data through one of the other methods. Setting the parameter to ALLOW does not by itself encrypt any volumes. Data is encrypted only when the parameter is set to ALLOW and the hardware is configured to use one of these methods.

The DRIVEENCRYPTION parameter is optional. The default value is to allow the Library or System methods of encryption.

Procedure

The following simplified example shows how to encrypt data for empty volumes in a storage pool, by using IBM Storage Protect as the key manager:

  1. Define a library by issuing the DEFINE LIBRARY command.
    For example, issue the following command:
    define library 3584 libtype=SCSI
  2. Define a device class, 3592_ENCRYPT, by issuing the DEFINE DEVCLASS command and specifying the value ON for the DRIVEENCRYPTION parameter.
    For example, issue the following command:
    define devclass 3592_encrypt library=3584 devtype=3592 driveencryption=on
  3. Define a storage pool.
    For example, issue the following command:
    define stgpool 3592_encrypt_pool 3592_encrypt
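The following added example, which is not part of the IBM documentation or the product, encodes the rules described on this page so an administrator can check a DEFINE DEVCLASS command against the encryption method configured on the drive hardware before empty volumes are written. The hardware method labels (application, library, system, none) and the function names are assumptions made for this example.

```python
import shlex

VALID_SETTINGS = {"on", "allow", "off"}                          # DRIVEENCRYPTION values on this page
HARDWARE_METHODS = {"application", "library", "system", "none"}  # assumed labels for the drive setting


def parse_define_devclass(command: str) -> dict:
    """Split a DEFINE DEVCLASS command into {'name': ..., 'param': 'value', ...} (lower-cased)."""
    tokens = shlex.split(command)
    if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["define", "devclass"]:
        raise ValueError("not a DEFINE DEVCLASS command")
    params = {"name": tokens[2].lower()}
    for tok in tokens[3:]:
        key, sep, value = tok.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed parameter: {tok!r}")
        params[key.lower()] = value.lower()
    return params


def encryption_outcome(driveencryption: str, hardware_method: str, volume_empty: bool = True) -> str:
    """Outcome for one volume, following the rules the page states for each setting."""
    setting, hw = driveencryption.lower(), hardware_method.lower()
    if setting not in VALID_SETTINGS:
        raise ValueError(f"invalid DRIVEENCRYPTION value: {driveencryption!r}")
    if hw not in HARDWARE_METHODS:
        raise ValueError(f"unknown hardware method: {hardware_method!r}")
    if not volume_empty:
        return "unchanged"                 # the parameter applies only to empty volumes
    if setting == "on":                    # IBM Storage Protect generates and manages the keys
        if hw == "application":
            return "encrypted-server-keys"
        if hw in ("library", "system"):
            return "backup-fails"          # hardware is set for another method
    elif setting == "allow":               # the hardware is the key manager
        if hw in ("library", "system"):
            return "encrypted-hardware-keys"
        if hw == "none":
            return "unencrypted"           # ALLOW alone encrypts nothing
    else:                                  # OFF: no encryption on new volumes
        if hw in ("library", "system"):
            return "backup-fails"
        if hw == "none":
            return "unencrypted"
    return "undetermined"                  # combination the page does not describe


def check_command(command: str, hardware_method: str) -> str:
    """Evaluate a DEFINE DEVCLASS command; a missing DRIVEENCRYPTION means the default, ALLOW."""
    params = parse_define_devclass(command)
    return encryption_outcome(params.get("driveencryption", "allow"), hardware_method)
```

Run check_command against each device class definition with the method actually configured on the drives; any "backup-fails" result is a mismatch to correct before the first empty volume is mounted.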

What to do next

To disable any method of encryption on new volumes, set the DRIVEENCRYPTION parameter to OFF. If the hardware is configured to encrypt data through either the Library or System method and DRIVEENCRYPTION is set to OFF, backup operations fail.