Storage hardware encryption
Cloud Pak for Data System uses SSD disks as the main storage medium. These disk drives are self-encrypting drives (SED), which provides improved security and protection of the data stored on the system.
Self-encrypting drives encrypt data as it is written to the disk. Each disk has a disk encryption key (DEK) that is set at the factory and stored on the disk. The disk uses the DEK to encrypt data as it writes, and then to decrypt the data as it is read from disk. The operation of the disk, and its encryption and decryption, is transparent to the users who are reading and writing data. This default encryption and decryption mode is referred to as secure erase mode. In secure erase mode, you do not need an authentication key or password to decrypt and read data. SEDs offer improved capabilities for an easy and speedy secure erase for situations when disks must be repurposed or returned for support or warranty reasons.
For the optimal security of the data stored on the disks, SEDs have a mode referred to as auto-lock mode. In auto-lock mode, the disk uses an authentication encryption key (AEK) to protect its DEK. When powered off, the disks are automatically locked. When the disk is powered on, the SED requires a valid AEK to read the DEK and unlock the disk to proceed with read and write operations. If the SED does not receive a valid authentication key, the data on the disk cannot be read. The auto-lock mode helps to protect the data when disks are accidentally or intentionally removed from the system.
In many environments, the secure erase mode may be sufficient for normal operations and provides you with easy access to commands that can quickly and securely erase the contents of the disk before a maintenance or re-purposing task. For environments where protection against data theft is paramount, the auto-lock mode adds an extra layer of access protection for the data stored on your disks.
The SED models certified for use on the Cloud Pak for Data System meet the requirements of FIPS 140-2 with respect to the cryptographic routines used by the disks. The ap hw -detail command provides information for disk model information which can be referenced on the NIST vendor list. For more information about the NIST vendor list, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.