Data encryption

Note: Storage hardware encryption is only applicable to Cloud Pak for Data System versions 1.x.

Encrypting data ensures that if a physical medium is lost, the data on it remains unreadable and confidential: it either cannot be obtained at all, or it must first be decrypted to be obtained. Cloud Pak for Data System provides multi-level encryption of data at rest (data on the disk).

Cloud Pak for Data System stores its internal user passwords in the database by using the Salted SHA-1 (SSHA) scheme.

Encryption scheme

In an encryption scheme, the data requiring protection is transformed into an unreadable form by applying a cryptographic algorithm and an encryption key. A cryptographic algorithm is a mathematical function that is used in encryption and decryption processes. An encryption key is a sequence that controls the operation of a cryptographic algorithm and enables the reliable encryption and decryption of data. A local or external key manager is typically used to manage the keys.

With native database encryption, the database system itself encrypts the data before it calls the underlying file system to write that data to disk. This means that not only your current data is protected, but also data in any new table space containers or table spaces that you add in the future. A database encryption key (DEK) is the key with which the actual user data is encrypted. A master key is a "key encrypting key": it is used to protect the DEK. Although the DEK is stored and managed by the database, the master key is stored and managed outside the database.

For information on how storage encryption works, see Storage hardware encryption.

Persistent media types

In Cloud Pak for Data System there are two basic types of persistent media:
  1. M.2 drives - for OS and platform
    • They are not hot swappable.
    • They do not support encryption.
  2. NVMe SSD drives - for user data
    • They are hot-swappable drives used for user data storage.
    • Data-at-rest encryption is always enabled.
    • Data protection and redundancy are managed by GPFS.