Storage hardware encryption

Note: Storage hardware encryption is only applicable to Cloud Pak for Data System versions 1.x.

All NVMe devices that store user data in Cloud Pak for Data System support TCG Opal encryption. TCG Opal encryption provides full-disk encryption for all host-accessible user data that is stored on the media.

The TCG Opal standard requires AES-128 or AES-256. Cloud Pak for Data System is compatible with the following drives and standards. To verify the drive type, run the command sedutil-cli --scan on each node; the manufacturer's drive type appears in column three of the output. Compare this value with the manufacturer's part column in the following table. The links include both the Lenovo documentation for the drive and the manufacturer's cryptographic certificate.
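
The check described above, as an added example that is not part of the IBM documentation: it parses constructed sedutil-cli --scan output (assumed format: device, Opal flag, model, firmware per line, where a flag containing "2" indicates Opal 2.0 support) and flags drives that lack Opal 2.0 or whose model is not on a placeholder certified list.

```python
"""Check sedutil-cli --scan output for TCG Opal 2.0 support (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `sedutil-cli --scan` output. Assumed column layout:
# "<device> <opal-flag> <model> <firmware>"; flag "2" or "12" includes Opal 2.0,
# "1" is Opal 1.0 only, "E" is Enterprise SSC, "No" means not TCG-capable.
SAMPLE_SCAN = """\
Scanning for Opal compliant disks
/dev/nvme0   2  VENDOR-NVME-MODEL-A 3.84TB          FW0101
/dev/nvme1  12  VENDOR-NVME-MODEL-A 3.84TB          FW0101
/dev/sda    No  VENDOR-SATA-MODEL-B                 CC43
No more disks present ending scan
"""

# Placeholder list; the real certified parts are in the product's drive table.
CERTIFIED_MODELS = {"VENDOR-NVME-MODEL-A 3.84TB"}

@dataclass
class ScanEntry:
    device: str
    opal_flag: str
    model: str
    firmware: str

    @property
    def opal2(self) -> bool:
        return "2" in self.opal_flag  # covers both "2" and "12"

# Device, flag, then a lazily matched model (may contain spaces), then firmware.
_LINE = re.compile(r"^(/dev/\S+)\s+(\S+)\s+(.*?)\s+(\S+)\s*$")

def parse_scan(text: str) -> list[ScanEntry]:
    """Return one ScanEntry per /dev/... line; header and footer lines are skipped."""
    return [ScanEntry(*m.groups()) for line in text.splitlines()
            if (m := _LINE.match(line))]

def noncompliant(entries: list[ScanEntry], certified: set[str]) -> list[tuple[str, str]]:
    """Return (device, reason) pairs for drives that fail either check."""
    problems = []
    for e in entries:
        if not e.opal2:
            problems.append((e.device, f"no Opal 2.0 support (flag {e.opal_flag})"))
        elif e.model not in certified:
            problems.append((e.device, f"model not on certified list: {e.model}"))
    return problems

if __name__ == "__main__":
    for device, reason in noncompliant(parse_scan(SAMPLE_SCAN), CERTIFIED_MODELS):
        print(f"{device}: {reason}")
```

On a real node, replace SAMPLE_SCAN with the captured output of sedutil-cli --scan and CERTIFIED_MODELS with the part numbers from the table.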

For more details on TCG Opal specifications, see TCG Storage Opal SSC.

Cloud Pak for Data System uses SSD disks as the main storage medium. These disk drives are self-encrypting drives (SEDs), which provide improved security and protection of the data that is stored on the system.

Self-encrypting drives encrypt data as it is written to the disk. Each disk has a disk encryption key (DEK) that is set at the factory and stored on the disk. The disk uses the DEK to encrypt data as it is written, and then to decrypt the data as it is read from the disk. The operation of the disk, including its encryption and decryption, is transparent to the users who are reading and writing data. This default encryption and decryption mode is referred to as secure erase mode. In secure erase mode, you do not need an authentication key or password to decrypt and read data. SEDs offer improved capabilities for an easy and speedy secure erase in situations where disks must be repurposed or returned for support or warranty reasons.

For the optimal security of the data stored on the disks, SEDs have a mode referred to as auto-lock mode. In auto-lock mode, the disk uses an authentication encryption key (AEK) to protect its DEK. When powered off, the disks are automatically locked. When the disk is powered on, the SED requires a valid AEK to read the DEK and unlock the disk to proceed with read and write operations. If the SED does not receive a valid authentication key, the data on the disk cannot be read. The auto-lock mode helps to protect the data when disks are accidentally or intentionally removed from the system.

In many environments, the secure erase mode may be sufficient for normal operations and gives you easy access to commands that can quickly and securely erase the contents of the disk before a maintenance or repurposing task. For environments where protection against data theft is paramount, the auto-lock mode adds an extra layer of access protection for the data that is stored on your disks.

The SED models that are certified for use on the Cloud Pak for Data System meet the requirements of FIPS 140-2 for the cryptographic routines used by the disks. The ap hw -detail command reports the disk model, which can be looked up on the NIST vendor list. For more information about the NIST vendor list, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.