Encrypted storage installation guidelines

For a successful installation, ensure that you understand and follow the guidelines for installing encryption-capable storage devices.

Review and apply the following encryption guidelines:
  • You must have an isolated key server that meets the hardware and software requirements that are specified in the IBM® Security Guardium Key Lifecycle Manager online product documentation.
  • You must have at least one isolated key server per site. This key server can be configured to serve keys to any Security Guardium Key Lifecycle Manager supported device, including IBM tape.
  • You must configure at least one isolated key server to each storage system that is encryption-enabled.
  • You must configure at least two key servers to each storage system that is encryption-enabled.
  • To use encryption on your storage system, you must be certified for using encryption on each system. After you are certified, IBM enables the encryption function.
The ordering, installation, and encryption activation of an encryption-capable storage system involves the following steps:
  1. You order a storage system from IBM with encryption-capable DDMs.
  2. IBM delivers the system and the IBM service representative installs it.
  3. You configure the key servers to be used with the system. IBM Lab Services or IBM Global Services can be contracted to assist with the setup of the key servers.
  4. You configure the Security Guardium Key Lifecycle Manager to add the storage system to the device table and configure its key label.
  5. You configure the system with the IP addresses of the associated key server ports.
  6. Before you configure an encryption group, configure a recovery key either configure a recovery key or disable it. You configure an encryption group on the storage system with a key-label defined on the Security Guardium Key Lifecycle Manager.
  7. You request encryption certification for the storage system. Obtaining encryption certification involves:
    • Contracting IBM Lab Services to provide education and to validate the configuration of key servers that are configured with the system.
    • Notifying the IBM sales team of readiness to activate encryption on the storage system.
  8. IBM files your agreement and authorizes a LIC authorization key to activate encryption on the storage system. Each LIC authorization key is unique to the system for which it is generated.
  9. You install the LIC authorization key on the storage system.
  10. You can now configure ranks or extent pools for the configured encryption group.
    Notes:
    1. All ranks and extent pools on a given encryption-capable storage system must be configured with the same encryption group attribute. The first rank or encryption group that is configured determines what the remaining objects must be configured with. A value of 0 indicates encryption-disabled. A value of 1 indicates encryption-enabled. The value 0 can be specified only when no encryption groups are configured. The value 1 can be specified only when encryption group 1 is configured.
    2. To change between encryption-enabled and encryption-disabled, all ranks and extent pools must be unconfigured. Unconfiguring an encryption-enabled rank causes any data that is stored on the rank to be cryptographically erased and then overwritten to reinitialize the rank. Additionally, if encryption is to be enabled, encryption group 1 must be configured. If encryption is to be disabled, encryption group 1 must be unconfigured.