Disk encryption

The storage system supports data encryption with the Full Disk Encryption (FDE) feature.

The FDE disks are standard on the DS8870. These drives encrypt and decrypt at interface speeds, with no impact on performance.

Recovery key and dual key server support is available on the DS8870. For a list of FDE drives, see Feature codes for drive sets.

To enable encryption, the storage system must be configured to communicate with two or more Security Key Lifecycle Manager servers. The physical connection between the Hardware Management Console (HMC) and the key server is through an Internet Protocol network.

Each FDE drive has an encryption key for the region of the disk that contains data. When the data region is locked, that region key is wrapped with an access credential and stored on the disk media. After a power loss, read and write access to a locked region is blocked until the initiator that is accessing the drive authenticates with the currently active access credential. When the data region is unlocked, the region key is instead wrapped with the unique data key that is assigned to that particular disk, and the wrapped key is stored on the disk media. Because that data key is accessible to the device and to any attached initiator, read and write access to an unlocked region requires neither an access credential nor any interface protocol that a non-FDE drive does not already use. An unlocked FDE drive still encrypts and decrypts data with its region key, but it does so transparently to the initiator, so the data on an unlocked drive is obfuscated rather than protected.

An FDE drive that is a member of an encryption-enabled rank is locked. An FDE drive that is unassigned, a spare, or a member of an encryption-disabled rank is unlocked. Locking occurs when an FDE drive is added to an encryption-enabled rank. Unlocking occurs when an encryption-enabled rank is deleted or when a member of an encryption-enabled rank becomes a spare. Unlocking implies a cryptographic erasure of the FDE drive, because the region key is discarded and the ciphertext that remains on the media can no longer be decrypted. FDE drives are also cryptographically erased when an encryption-disabled rank is deleted. You can therefore cryptographically erase the data for a set of logical volumes in an encryption-capable extent pool by deleting all of the ranks that are associated with that extent pool.

FDE drives are not cryptographically erased when a disk fails. Instead, the device adapter might intentionally fence the failing drive from the device interface as soon as possible, to prevent it from causing other problems on the interface. The ciphertext remains on the failed drive; if the drive was a member of an encryption-enabled rank it is still locked, so its data stays inaccessible to anyone who does not hold the active access credential.

A unique access credential for each locked drive in the storage facility image (SFI) is derived from a single data key that the SFI obtains from the Security Key Lifecycle Manager server. The storage system persistently stores multiple independent copies of the externally encrypted data key (EEDK), and after a power-on it must be able to communicate with a Security Key Lifecycle Manager server to obtain the data key before the disks that are enabled for encryption can be accessed.
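The lock, unlock, power-loss and cryptographic-erase behaviour described in the three paragraphs above, and the derivation of one access credential per drive from a single SFI data key, as an added model in Python. This is illustrative code written for this page, not IBM's firmware: the drive's hardware cipher is stood in for by a SHA-256 keystream XOR, the wrap format (nonce, encrypted key, HMAC tag) and the HMAC-based credential derivation are assumptions of the model, and the serial numbers and data are constructed.

```python
import hashlib
import hmac
import secrets

# Added example (not IBM code). Models an FDE drive's data-region key being
# wrapped under an access credential (locked) or under the drive's own data key
# (unlocked), lost from volatile memory on power loss, and replaced on unlock
# (cryptographic erase). Cipher, wrap format and credential derivation are
# stand-ins chosen for the model, not the DS8870's real formats.


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream cipher standing in for the drive's AES engine."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Wrap `key` under `kek`: nonce || encrypted key || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    enc = _stream_xor(kek, nonce, key)
    tag = hmac.new(kek, nonce + enc, hashlib.sha256).digest()
    return nonce + enc + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Undo wrap_key; raises PermissionError if `kek` is not the wrapping key."""
    nonce, enc, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + enc, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("access credential rejected")
    return _stream_xor(kek, nonce, enc)


def derive_access_credential(sfi_data_key: bytes, drive_serial: bytes) -> bytes:
    """One SFI data key -> a unique access credential per drive (modelled as HMAC)."""
    return hmac.new(sfi_data_key, b"access-credential:" + drive_serial,
                    hashlib.sha256).digest()


class FdeDrive:
    def __init__(self, serial: bytes):
        self.serial = serial
        # Unique per-disk data key: readable by the device and any attached initiator.
        self.data_key = secrets.token_bytes(32)
        self.media = b""            # ciphertext on the platter
        self.locked = False
        self._wrapped = None        # wrapped region key, stored on the media
        self._region_key = None     # volatile copy used for I/O
        self._erase()

    def _erase(self) -> None:
        """Cryptographic erase: new region key, so existing ciphertext is unreadable."""
        self._region_key = secrets.token_bytes(32)
        self._wrapped = wrap_key(self.data_key, self._region_key)
        self.locked = False

    def write(self, plaintext: bytes) -> None:
        if self._region_key is None:
            raise PermissionError("region locked: authenticate first")
        self.media = _stream_xor(self._region_key, b"region0", plaintext)

    def read(self) -> bytes:
        if self._region_key is None:
            raise PermissionError("region locked: authenticate first")
        return _stream_xor(self._region_key, b"region0", self.media)

    def lock(self, credential: bytes) -> None:
        """Drive joins an encryption-enabled rank: region key re-wrapped under the credential."""
        self._wrapped = wrap_key(credential, self._region_key)
        self.locked = True

    def power_cycle(self) -> None:
        """Volatile key is lost; an unlocked drive recovers it itself, a locked one cannot."""
        self._region_key = None
        if not self.locked:
            self._region_key = unwrap_key(self.data_key, self._wrapped)

    def authenticate(self, credential: bytes) -> None:
        """Initiator presents the active access credential to a locked drive."""
        self._region_key = unwrap_key(credential, self._wrapped)

    def unlock(self) -> None:
        """Drive leaves the rank (rank deleted or drive becomes a spare): cryptographic erase."""
        self._erase()
```

Note what the model makes visible: after `lock()` and a `power_cycle()`, reads fail until `authenticate()` is called with the credential derived for that serial, and a credential derived for another drive is rejected; after `unlock()` the old ciphertext is still on the media but decrypts to garbage, which is exactly what "unlocking implies a cryptographic erasure" means.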

In the current implementation of an encryption-capable storage system, data is persistently stored in one of the following places:
On your disks
Data on your disks (for example, DDMs installed through DDM Install Group features) that are members of an encryption-enabled rank is managed through a data key that is obtained from the Security Key Lifecycle Manager server: the data is encrypted with an encryption key that is in turn protected through the externally encrypted data key. Data on disks that are members of a rank that is not encryption-enabled is encrypted with an encryption key that is encrypted with a derived key stored on the disk, so that data is only obfuscated, not protected by the key server.
NVS dump data on system disks
If a force power off sequence starts, write data in flight in NVS memory is encrypted with an encryption key and stored on the system disk in the storage system. That encryption key is encrypted with a derived key and stored on the system disk, so the NVS dump data is obfuscated rather than key-server protected. The data on the system disk is cryptographically erased after power is restored and the data has been restored to NVS memory during the initial microcode load.
Atomic-parity update (APU) dump data in device flash memories
If a force power off sequence starts, atomic-parity write data in flight in device adapter memory for RAID 6 arrays is encrypted with an encryption key and stored in flash memory on the device adapter. This data is limited to 32 MB per device adapter or 512 MB per storage facility.
Note: Power off requests that are completed through the DS Storage Manager, the command-line interface, or the IBM® System z® power control interfaces do not start a unit emergency power off (UEPO) sequence. Activating the UEPO switch or losing AC power does start the force power off sequence described above.

Recovery key configuration operations

A security administrator must start the process to configure a recovery key for the storage system SFI before an encryption group is created. Each configured encryption group has an associated recovery key. You can use the recovery key to access data from an encryption group that is in a configured-inaccessible state when access to the encryption group data key through any key server is not possible.

The security administrator receives a 256-bit key that the SFI generates during the configuration process and must keep it securely for future use if an encryption deadlock occurs; the SFI does not keep a copy of the recovery key. The storage administrator must then approve the recovery key configuration request for it to become active. During the configuration process, the following steps take place:
  1. The security administrator initiates the configure recovery key function.
  2. The SFI generates a recovery key and generates a secure hash of the recovery key that produces the recovery key signature.
  3. The SFI generates a random key pair (the private key is referred to as the primary recovery key and the public key is referred to as the secondary recovery key).
  4. The SFI stores the encrypted primary recovery key, secondary recovery key, and recovery key signature for future use. The encrypted primary recovery key and secondary recovery key are stored in multiple places for reliability.
  5. The SFI provides the recovery key to the security administrator.
  6. The SFI zeroes its copies of the primary recovery key and the recovery key, puts the recovery key in the verify-pending state, and completes the configure recovery key function successfully.
  7. The security administrator initiates the verify recovery key function and inputs the recovery key.
  8. The storage administrator initiates the authorize recovery key function.
  9. The SFI puts the recovery key in the configured state and completes the authorize recovery key function successfully.

Within a secure key environment, you might choose to disable the recovery key rather than configure one. While disabling the recovery key increases the security of the encrypted data in the DS8000 system, it also increases the risk of encryption deadlock, the state in which no key server can supply the data key that the storage system needs to access its encrypted drives.

If you choose to disable the recovery key, you are strongly encouraged to follow the guidelines for preventing encryption deadlock exactly. If you do not and an encryption deadlock occurs, all of your encrypted data that is managed by key servers might be permanently lost.

The state of the recovery key must be Unconfigured to disable the recovery key. The recovery key process includes the following actions:
  1. The security administrator requests that the recovery key is disabled. This action changes the recovery key state from Unconfigured to Disable Authorize Pending.
  2. The storage administrator authorizes the recovery key disablement. This action changes the recovery key state from Disable Authorize Pending to Disabled.

Each encryption group that is configured has its own recovery key, which can be either configured or disabled. The current implementation supports a single encryption group and therefore a single recovery key.

It is possible to re-enable the recovery key of an encryption group once the encryption group is back in the unconfigured state, which requires that the encrypted volumes, ranks, and extent pools have first been deleted. Enabling the recovery key involves the following steps:
  1. The security administrator requests that the recovery key is enabled. This action changes the recovery key state from Disabled to Enable Authorize Pending.
  2. The storage administrator authorizes the recovery key enablement. This action changes the recovery key state from Enable Authorize Pending to Unconfigured.
  3. Normal recovery key configuration steps are followed to configure the recovery key before encryption group creation.
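The configure, verify and authorize steps listed under "Recovery key configuration operations" and the disable and enable procedures above, as one added Python model of the recovery key state machine. This is illustrative code written for this page, not IBM's implementation: it keeps the dual-control split (the security administrator requests, the storage administrator authorizes), retains only a hash of the key so the SFI holds no copy, and refuses encryption group creation until the recovery key is either Configured or Disabled. The role names, method names, the use of SHA-256 as the "secure hash", and the actor names in the usage are assumptions of the model; the primary/secondary key pair of steps 3 and 4 is not modelled.

```python
import hashlib
import hmac
import secrets
from enum import Enum

# Added example (not IBM code): model of the recovery key lifecycle described
# above. Role names, method names and SHA-256 as the signature hash are
# assumptions of the model; the primary/secondary key pair is omitted.


class RkState(Enum):
    UNCONFIGURED = "Unconfigured"
    VERIFY_PENDING = "Verify Pending"
    CONFIGURED = "Configured"
    DISABLE_AUTHORIZE_PENDING = "Disable Authorize Pending"
    DISABLED = "Disabled"
    ENABLE_AUTHORIZE_PENDING = "Enable Authorize Pending"


class Actor:
    def __init__(self, name: str, role: str):
        self.name, self.role = name, role


class RecoveryKeyControl:
    def __init__(self):
        self.state = RkState.UNCONFIGURED
        self.signature = None        # hash of the key; the key itself is never stored
        self.verified = False
        self.encryption_group = False

    def _require(self, actor: Actor, role: str, *states: RkState) -> None:
        """Dual control: enforce both the acting role and the current state."""
        if actor.role != role:
            raise PermissionError(f"{actor.name} ({actor.role}) may not act as {role}")
        if self.state not in states:
            raise ValueError(f"operation not valid in state {self.state.value}")

    # Configure / verify / authorize (steps 1 to 9 above).
    def configure(self, actor: Actor) -> bytes:
        self._require(actor, "security_admin", RkState.UNCONFIGURED)
        if self.encryption_group:
            raise ValueError("configure the recovery key before creating the encryption group")
        rk = secrets.token_bytes(32)                     # 256-bit recovery key
        self.signature = hashlib.sha256(rk).digest()     # recovery key signature
        self.verified = False
        self.state = RkState.VERIFY_PENDING
        return rk        # handed to the security administrator; SFI keeps no copy

    def verify(self, actor: Actor, rk: bytes) -> None:
        self._require(actor, "security_admin", RkState.VERIFY_PENDING)
        if not hmac.compare_digest(hashlib.sha256(rk).digest(), self.signature):
            raise ValueError("recovery key does not match its signature")
        self.verified = True

    def authorize(self, actor: Actor) -> None:
        self._require(actor, "storage_admin", RkState.VERIFY_PENDING)
        if not self.verified:
            raise ValueError("recovery key has not been verified")
        self.state = RkState.CONFIGURED

    # Disable: Unconfigured -> Disable Authorize Pending -> Disabled.
    def request_disable(self, actor: Actor) -> None:
        self._require(actor, "security_admin", RkState.UNCONFIGURED)
        self.state = RkState.DISABLE_AUTHORIZE_PENDING

    def authorize_disable(self, actor: Actor) -> None:
        self._require(actor, "storage_admin", RkState.DISABLE_AUTHORIZE_PENDING)
        self.state = RkState.DISABLED

    # Enable: Disabled -> Enable Authorize Pending -> Unconfigured.
    def request_enable(self, actor: Actor) -> None:
        self._require(actor, "security_admin", RkState.DISABLED)
        if self.encryption_group:
            raise ValueError("delete the encrypted volumes, ranks and extent pools first")
        self.state = RkState.ENABLE_AUTHORIZE_PENDING

    def authorize_enable(self, actor: Actor) -> None:
        self._require(actor, "storage_admin", RkState.ENABLE_AUTHORIZE_PENDING)
        self.state = RkState.UNCONFIGURED

    # Encryption group creation is gated on a Configured or Disabled recovery key.
    def create_encryption_group(self) -> None:
        if self.state not in (RkState.CONFIGURED, RkState.DISABLED):
            raise ValueError("recovery key must be Configured or Disabled first")
        self.encryption_group = True


if __name__ == "__main__":
    sec, sto = Actor("alice", "security_admin"), Actor("bob", "storage_admin")
    ctl = RecoveryKeyControl()
    rk = ctl.configure(sec)      # alice keeps rk offline; ctl holds only its hash
    ctl.verify(sec, rk)
    ctl.authorize(sto)
    ctl.create_encryption_group()
    print(ctl.state.value)
```

The point of the role check in `_require` is that no single administrator can both request and authorize a transition, and the `verified` flag means the storage administrator cannot authorize a key that the security administrator has not proved they actually received; `request_enable` also refuses while an encryption group exists, matching the prerequisite stated above.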