Planning for remote encryption-key servers

If the local key manager (feature 0405) is not enabled, two encryption-key servers and associated software are required for each site that has one or more encryption-enabled storage systems.

One encryption-key server must be isolated. An isolated encryption-key server is a set of dedicated server resources that run only the encryption-key lifecycle manager application and its associated software stack. This server is attached directly to dedicated, non-encrypting storage resources that contain only key server code and data objects, so the key server never depends on storage that itself needs a key from that server to come online.

The remaining key servers can be of any supported key-server configuration. Any site that operates independently of other sites must have key servers for the encryption-enabled storage systems at that site.

For DS8000® encryption environments, a second Hardware Management Console (HMC) should be configured for high availability.

Important: You are responsible for replicating key labels and their associated key material across all key servers that are attached to the encryption-enabled storage system before you configure those key labels on the system.

You can configure each encryption-enabled storage system with two independent key labels. This capability allows the use of two independent key servers when one or both key servers use secure-key mode keystores. The isolated key server can be used with a second key server that is operating with a secure-key mode keystore.

To enable encryption on a storage system using TKLM or SKLM, you must upgrade to one of the following versions of TKLM or SKLM that has the Gen2 CA root installed:
  • TKLM version 2.0.1 or later on Open Systems
  • SKLM (all versions) on Open Systems
  • SKLM version 1.1.0.2 or later on z/OS
DS8000 supports the following KMIP key servers:
  • IBM® Security Guardium Key Lifecycle Manager 3.0 or later (a multi-master or incremental replication configuration is required). IBM Fibre Channel Endpoint Security requires 3.0.1 fix-pack 2 or later.
  • Gemalto Safenet KeySecure Classic 8.0.1, 8.3.2, 8.4.2, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, and 8.11.1
  • Gemalto Safenet KeySecure Next Generation 1.7.0 and 1.8.0
  • Thales CipherTrust Manager 2.0.0 through 2.12.0, or later
  • Vormetric DSM V6100 version 6.4.0.15031 or later
  • Migration from Gemalto Safenet KeySecure 8.X to Thales CipherTrust Manager 2.X is also supported
Note: IBM Fibre Channel Endpoint Security does not support Gemalto Safenet KeySecure Classic, Gemalto Safenet KeySecure Next Generation, or Vormetric DSM. Security Guardium Key Lifecycle Manager must be configured with multi-master replication.
Note: DS8000 does not support communication with GKLM over IPP using custom device groups. KMIP is recommended for DS8000 systems that communicate with IBM GKLM key servers in a multi-master configuration. When IPP is used to communicate with IBM GKLM key servers in a multi-master configuration, the DS8000 systems cannot automatically detect problems with key redundancy, so you are responsible for determining when high availability disaster recovery (HADR) synchronization is not functioning properly. Loss of data in the GKLM keystore can result in loss of DS8000 data.
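The replication requirement above (every key label and its key material present on every attached key server before the label is configured on the storage system) and the note on HADR synchronization both come down to the same pre-flight check: compare each server's inventory for the labels the storage system will use. The following is an added example, not IBM code and not part of DSCLI, GKLM or any KMIP client. It models each key server as a mapping from label to key material (constructed sample bytes, not real keys), compares SHA-256 fingerprints of the material rather than the material itself, and also checks the per-site layout rules stated earlier on this page (two key servers per site, one of them isolated). The server names, site names and labels are hypothetical; in practice the `keys` mapping would be populated by querying each server, which is not shown.

```python
"""Pre-flight check for DS8000 key-label replication across key servers.

Added example (not IBM code). Server names, sites, labels and key material
below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class KeyServer:
    """One key server. keys maps a key label to the key material the server
    holds under that label (constructed bytes here; queried from the server
    in real use)."""
    name: str
    site: str
    isolated: bool
    keys: dict


def fingerprint(material: bytes) -> str:
    """Short SHA-256 digest so material on two servers can be compared and
    reported without ever logging the material itself."""
    return hashlib.sha256(material).hexdigest()[:16]


def check_replication(servers, labels):
    """Return problems that must be fixed before the labels are configured on
    the storage system: a label missing on any attached server, or the same
    label backed by different key material on different servers."""
    problems = []
    for label in labels:
        digests = {}
        for srv in servers:
            if label in srv.keys:
                digests[srv.name] = fingerprint(srv.keys[label])
            else:
                problems.append(f"{label}: missing on {srv.name}")
        if len(set(digests.values())) > 1:
            detail = ", ".join(f"{n}={d}" for n, d in sorted(digests.items()))
            problems.append(f"{label}: key material differs ({detail})")
    return problems


def check_site_topology(servers):
    """Return problems with the per-site layout: fewer than two key servers,
    or no isolated key server, at any site."""
    problems = []
    by_site = {}
    for srv in servers:
        by_site.setdefault(srv.site, []).append(srv)
    for site, site_servers in sorted(by_site.items()):
        if len(site_servers) < 2:
            problems.append(f"site {site}: {len(site_servers)} key server(s), two required")
        if not any(s.isolated for s in site_servers):
            problems.append(f"site {site}: no isolated key server")
    return problems


def sample_servers():
    """Constructed inventory: two servers at site A (one isolated), one at
    site B. LABEL_2 was never replicated to ks-a2; LABEL_3 on ks-a2 is stale."""
    return [
        KeyServer("ks-a1-isolated", "A", True, {
            "DS8K_LABEL_1": b"material-1",
            "DS8K_LABEL_2": b"material-2",
            "DS8K_LABEL_3": b"material-3",
        }),
        KeyServer("ks-a2", "A", False, {
            "DS8K_LABEL_1": b"material-1",
            "DS8K_LABEL_3": b"material-3-stale",
        }),
        KeyServer("ks-b1", "B", False, {
            "DS8K_LABEL_1": b"material-1",
        }),
    ]


def run_checks(servers=None, attached_site="A",
               labels=("DS8K_LABEL_1", "DS8K_LABEL_2", "DS8K_LABEL_3")):
    """Topology check over all servers, replication check over the servers
    attached to the storage system at attached_site."""
    servers = sample_servers() if servers is None else servers
    attached = [s for s in servers if s.site == attached_site]
    return check_site_topology(servers) + check_replication(attached, list(labels))


if __name__ == "__main__":
    for problem in run_checks():
        print("BLOCK:", problem)
```

Run as a scheduled job against a multi-master GKLM deployment, the same comparison doubles as the HADR-synchronization monitor the note says you must provide yourself when IPP is in use. Where the servers speak KMIP, compare a server-side key digest attribute if the product exposes one, so the check never has to retrieve key material at all.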