Encryption overview

Encryption is a technology that uses cryptography to help ensure confidentiality of sensitive information. Encryption uses keys to encode information so that it cannot be understood by unauthorized parties. Depending on your model, the system supports both encryption of data-at-rest and encryption of data-in-flight.

To use encryption of data-at-rest on the system, you need to:
  • Purchase and activate licenses for the encryption feature.
  • Decide which methods to use for managing the main keys.
  • Configure encryption with the chosen key management methods.
  • Create encrypted objects such as arrays, pools, or cloud accounts.
To use encryption of data-in-flight on the system, you need to:
  • Purchase and activate licenses for the encryption feature.
  • Create secure IP partnerships between systems.

Configuring encryption is a nondisruptive procedure. During the procedure, the system continues to process I/O operations normally and the existing storage objects are not impacted.

Encryption of Data at Rest (EDaR)

EDaR is the encryption of static data that is being stored on an internal drive or external storage. Data is automatically encrypted as it is written to the storage, and automatically decrypted as it is read from the storage. This feature protects against the potential exposure of sensitive user data and user metadata that is stored on discarded, lost, or stolen storage devices. Depending on your model, the system supports data encryption that uses encryption-capable hardware and software.

To use EDaR the encryption feature must be licensed and configured on the system.

EDaR is performed that uses the symmetric Advanced Encryption Standard (AES) algorithm with 256-bit encryption keys in XTS mode (XTS-AES-256), as defined in the IEEE 1619-2007 standard and NIST Special Publication 800-38E. The data encryption keys are protected by use of NIST’s AES key wrap that uses an intermediate 256-bit wrapping key. This intermediate key is in turn protected that uses NIST’s AES key wrap that uses an intermediate 256-bit wrapping key. The access keys are managed that uses whichever key management methods are enabled on the system. The wrapped keys are stored securely on the system in nonvolatile memory so that they can be accessed when the system starts up. During normal system operation, all unwrapped keys are stored securely in volatile memory, the contents of which are securely discarded on system shutdown or power loss. All data encryption keys (DEKs) and key encryption keys (KEKs) on the system are AES-256 bit keys, and all keys are protected by using an AES wrap-key operation.

All NVMe drives that are supported by the system, including IBM FlashCore Modules (FCMs) and a range of other third-party drives, are self-encrypting drives (SEDs) that encrypt data within the electrical circuit of each individual drive, with no performance penalty. Depending on the model, IBM FlashCore Modules are either FIPS 140-2 Level 2 or FIPS 140-3 Level 3 validated. For drives that support FIPS 140-3, the system must be running software version 8.6.2 or later to enable this.

When drives are connected through a Serial Attached SCSI (SAS) network, the SAS protocol chip provides data encryption capabilities, with no performance penalty. The SAS chip uses data encryption algorithms that are FIPS 140-2 Level 1 compliant.

The system software also can apply encryption to data on external storage devices that do not support built-in encryption. In this scenario, the software offloads the job of data encryption to the Advanced Encryption Standard New Instructions (AES-NI)-capable CPU within the hardware, with a small performance penalty, which depends on your configuration. The software uses algorithms that are FIPS 140-2 Level 1 compliant.

EDaR is always applied after data reduction technologies, such as compression and deduplication.

Encryption of Data in Flight (EDiF)

EDiF is the encryption of data that is being transmitted from one location to another. Data is encrypted before it is sent over the link and is decrypted when it is received on the other side. This feature protects against threats such as eavesdropping and unauthorized proxy attacks. Depending on your model, the system supports data encryption that uses encryption-capable hardware and software.

To use EDiF the encryption feature must be licensed, but there is no need to configure encryption on the system.

The system supports EDiF for data that is being replicated between two systems that are connected by Ethernet and configured in a secure Internet Protocol (IP) partnership. When a secured IP partnership is created, for example, between a production system and a recovery system, the data is secured as it travels through the network between the production system and the recovery system. Secured IP partnerships use a combination of IPsec and IKEv2 to secure data in flight. IKEv2 is an IPsec-based tunnelling protocol that uses secure key exchange algorithms to establish a secure connection to the partner system. IPsec is a suite of security protocols that helps ensure packets that are transmitted over the network are authenticated and encrypted.

In secured IP partnerships, the partner systems authenticate with each other, negotiate the security parameters, exchange encryption keys, and establish secured network tunnels through which encrypted data travels. Partner systems are authenticated by certificates that are issued by either the system's internal root CA or a trusted third-party root CA or intermediate CA.

The system does not support EDiF between host servers and the system, the system and back-end storage devices, or systems that are connected by FC that are configured in an FC replication partnership.

Licensing encryption

To use encryption, an encryption feature license must be purchased and activated for every machine in the system. A machine is defined to be either a control enclosure or a node, depending on the platform and model used. As an example, an eight-node system consisting of four IBM Storage FlashSystem control enclosures would require four feature licenses. Alternatively, an eight-node system composing of eight IBM SAN Volume Controller nodes would require eight feature licenses. Licenses for the encryption feature are only made available in countries that permit the use of encryption technologies. Encryption can be configured once all required feature licenses have been activated. See Licensing encryption for more details.

Configuring key management

To configure encryption on the system, the user must have the SecurityAdmin role. When configuring encryption on the system, one or more key management methods must be used to manage the main keys for the system.

The system also supports an encryption recovery key, which can be used as a backup method alongside any other key management methods, to help ensure that encrypted data is available when there is a problem accessing the main keys.

For organizations with strict security policies regarding USB flash drives, the system supports disabling the USB ports to prevent unauthorized transfer of system data to portable media devices. If you have such security requirements, consider that uses key servers or internal key management method to manage encryption keys instead.

It is possible to simultaneously configure USB flash drives and key servers to help ensure that access to encrypted data is retained if either method is inaccessible, or if the keys are permanently lost for one of the methods.

You can migrate from the existing external methods (USB flash drives and key servers) to internal key management method without affecting the encrypted objects.

Note:
  • To protect against permanent key loss for one of the methods, a simultaneous configuration must be planned. It is not permitted to enable another key method when the keys for an existing method have already been lost.
  • It is not recommended to configure the external methods along with the internal key management method.
  • It is recommended to configure encryption recovery key while enabling the encryption using external methods or internal key management method.

If your system contains existing volumes in nonencrypted pools, you can migrate these volumes to encrypted pools after encryption has been configured.

Using encryption

Once the encryption feature has been configured, the system allows logical configuration objects to be created as encrypted, meaning that the system will automatically encrypt and decrypt the data being stored for that object. The system supports the Migrating volumes to an encrypted pool.

Depending on your configuration, the system will automatically apply the right method of encryption (hardware-based or software-based). Encrypted arrays consisting of internal drives will always use hardware-based encryption and will only use the encryption key belonging to the array, even if the array is part of an encrypted pool. Encrypted pools consisting of external storage will always use software-based encryption and will only use the encryption key belonging to the pool.

Unlocking an encrypted system

When the system is unlocked and running normally, each node in the system keeps a copy of the main key in secure volatile memory. When a node restarts, the in-memory copy of the key is discarded and keys are retrieved from USB in case of USB encryption is enabled, otherwise read from primary key server in case of key server encryption is enabled and in case keys not retrieved locally then copy is fetched from a partner node, without needing to retrieve the main key from elsewhere. If all the nodes in the system have lost the in-memory copy of the main key simultaneously (in scenarios such as a full system shut down or unexpected power loss), the system tries to retrieve the main key from one of the configured key management methods.

If key servers are configured, the key is retrieved automatically from any key servers that are online and available to the system. If USB flash drives are configured, the key is automatically retrieved from any USB flash drives that are locally installed. If the internal key management is configured, the key is retrieved internally from the boot drive. Should any of these methods be unavailable at the time the system requires a master key. The system is locked and all encrypted arrays, pools, and cloud accounts are held offline. In such situation, encryption recovery key will help in unlocking the system and bringing all encrypted objects online.

Note: If all copies of the main key are unavailable when the system is locked, and your system contains encrypted arrays with SAS drives, then all SAS drives connected to the enclosure go offline, even drives belonging to unencrypted arrays. An encryption recovery key helps to recover the system from such situations.

If the encryption recovery key is configured, the recovery key can be supplied to unlock the system to bring encrypted data online.

The system requires a main encryption key to be available during the following operations:
  • System power-on
  • System restart
  • User-initiated rekey operations
  • System recovery