AES keys and the DS8000 Turbo drive

When the DS8000® Turbo drive starts, the device requests an unlock key from IBM® Security Guardium® Key Lifecycle Manager.

If the DS8000 Turbo drive requests a new key for its unlock key, IBM Security Guardium Key Lifecycle Manager generates an Advanced Encryption Standard (AES) key. The key is then served to the drive in the following two protected forms:

  • Encrypted (wrapped) by using Rivest-Shamir-Adleman (RSA) key pairs. The DS8000 Turbo drive stores this copy of the key on the array in an unencrypted partition.
  • Separately wrapped for secure transfer to the drive, where it is unwrapped upon arrival and the key inside is used to unlock the array.

If the DS8000 Turbo drive requests an existing unlock key, the protected AES key on the array is sent to IBM Security Guardium Key Lifecycle Manager, where the wrapped AES key is unwrapped. The AES key is then wrapped with a different key for secure transfer back to the DS8000 Turbo drive. The key is unwrapped and used to unlock the array.
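The two request paths described above can be modeled in a few lines of Go. This is an added example, not IBM code: it assumes RSA-OAEP for both wraps and a separate RSA key pair on the drive for the transfer copy, and every function name in it is hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// RSA-OAEP for both wraps is an assumption; the page names RSA only for the stored copy.
func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}
func unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
}

func newPair() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key pair
	return k
}

// NewKey (key manager side) makes an AES-256 unlock key and returns both protected forms.
func NewKey(km *rsa.PrivateKey, drive *rsa.PublicKey) (stored, transit []byte, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if stored, err = wrap(&km.PublicKey, key); err != nil { // copy kept on the array
		return nil, nil, err
	}
	transit, err = wrap(drive, key) // copy sent to the drive
	return stored, transit, err
}

// ExistingKey (key manager side) unwraps the blob read from the array and rewraps that AES key.
func ExistingKey(km *rsa.PrivateKey, stored []byte, drive *rsa.PublicKey) ([]byte, error) {
	key, err := unwrap(km, stored)
	if err != nil {
		return nil, fmt.Errorf("stored key rejected: %w", err)
	}
	return wrap(drive, key)
}

func main() {
	km, drv := newPair(), newPair()
	stored, _, _ := NewKey(km, &drv.PublicKey)
	transit, err := ExistingKey(km, stored, &drv.PublicKey)
	fmt.Println("rewrapped bytes:", len(transit), "error:", err)
}
```

In this model the copy on the array opens only with the key manager's private key, so the unencrypted partition holds nothing the drive can use without a round trip to the key manager.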