Data encryption
Encryption of data ensures that, if a physical medium is lost, the data on it remains unreadable and confidential: it either can't be read at all or must first be decrypted. IBM® Integrated Analytics System provides multi-level encryption of data at rest (data on the disk).
Db2® software encryption protects only the database data that is managed by Db2 and stored on the storage devices. Systems with an integrated rack also enable the underlying hardware encryption capabilities of the storage devices, which protect all the stored data.
IAS stores its internal user passwords in the LDAP database by using the Salted SHA1 (SSHA) scheme.
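The SSHA scheme named above stores a SHA-1 digest of the password concatenated with a random salt, with the salt appended to the digest. The following is an added example, not IBM's code; it assumes the conventional LDAP layout "{SSHA}" + base64(SHA1(password || salt) || salt), which the page itself does not spell out, and shows how a stored value is parsed and verified without ever comparing digests with a plain equality check.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed (conventional OpenLDAP) SSHA layout; the page only names the scheme:
#   "{SSHA}" + base64( SHA1(password || salt) || salt )
# SHA-1 digests are 20 bytes, so everything after byte 20 of the decoded blob is the salt.
PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an SSHA string; a random 8-byte salt is generated when none is given."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored SSHA value into (digest, salt); raise ValueError on malformed input."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an SSHA value")
    blob = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(blob) <= DIGEST_LEN:
        raise ValueError("SSHA blob too short to contain a salt")
    return blob[:DIGEST_LEN], blob[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        digest, salt = parse_ssha(stored)
    except (ValueError, UnicodeDecodeError):
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample credential, not a real IAS value.
    h = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(h, ssha_verify("correct horse", h), ssha_verify("wrong", h))
```

Because the salt is random per entry, two stored values for the same password differ, which is what defeats precomputed digest tables; the 160-bit SHA-1 digest itself is not the secret, so the salt does not need to be hidden.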
Encryption scheme
In an encryption scheme, the data requiring protection is transformed into an unreadable form by applying a cryptographic algorithm and an encryption key. A cryptographic algorithm is a mathematical function that is used in encryption and decryption processes. An encryption key is a sequence that controls the operation of a cryptographic algorithm and enables the reliable encryption and decryption of data. A local or external key manager is typically used to manage the keys.
With native database encryption, the database system itself encrypts the data before it calls the underlying file system to write that data to disk. This means that not only your current data is protected, but also data in table space containers or table spaces that you might add in the future. A database encryption key (DEK) is the key with which the actual user data is encrypted. A master key is a "key encrypting key": it is used to protect the DEK. Although the DEK is stored and managed by the database, the master key is stored and managed outside of the database. For information on rotating the master keys, see Db2 Warehouse native encryption.
With hardware encryption, storage devices such as the Flash subsystem can encrypt the data as it is written to the media, based on an encryption key. The encryption key can be resident on the storage controller or kept externally in an encryption key server such as IBM Security Key Lifecycle Manager.
For information on how storage encryption works on integrated rack models, see Storage hardware encryption on systems with integrated rack.
For information on how storage encryption works on M4002-001 model, see Storage hardware encryption for M4002-001 model.
Currently, Db2 software encryption is enabled by default and can't be disabled. Keys are always managed by Db2 software. Integrated rack models support external encryption key management via IBM Security Key Lifecycle Manager (IBM SKLM).
Integrated rack models persistent media types
- Server-resident hard disk drives (OS disks)
  - The disks hold the OS, other software packages, log files and the OS swap area.
  - They aren't hardware encrypted.
  - Hardware encryption of the disk isn't supported by current Power® P8 servers.
- First tier storage (hot table data)
  - Data is provided by the FlashSystem 900 storage arrays.
  - Data is always written in encrypted form on the flash modules, and by default the key is resident in the Flash array controller. The key can be managed externally by integrating IAS with IBM Security Key Lifecycle Manager (IBM SKLM).
  - If a Flash Module is removed, its data is unreadable. If the entire Flash Array is removed, the data is accessible (if the key isn't managed externally by IBM SKLM), but it is still encrypted by the Db2 software.
- Second tier storage (cooling data)
  - Data is provided by the V5020 HDD storage arrays.
  - Data isn't written encrypted, but it is protected by the Db2 software encryption.
For more information on the IAS hardware building blocks, see Rack-provided models hardware.
M4002-001 models persistent media types
- Two M.2 drives - for OS and platform
  - They are not hot swappable.
  - They do not support encryption.
- Four 4 TB NVMe SSD drives - for user data
  - They are hot-swappable drives used for user data storage.
  - Data-at-rest encryption is always enabled.
  - Data protection and redundancy are managed by GPFS.