Symmetric keys and the DS5000 storage server
IBM® Security Guardium® Key Lifecycle Manager uses only symmetric data keys as the unlock key for a DS5000 storage server.
When a DS5000 storage server requests a key, IBM Security Guardium Key Lifecycle Manager uses the alias that the request specifies to look up the key. If the request does not specify an alias, IBM Security Guardium Key Lifecycle Manager selects an alias from the list of keys that are associated with the requesting DS5000 storage server. Aliases from that list are served in round-robin fashion so that the keys are used evenly.
The selected alias is associated with a symmetric data key that was preinstalled in the keystore. IBM Security Guardium Key Lifecycle Manager sends that symmetric data key to the device to unlock the disk drives of the array. The selected alias is also converted to an entity that is termed a data key identifier, which the DS5000 storage server stores. On a later request, IBM Security Guardium Key Lifecycle Manager can use the data key identifier to locate the correct data key.
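The following model of the key-selection flow described above is an added example; it is not IBM Security Guardium Key Lifecycle Manager code. The keystore contents, device names, the per-device alias lists and the format of the data key identifier (here an opaque token derived from the alias with SHA-256) are all constructed assumptions for illustration. It shows the two request paths (alias given, alias omitted with round-robin selection), the failure modes a practitioner would want handled (unknown alias, device with no associated keys), and the round trip from data key identifier back to the key.

```python
"""Model of the alias / round-robin / data-key-identifier flow.

Hypothetical example code, not IBM Security Guardium Key Lifecycle Manager's
implementation. Keystore contents, device names and the identifier format are
constructed for illustration.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed keystore: alias -> preinstalled 256-bit symmetric data key.
KEYSTORE: Dict[str, bytes] = {
    "ds5k-key-01": bytes.fromhex("11" * 32),
    "ds5k-key-02": bytes.fromhex("22" * 32),
    "ds5k-key-03": bytes.fromhex("33" * 32),
    "ds5k-key-99": bytes.fromhex("99" * 32),
}

# Constructed device associations: device id -> ordered list of aliases.
DEVICE_KEYS: Dict[str, List[str]] = {
    "DS5000-A": ["ds5k-key-01", "ds5k-key-02", "ds5k-key-03"],
    "DS5000-B": ["ds5k-key-99"],
    "DS5000-C": [],  # no keys associated: an alias-less request must be refused
}


class KeyServer:
    """Serves symmetric data keys to DS5000 devices by alias or round-robin."""

    def __init__(self, keystore: Dict[str, bytes], device_keys: Dict[str, List[str]]):
        self._keystore = dict(keystore)
        self._device_keys = {d: list(a) for d, a in device_keys.items()}
        self._cursor = {d: 0 for d in device_keys}  # round-robin position per device
        self._id_to_alias: Dict[str, str] = {}      # data key identifier -> alias

    def _identifier_for(self, alias: str) -> str:
        # Assumption: the identifier is an opaque token derived deterministically
        # from the alias, so the same alias always yields the same identifier.
        # The page does not specify the real format.
        ident = "dki-" + hashlib.sha256(alias.encode()).hexdigest()[:16]
        self._id_to_alias[ident] = alias
        return ident

    def serve(self, device_id: str, alias: Optional[str] = None) -> Tuple[str, bytes, str]:
        """Return (alias, key, data key identifier) for a device request.

        If the request names an alias it is used directly; otherwise the next
        alias in the device's list is chosen round-robin.
        """
        if alias is None:
            aliases = self._device_keys.get(device_id, [])
            if not aliases:
                raise LookupError(f"{device_id}: no alias given and no keys associated")
            pos = self._cursor[device_id]
            alias = aliases[pos]
            self._cursor[device_id] = (pos + 1) % len(aliases)
        key = self._keystore.get(alias)
        if key is None:
            raise KeyError(f"alias {alias!r} is not in the keystore")
        return alias, key, self._identifier_for(alias)

    def resolve(self, identifier: str) -> bytes:
        """Look up the data key again from the identifier the device stored."""
        alias = self._id_to_alias.get(identifier)
        if alias is None:
            raise KeyError(f"unknown data key identifier {identifier!r}")
        return self._keystore[alias]


if __name__ == "__main__":
    srv = KeyServer(KEYSTORE, DEVICE_KEYS)
    for _ in range(4):  # alias omitted: cycles 01, 02, 03, 01
        print("DS5000-A ->", srv.serve("DS5000-A")[0])
    alias, key, ident = srv.serve("DS5000-B", alias="ds5k-key-99")
    print("DS5000-B ->", alias, ident, srv.resolve(ident) == key)
```

Note that the page does not say whether an alias named in a request must also appear in the requesting device's own list; this example looks the alias up in the keystore directly, so a deployment that wants per-device restriction would add that check before the keystore lookup.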