GPFS™ provides support for file encryption that ensures both secure storage and secure deletion of data. GPFS manages encryption through the use of encryption keys and encryption policies.

Note: GPFS encryption is only available with IBM Spectrum Scale™ Advanced Edition or IBM Spectrum Scale Data Management Edition. The file system must be at GPFS V4.1 or later. Encryption is supported in:
  • Multicluster environments (provided that the remote nodes have their own /var/mmfs/etc/RKM.conf files and access to the remote key management servers. For more information, see Encryption keys.)
  • FPO environments

Secure storage uses encryption to make data unreadable to anyone who does not possess the necessary encryption keys. The data is encrypted while at rest (on disk) and is decrypted on the way to the reader. Only data, not metadata, is encrypted.

GPFS encryption can protect against attacks targeting the disks (for example, theft or acquisition of improperly discarded disks) as well as attacks performed by unprivileged users of a GPFS node in a multi-tenant cluster (that is, a cluster that stores data belonging to multiple administrative entities called tenants). However, it cannot protect against deliberate malicious acts by a cluster administrator.

Secure data deletion leverages encryption and key management to guarantee erasure of files beyond the physical and logical limitations of normal deletion operations. If data is encrypted, and the master key (or keys) required to decrypt it have been deleted from the key server, that data is effectively no longer retrievable. See Encryption keys.

Important: Encryption should not be viewed as a substitute for using file permissions to control user access.