External key management

You can manage the encryption key for the disk drive modules (DDMs) externally.

For external key management of encryption, the encryption must be enabled onsite by an IBM service representative.

The encryption key server, either Tivoli Key Lifecycle Manager (TKLM) or IBM Security Key Lifecycle Manager (ISKLM), is installed and configured on the network.

The following tasks can be done:
  • Re-key (from SMIT and Management Interface)
  • Activate (from SMIT only)
  • Switch from internal key management to external key management (from SMIT only)

Prerequisites

The prerequisites are the same as for internal key management for encryption.

Disk encryption is available on a new order from manufacturing that uses FC 7404, Encryption, or as an MES that uses FC 5272, Enable disk encryption - Local Key Management. The following conditions must also be met:
  • The TS7740 must contain a 3957-V07. The TS7720 must contain a 3957-VEB. The TS7760 must contain a 3957-VEC.
  • FDE drives must be 600 GB Fibre Channel drives (TS7740), 3 TB near-line SAS drives (TS7720), or 4 TB near-line SAS drives (TS7760).
  • Encryption is enabled onsite following code activation by an IBM service representative.
  • An entire file system must be encrypted; a mixture of encrypted and non-encrypted arrays is not supported. All arrays in all strings must be encryption-capable.