TS7770 Data at Rest Encryption
Before you begin
Note:
- For feature 5276 Disk Encrypt-External Key Manager, encryption keys are maintained outside of the TS7700 and passed to the TS7700 from an encryption key manager. Only IBM Security Key Lifecycle Manager (SKLM) will be supported.
- Disk encryption using externally managed keys with SKLM requires software entitlements. For more information about SKLM, see the IBM Security Key Lifecycle Manager website.
- If using TLS encryption to connect to the encryption key manager, the X.509 certificate that will be presented by the key server must be trusted in advance by the TS7700. Use the SSL Certificates page in the TS7700 Management Interface to install any necessary self-signed certificates or custom CA certificates before proceeding.
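
The TLS note above depends on knowing exactly which certificate each key server presents before it is installed as trusted. The following Python is an added example, not IBM code or part of the TS7700 product: it computes the SHA-256 fingerprint of the primary and secondary key server certificates and compares each with a fingerprint obtained out of band from the key manager administrator. The function names, role names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of a single-certificate PEM string."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so fingerprints from different tools compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def fetch_pem(host: str, port: int, timeout: float = 5.0) -> str:
    """Fetch the certificate a key server presents (timeout needs Python 3.10+).

    Assumption: the server completes a TLS handshake without a client
    certificate. Nothing is verified here; trust comes from the comparison below.
    """
    return ssl.get_server_certificate((host, port), timeout=timeout)


def check_key_servers(presented: dict, expected: dict) -> dict:
    """Map each role to True only if its certificate matches the fingerprint
    obtained out of band from the key manager administrator."""
    result = {}
    for role, pem in presented.items():
        want = normalize(expected.get(role, ""))
        got = normalize(fingerprint(pem))
        result[role] = bool(want) and hmac.compare_digest(got, want)
    return result


if __name__ == "__main__":
    # Constructed placeholder bytes, not real certificates; in practice use
    # fetch_pem(host, port) or the PEM file exported from the key manager.
    primary = ssl.DER_cert_to_PEM_cert(b"constructed primary certificate")
    secondary = ssl.DER_cert_to_PEM_cert(b"constructed secondary certificate")
    expected = {"primary": fingerprint(primary), "secondary": fingerprint(primary)}
    # The secondary does not match its expected value, so it is flagged False.
    print(check_key_servers({"primary": primary, "secondary": secondary}, expected))
```

A role that comes back False, or that has no expected fingerprint, should not have its certificate installed on the SSL Certificates page until the mismatch is explained.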
An administrator can set up or modify encryption configurations in the TS7700 for the following conditions or any combination of these conditions:
- If using CSA cache – IPP key servers are required for encryption.
- If using Tape attached – IPP key servers are required for encryption.
- If using CSB cache – KMIP key servers are required for encryption.
For IPP only, the user must specify the following for both the primary and secondary key server:
- IP address [text box]
- Port (defaults to IPP port) [text box]
- Connection test [Button next to IP/port]
- TLS Enabled [checkbox]
- Certificate info (shown if TLS enabled) [text field with link to modify certificate]
For KMIP only, the user must specify the following for both the primary and secondary key server:
- IP address [text box]
- Port (defaults to KMIP port) [text box]
- Connection test [Button next to IP/port]
- Certificate info [text field with link to modify certificate]
For KMIP and IPP, the user must specify the following for both the primary and secondary key server:
- IPP key server IP address [text box]
- IPP key server Port (defaults to IPP port) [text box]
- IPP TLS Enabled [checkbox]
- KMIP key server IP address [text box]
- KMIP key server Port (defaults to IPP port) [text box]
- Certificate info (if TLS enabled) [text field with link to modify certificate]
Note: If the IPP port is not supported by the EKM, the IPP port will not be used. Therefore, the required field must be set to '0' or any other number.
Log in to the TS7700 Management Interface