
Encryption of data at rest
Encryption of data at rest can be accomplished either through the use of encryption-capable storage devices, such as the IBM DS8870 and the IBM TS3592, or through the use of the IBM Encryption Facility.
Encryption-capable devices implement in-line, transparent encryption of data as it flows onto and off the associated media. In the event of physical loss of the media (through theft or replacement), the data is unreadable and its confidentiality is maintained. Data moved within the boundaries of the device stays encrypted throughout that process, and because residual data in unallocated space is encrypted as well, it cannot be read from the drive either. The IBM DS8870 implements Full Disk Encryption (FDE), whereby an external encryption key manager, such as the IBM Security Key Lifecycle Manager (IBM SKLM), creates and maintains the encryption keys on behalf of the DS8870. The practical consequence is that the key manager is part of the trust boundary: media separated from its key manager is ciphertext, and the key manager itself must be available and protected accordingly.
Tape-based data sets can be encrypted by TS3592 drives. When directed to encrypt (by DFSMS, for example), the drive requests an encryption key from IBM SKLM and encrypts the data as it flows through the drive. The encryption keys remain under the management of IBM SKLM rather than on the cartridge.
The IBM Encryption Facility provides a mechanism for encrypting data sets explicitly, under program control. Encryption keys maintained in RACF or ICSF are used by the Encryption Facility to encrypt from a source data set to a target data set. Access to the specific key material that was used is required to decrypt the target data set, so the encrypted copy remains protected wherever it is subsequently stored or transferred, independently of the media it lands on.
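The following Go program is an added illustration of the pattern shared by the device-based and Encryption Facility approaches described above; it is a model written for this page, not IBM code, and it does not reproduce any DS8870, TS3592, SKLM or Encryption Facility interface. The `KeyManager`, `Medium`, `EncryptToMedium` and `DecryptFromMedium` names and the sample data set contents are constructed for the example. It shows why the media alone is worthless: the only key ever written next to the ciphertext is a copy wrapped under a key-encrypting key that never leaves the key manager, so a reader with the media but no key manager (or the wrong key manager) cannot recover the data, while a reader that can reach the right key manager can.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager models an external key manager (the role IBM SKLM plays for the
// DS8870 and TS3592 in the text). Its key-encrypting key (KEK) never leaves it.
type KeyManager struct{ kek []byte }

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// open reverses seal; a wrong key or tampered data fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// NewDataKey returns a fresh data key and the same key wrapped under the KEK.
// Only the wrapped form is ever written to the media.
func (km *KeyManager) NewDataKey() (dk, wrapped []byte, err error) {
	dk = make([]byte, 32)
	if _, err = rand.Read(dk); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(km.kek, dk)
	return dk, wrapped, err
}

// Unwrap recovers a data key; only a caller that reaches this manager can.
func (km *KeyManager) Unwrap(wrapped []byte) ([]byte, error) { return open(km.kek, wrapped) }

// Medium models a cartridge or disk: ciphertext plus the wrapped data key.
type Medium struct{ WrappedKey, Ciphertext []byte }

// EncryptToMedium is the in-line path: the "drive" obtains a data key from the
// key manager, encrypts the data set, and records only the wrapped key with it.
func EncryptToMedium(km *KeyManager, dataset []byte) (*Medium, error) {
	dk, wrapped, err := km.NewDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, dataset)
	if err != nil {
		return nil, err
	}
	return &Medium{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFromMedium is the read path. A nil km models media that has left the
// environment (theft or replacement) with no key manager reachable.
func DecryptFromMedium(km *KeyManager, m *Medium) ([]byte, error) {
	if km == nil {
		return nil, errors.New("no key manager reachable: media is unreadable")
	}
	dk, err := km.Unwrap(m.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("key manager refused wrapped key: %w", err)
	}
	return open(dk, m.Ciphertext)
}

// MediumLeaksPlaintext reports whether the stored bytes contain the data set.
func MediumLeaksPlaintext(m *Medium, dataset []byte) bool {
	return bytes.Contains(m.Ciphertext, dataset) || bytes.Contains(m.WrappedKey, dataset)
}

func main() {
	km, _ := NewKeyManager()
	dataset := []byte("PAYROLL.MASTER record 0001 (constructed sample data)") // constructed
	m, _ := EncryptToMedium(km, dataset)
	fmt.Println("plaintext visible on media:", MediumLeaksPlaintext(m, dataset))
	_, err := DecryptFromMedium(nil, m)
	fmt.Println("stolen media:", err)
	back, _ := DecryptFromMedium(km, m)
	fmt.Println("with key manager:", string(back))
}
```

The same split applies to the Encryption Facility case: the target data set is the `Medium`, and whoever holds the RACF or ICSF key material plays the `KeyManager`. Note that in this model a loss of the key manager's KEK is a loss of every data set wrapped under it, which is why the availability and backup of the key manager matter as much as its confidentiality.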
