Troubleshooting
Problem
This document contains ASP Encryption Basics.
Resolving The Problem
There are two types of encryption at rest on IBM i:
- Disk (ASP) encryption for basic or independent ASPs (57xx-SS1 Option 45, Encrypted ASP Enablement)
- BRMS encrypted backup, for encrypting backup tapes (57xx-SS1 Option 44, Encrypted Backup Enablement)
Note: 5761-SS1 Option 45 is not delivered with the standard set of media. It must be ordered; it is delivered on an F2924_01 CD or can be downloaded from the ESS (Entitled Systems Support) site. It has a tiered pricing model.
Basics for ASP Encryption:
- Requires IBM i V6R1M0 or later.
- Requires 57xx-SS1 Option 45 (Encrypted ASP Enablement) to be installed.
- Reduces the need to sanitize disks when they are removed or repurposed.
- Protects data transmitted in a geographic mirroring environment.
- Starting at IBM i 7.6, the system ASP (ASP 1), basic ASPs (ASPs 2-32), and independent ASPs (ASPs 33-225) can be encrypted. At 7.5 and earlier, only basic ASPs (ASPs 2-32) and independent ASPs (ASPs 33-225) can be encrypted. Disk encryption uses AES with a 256-bit key in CBC mode.
- When you set up an encrypted disk pool, the system generates a data key that encrypts the data written to that storage pool and decrypts the data read from it. The data key for an independent ASP is kept with the storage pool and is protected by the ASP master key. The data key for a basic ASP is stored in the Licensed Internal Code, so the ASP master key is not required to create an encrypted basic (user) ASP. It is required to create an encrypted iASP: before you create an encrypted iASP you must first set the ASP master key, which is used to protect the data in the independent auxiliary storage pool. There are three ways to set it:
  Option 1: IBM i Navigator. Go to Security, then Cryptographic Services; first load the key parts, then set the ASP master key.
  Option 2: CL commands. Run ADDMSTPART MSTKEY(*ASP) PASSPHRASE(passphrase) for each key part, then SETMSTKEY MSTKEY(*ASP). Record each passphrase securely and separately from this IBM i partition; it is needed to recreate the master key for recovery or migration.
  Option 3: APIs. Load each master key part with QC3LDMKP (Qc3LoadMasterKeyPart) and set the master key with QC3SETMK (Qc3SetMasterKey).
- Provides data privacy in a SAN environment.
- Before IBM i 7.1 Technology Refresh 7 (TR7), an ASP could be encrypted only when it was created. At 7.1 TR7 and later, ASP encryption can be started and stopped through Service Tools, and the encryption keys can also be changed in Service Tools. See http://www.redbooks.ibm.com/redbooks/pdfs/sg247858.pdf.
- Creating an encrypted ASP takes two to three times longer than creating a non-encrypted ASP.
- Backups are slower because the data has to be decrypted before it is saved. See the section 'Should I utilize ASP Encryption?' of the IBM i on Power® - Performance FAQ and the IBM Power Systems Performance Capabilities Reference.
- Note: Encryption of ASPs can be performed through Service Tools or IBM i Navigator, but at 7.1 through 7.4 iASPs can only be encrypted through IBM i Navigator. Note: If the iASP being encrypted is in a cluster/PowerHA environment, the ADDMSTPART and SETMSTKEY commands must be run identically (same key parts, same passphrases) on ALL nodes in the cluster that will be associated with that iASP, so that every node holds the same ASP master key.
- IBM i 7.1 TR6 and earlier: Disk encryption cannot be enabled for existing disk pools or independent disk pools, and it cannot be turned off once an encrypted disk pool or independent disk pool has been created, even if Option 45 is removed from the system or partition. However, a disk unit can be removed and added to an unencrypted ASP: when a unit holding encrypted data is added to the configuration of an unencrypted ASP, its data is zeroed and the encryption is removed. When an encrypted unit is removed from one encrypted ASP and added to another encrypted ASP, its data is zeroed, the original encryption is removed, and the new ASP's key is used from then on. As with all encryption and decryption, there is extra CPU consumption during the encrypt/decrypt process.
- Any processing of encrypted data incurs a performance impact, and the more encrypted data is processed, the larger the impact. Always secure your objects and the rights to process them, but consider encrypting only the data that needs to be encrypted according to your security policies and performance requirements. Depending on the amount of encrypted data being processed and the processor capacity you have, the impact can be anywhere from negligible to significant.
- NVMe drives are self-encrypting drives. However, by default the key used to encrypt and decrypt the data is not protected, so self-encryption on its own does not protect the data on a removed drive. Starting at IBM i 7.4 TR7 and IBM i 7.5 TR1, you can add a password-protected locking policy. See the document: How to set up NVMe Locking Policy / Password for IBM i.
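As an added example (not IBM-supplied code and not part of this technote), the Option 2 sequence above as a CL program: it loads two ASP master key parts with ADDMSTPART and then promotes the pending key with SETMSTKEY. It assumes 57xx-SS1 Option 45 is installed and that the calling user profile is authorized to run ADDMSTPART and SETMSTKEY; the program name SETASPMK, the parameter names and the step labels are assumptions.

```cl
/* SETASPMK: load two ASP master key parts and set the ASP master key.    */
/* Added example for this technote, not IBM-supplied code. The program    */
/* name, parameter names and step labels are assumptions. Assumes        */
/* 57xx-SS1 Option 45 is installed and the caller is authorized to run    */
/* ADDMSTPART and SETMSTKEY.                                              */
/*                                                                        */
/* Callers must pass CL variables declared as *CHAR LEN(256): a quoted    */
/* literal on CALL is padded only to 32 bytes, so the remainder of        */
/* &PART1 would be undefined storage and the key part silently wrong.     */
PGM        PARM(&PART1 &PART2)

DCL        VAR(&PART1)  TYPE(*CHAR) LEN(256)   /* key part 1 passphrase  */
DCL        VAR(&PART2)  TYPE(*CHAR) LEN(256)   /* key part 2 passphrase  */
DCL        VAR(&STEP)   TYPE(*CHAR) LEN(10)    /* step name for failure  */
DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(80)

/* Refuse an empty part: the master key must not be built from blanks.   */
IF         COND((&PART1 *EQ ' ') *OR (&PART2 *EQ ' ')) THEN(DO)
  CHGVAR     VAR(&STEP) VALUE('CHECK')
  GOTO       CMDLBL(FAIL)
ENDDO

/* Each ADDMSTPART adds a part to the pending (new) version of the ASP   */
/* master key; the parts are combined into that pending version.         */
CHGVAR     VAR(&STEP) VALUE('PART1')
ADDMSTPART MSTKEY(*ASP) PASSPHRASE(&PART1)
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

CHGVAR     VAR(&STEP) VALUE('PART2')
ADDMSTPART MSTKEY(*ASP) PASSPHRASE(&PART2)
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

/* SETMSTKEY makes the pending version the current ASP master key.       */
CHGVAR     VAR(&STEP) VALUE('SETKEY')
SETMSTKEY  MSTKEY(*ASP)
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

SNDPGMMSG  MSG('ASP master key set on this node') TOPGMQ(*PRV)
RETURN

FAIL:
/* Escape so a calling job or cluster script does not go on to create    */
/* the iASP on a node whose master key was never set.                    */
CHGVAR     VAR(&MSGDTA) VALUE('ASP master key setup failed at step ' +
                              *CAT &STEP)
SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSGDTA) MSGTYPE(*ESCAPE)
ENDPGM
```

Call it from a CL procedure that declares its own two *CHAR LEN(256) variables and passes them (CALL SETASPMK (&P1 &P2)), rather than with literals, for the reason given in the header comment. The passphrase reaches ADDMSTPART as a fixed-length, blank-padded CL variable; whatever bytes the command takes as the passphrase must be reproduced exactly when the key is rebuilt, so use the same method (this program, IBM i Navigator, or the API) on every cluster node and at recovery time, and keep the passphrases in your recovery records outside the partition, as the technote requires.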
Historical Number
516298314
Document Information
Modified date: 05 May 2026
UID: nas8N1013136