How IBM Guardium for File and Database Encryption works

Performs transparent encryption and decryption

Encryption and decryption are performed above the file system or logical volume layer, so they are transparent to users, applications, databases and storage subsystems. The solution requires no coding or modification to applications or databases and protects both structured and unstructured data. It scales for large and complex environments and extends protection to log files, configuration files and other database output.

Provides secure, centralized key and policy management

IBM Guardium for File and Database Encryption offers a secure solution for protecting structured and unstructured data through the enforcement of policy-based encryption and centralized encryption key management that enables organizations to keep data private and compliant. Guardium for File and Database Encryption includes a user-friendly management server that allows for fast definition of encryption policies that are enforced by agents across a multitude of operating systems.

Offers granular support for regulatory compliance

The solution enforces separation of duties with a separate database management system (DBMS) and security administration. It allows for granular and configurable auditing and reporting of access requests to protected data, policies and keys, and delivers audit management to reduce audit scope. Encrypting the sensitive data itself also helps meet regulatory compliance requirements, because encryption renders the data in question unreadable and unusable without the encryption key.

Supports live data transformation

Traditionally, deploying and managing data-at-rest encryption that involved transforming clear-text to cipher-text presented many business challenges, including requiring planned downtime or labor-intensive data cloning and synchronization. Live data transformation, which enables organizations to encrypt data without ever taking applications offline, eliminates these issues, allowing businesses to speed the data protection process while also supporting business continuity and efficiency.

How customers use it

  • Enforce encryption based upon separation of duties

    Encryption is required, but you want the level of encryption to match your users' access rights.


    Mirroring your organization’s hierarchy, our solution intelligently matches permissions to user needs, avoiding redundant procedures. Users or applications with permissions to files and databases are automatically shown decrypted content.

  • Auditing and reporting to satisfy compliance requirements

    Your organization processes sensitive information covered under HIPAA or GDPR.


    Guardium for File and Database Encryption provides access control based upon user permissions for file and database access, and supplies audit details and reports for reporting purposes.

Technical details

Software requirements

Guardium for File and Database Encryption (with and without Live Data Transformation) requires a data security module (DSM) virtual appliance deployed on a VMware hypervisor (ESXi Server 5.5 or higher). The DSM virtual appliance may require additional resources based on the number of agents that are being managed.

Please see the administrator's guide and product documentation for more detailed (or updated) requirements, but the following minimum requirements should be followed (for the DSM and the server where the agents are installed):

  • DSM Number of CPU Cores: 2 (min) and 6 (recommended); DSM RAM: 4-16 GB minimum
  • DSM Hard Disk space: 100-200 GB
  • Agent server CPU: 2 Intel E5620 2.4 GHz or higher (Quad-Core with hyperthreading)
  • Agent server RAM: 4 GB main memory (8 GB for use with LDT); Agent server Network: 1 GB port
  • Agent server Hard Disk: SATA-3 (6 GB/s) 300GB or larger
  • Agent server OS: Windows, Linux, & Unix - Please see Vormetric Data Security compatibility matrix

Hardware requirements

None required.