Disk Security Components; Ds3500 Disk Encryption Manager - IBM System Storage DS3500 Introduction And Implementation Manual

With this relationship, the correct keys, and authentication in place, the FDE drive encrypts
data written to it and decrypts data read from it. If the disk is removed and someone
attempts to read its data, as shown in Figure 15-2, that user will not have the appropriate
authorization: data cannot be read from or written to the drive without first authenticating
with the DS3500 Disk Encryption Manager, which unlocks the drive.
Figure 15-2 Unauthorized access to the drive results in the data remaining encrypted (figure legend: Authorization Flow, Data Flow)

15.2 Disk Security components

This feature introduces a number of new components, which are detailed in this section.
All of them are managed by the Storage Manager (V10.70.x and higher).

15.2.1 DS3500 Disk Encryption Manager

The Disk Encryption Manager on the DS3500 system maintains and controls the key linkage
and communications with FDE drives. It will be included with the firmware and Storage
Manager. It:
• Provides all the management tools necessary to quickly and simply enable and secure
  FDE drives.
• Establishes and manages a single authorization scheme for all the FDE drives in a
  DS3500 storage subsystem.
  – Places FDE drives in a secured state.
  – Defines secure arrays.
  – Supports the decommissioning or re-purposing of drives with Instant Secure Erase.
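
The following is an added example, not code from the IBM manual or the DS3500 firmware: a toy Python model of the behaviour described above, where a secured drive that has been removed stays unreadable until it is unlocked with the security key, and Instant Secure Erase makes old data unrecoverable. The class, the key-wrapping scheme, the SHA-256 keystream standing in for the drive's hardware cipher, and erase-by-replacing-the-key are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream; a stand-in for the drive's hardware cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class ModelFDEDrive:
    """Hypothetical model of an FDE drive (assumed design, not the DS3500's)."""
    def __init__(self):
        self._dek = os.urandom(32)  # data encryption key, generated inside the drive
        self._wrapped = None        # DEK wrapped under the security key once secured
        self.media = b""            # raw bytes an off-array reader would see

    def secure(self, security_key: bytes) -> None:
        self._salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", security_key, self._salt, 10_000)
        self._wrapped = _xor_stream(kek, self._dek)  # secured state: DEK tied to the key
        self._check = hashlib.sha256(self._dek).digest()

    def power_cycle(self) -> None:
        if self._wrapped is not None:  # pulling a secured drive leaves it locked
            self._dek = None

    def unlock(self, security_key: bytes) -> bool:
        if self._wrapped is None:      # never secured, nothing to unlock
            return True
        kek = hashlib.pbkdf2_hmac("sha256", security_key, self._salt, 10_000)
        dek = _xor_stream(kek, self._wrapped)
        ok = hmac.compare_digest(hashlib.sha256(dek).digest(), self._check)
        if ok:
            self._dek = dek
        return ok

    def write(self, data: bytes) -> None:
        self.media = _xor_stream(self._require_dek(), data)

    def read(self) -> bytes:
        return _xor_stream(self._require_dek(), self.media)

    def _require_dek(self) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked: authorization failed or not attempted")
        return self._dek

    def instant_secure_erase(self) -> None:
        self._dek, self._wrapped = os.urandom(32), None  # old ciphertext is now orphaned
```

In this model the erased drive returns to an unsecured state, so it can be secured again with a new key and re-purposed.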
IBM System Storage DS3500: Introduction and Implementation Guide
Draft Document for Review March 28, 2011 12:24 pm
[Figure 15-2 labels: Reading from the Drive; Decryption Process; Data Encryption Key; Data on Drive; "Data cannot be read if authorization fails"]
