IBM N Series Hardware Manual page 77

System storage

Communication with the KMIP server
Self-encryption uses Secure Sockets Layer (SSL) certificates to establish secure
communications with the KMIP server. These certificates need to be in Base64-encoded
X.509 PEM format, and can be either self-signed or signed by a certificate authority (CA).
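A pre-flight check for the certificate format requirement above, given as an added example that is not from the IBM manual or Data ONTAP. The function name `check_kmip_cert` and the sample certificates are hypothetical and constructed. Matching issuer and subject is reported as self-issued without verifying the signature.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate; return the raw issuer and subject Names."""
    tag, pos, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    tag2, pos, _ = read_tlv(der, pos)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 Certificate SEQUENCE")
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        pos = end
    names = []
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        start, (_, _, pos) = pos, read_tlv(der, pos)
        names.append(der[start:pos])
    return names[2], names[4]

def check_kmip_cert(data: bytes) -> str:
    m = PEM_RE.search(data.decode("latin-1"))
    if not m:
        return "not PEM"                  # e.g. a binary DER file: no BEGIN/END armor
    if m.group(1) != "CERTIFICATE":
        return "wrong PEM label"          # e.g. a PKCS#7 bundle or a private key
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        issuer, subject = issuer_and_subject(der)
    except (ValueError, IndexError):
        return "bad X.509 body"
    return "self-issued" if issuer == subject else "CA-issued"

# Constructed sample input: an unsigned DER skeleton holding only the fields the walker reads.
def tlv(tag, val): return bytes([tag, len(val)]) + val
def sample_pem(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, cn))))
    tbs = tlv(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + name(issuer_cn)
              + b"\x30\x00" + name(subject_cn) + b"\x30\x00")
    der = tlv(0x30, tbs + b"\x30\x00\x03\x01\x00")
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```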

Supported key managers
Self-encryption with Data ONTAP 8.1 supports the IBM Tivoli Key Lifecycle Manager Version 2
server for key management. Other KMIP-compliant key managers are being evaluated as they
come onto the market and will follow.
Self-encryption supports up to four key managers simultaneously for high availability of the
authentication key. Figure 5-10 shows authentication key use in self-encryption. It
demonstrates how the Authentication Key (AK) is used to wrap the Data Encryption Key
(DEK) and is backed up to an external key management server.

Figure 5-10 Authentication key use

Tivoli Key Lifecycle Manager
Obtaining that central point of control requires more than just an open standard. It also
requires a dedicated management solution designed to capitalize on it. IBM Tivoli Key
Lifecycle Manager version 2 gives you the power to manage keys centrally at every stage of
their lifecycles.
Tivoli Key Lifecycle Manager serves keys transparently to encrypting devices and handles key
management, making it simple to use. Furthermore, it is easy to install and configure.
Because it demands no changes to applications and servers, it is a seamless fit for virtually
any IT infrastructure.
For these reasons, IBM has led the IT industry in developing and promoting an exciting new
security standard: Key Management Interoperability Protocol (KMIP). KMIP is an open
standard designed to support the full lifecycle of key management tasks from key creation to
key retirement.
57
Chapter 5. Expansion units
