Full Data Encryption (FDE) Disks; Premium Feature License; Keys - IBM System Storage DS3500 Introduction And Implementation Manual


Draft Document for Review March 28, 2011 12:24 pm
With this function you can record the security key ID, the pass phrase, and the secure file
location in a safe place.
Using the FDE drive, it generates and encrypts a security key:
– Creates a unique security key ID that is paired with the security key.
– Adds a randomly generated number.
– The security key ID is saved. This folder location will be needed whenever a security
operation requires the key ID (for example, when a drive powers up).
– Creates a backup of the security key and the security key identifier.
– A secure backup is provided in which the security key and the security key identifier are
encrypted utilizing a user-selected pass phrase.

15.2.2 Full Data Encryption (FDE) disks

FDE drives are required to enable Disk Security. You must use Serial Attached SCSI (SAS)
disks with a speed of up to 15,000 rpm. These disks include:
– ST9146852SS 6Gb/s SAS 2.0 2.5-inch 147GB 15k
– ST9300503SS 6Gb/s SAS 2.0 2.5-inch 300GB 10k
– ST3300657SS 6Gb/s SAS 2.0 3.5-inch 300GB 15k
– ST3600957SS 6Gb/s SAS 2.0 3.5-inch 600GB 15k

15.2.3 Premium feature license

The DS3500 requires that the Full Disk Encryption premium feature be installed and enabled
for Disk Security to function. See 3.4, "Planning for premium features" on page 70 for details
about this topic.

15.2.4 Keys

There are two types of keys that are used with Drive Security and FDE drives:
– The encryption key is generated by the drive and never leaves the drive, so it always stays
secure. It is stored in encrypted form and performs symmetric encryption and decryption
of data at full disk speed with no impact on disk performance. Each FDE drive uses its own
unique encryption key that is generated when the disk is manufactured and regenerated
when required by the storage administrator using the DS3500 Disk Encryption Manager.
– The lock key or security key is a 32 byte random number that authenticates the drive with
the DS3500 Disk Encryption Manager using asymmetric encryption for authentication.
When the FDE drive is secure "enabled", it has to authenticate with the Disk Encryption
Manager or it will not return any data and remains locked. After the drive has been
authenticated, access to the drive operates like any other disk drive. One security key is
created for all FDE drives on the DS3500 storage subsystem, where it is generated,
encrypted, and hidden in the subsystem (NVSRAM). The authentication only occurs
typically after the FDE has powered up, where it will be in a "locked" state.
If the lock key is not initially established between the DS3500 Disk Encryption Manager
and the disk, then the disk is considered unlocked with access unlimited, as per a
non-FDE drive.
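
The drive behaviour described in 15.2.4, as an added Python model that is not taken from the IBM manual or from DS3500 firmware. `FdeDriveModel` and its method names are hypothetical; the SHA-256 keystream stands in for the drive's real cipher, and a digest comparison stands in for the asymmetric authentication exchange.

```python
import hashlib, hmac, secrets

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in for the drive's symmetric cipher (SHA-256 counter keystream); model only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class FdeDriveModel:
    """Constructed model of the drive states described in 15.2.4."""
    def __init__(self):
        self._enc_key = secrets.token_bytes(32)  # generated in the drive, never exported
        self._lock_digest = None                 # no lock key established yet
        self._locked = False
        self._media = b""

    def enable_security(self, lock_key: bytes) -> None:
        if len(lock_key) != 32:
            raise ValueError("lock key is a 32 byte random number")
        self._lock_digest = hashlib.sha256(lock_key).digest()

    def power_cycle(self) -> None:
        # Secure-enabled drives power up locked; unsecured drives stay open.
        self._locked = self._lock_digest is not None

    def unlock(self, lock_key: bytes) -> bool:
        # Simplification: digest comparison instead of the asymmetric exchange.
        if self._lock_digest is None:
            return True
        ok = hmac.compare_digest(hashlib.sha256(lock_key).digest(), self._lock_digest)
        if ok:
            self._locked = False
        return ok

    def _check(self) -> None:
        if self._locked:
            raise PermissionError("drive locked: authenticate first")
    def write(self, data: bytes) -> None:
        self._check()
        self._media = _xor_stream(self._enc_key, data)
    def read(self) -> bytes:
        self._check()
        return _xor_stream(self._enc_key, self._media)

    def regenerate_encryption_key(self) -> None:
        # Old ciphertext stays on the media but no longer decrypts.
        self._check()
        self._enc_key = secrets.token_bytes(32)
```

In the model, a drive with no lock key stays readable across a power cycle, a secure-enabled drive refuses reads until `unlock` succeeds, and regenerating the encryption key leaves earlier data unrecoverable.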
Chapter 15. Disk Security with Full Disk Encryption drives