Chapter 3. IBM System Storage DS3500 Storage System planning tasks
Draft Document for Review March 28, 2011 12:24 pm
3.4.4 Drive Security
Drive Security is a new premium feature in which Full Disk Encryption (FDE) protects the
data on the disks only when the drives are removed from storage subsystem enclosures.
Drive Security requires security capable (FDE) drives and, when enabled, provides access to
data only through a controller that has the correct security key.
Requirements
Businesses must comply with a growing number of corporate standards and government
regulations. Drive Security is one tool that can enhance security, thus helping to comply with
these new standards and regulations.
Full Disk Encryption
Full Disk Encryption (FDE) does not prevent someone from copying the data in the storage
subsystems through Fibre Channel host port connections when the drives are unlocked and
operating. FDE also does not prevent unauthorized management access. A security capable
drive encrypts data during writes and decrypts data during reads. What FDE prevents is
someone physically removing a disk from the DS3500 system and interpreting the data it
contains. An FDE drive with Drive Security enabled is locked on power up and unlocks only
after successful authentication with the DS3500 system.
The encryption key is generated by the drive and never leaves the drive, so it always stays
secure. It is stored in encrypted form, and the drive performs symmetric encryption and
decryption of data at full disk speed with no impact on disk performance. Each FDE drive
uses its own unique encryption key, which is generated when the disk is manufactured and
regenerated when required by the storage administrator using the DS3500 Disk Encryption
Manager.
The security enabled drives can be used as normal drives and intermixed in an array with
drives of equal type and capacity when this feature is not enabled. This new feature is
detailed in IBM Midrange System Storage Hardware Guide, SG24-7676.
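The protection boundary described in this section, shown as an added Python model that is not taken from the IBM documentation: data is readable through the unlocked drive, a power-cycled drive stays locked without the correct security key, the raw media holds only ciphertext, and regenerating the encryption key makes existing data unreadable. The FdeDrive class, its method names, the SHA-256 verifier and the toy keystream cipher are assumptions for illustration; how a real drive stores its key in encrypted form is not modeled.

```python
import hashlib, hmac, os

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 counter keystream), a stand-in for the drive's hardware cipher."""
    blocks = range(len(data) // 32 + 1)
    pad = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in blocks)
    return bytes(b ^ p for b, p in zip(data, pad))

class FdeDrive:
    """Hypothetical model of an FDE drive with Drive Security enabled."""
    def __init__(self, security_key: bytes):
        self._enc_key = os.urandom(32)   # generated inside the drive, never exported
        self._verifier = hashlib.sha256(security_key).digest()  # assumed auth check
        self.media = b""                 # raw bytes on the disk, as seen without the drive logic
        self.locked = True               # locked at power up

    def power_cycle(self) -> None:
        self.locked = True               # pulling the drive from the enclosure implies this

    def unlock(self, security_key: bytes) -> bool:
        ok = hmac.compare_digest(hashlib.sha256(security_key).digest(), self._verifier)
        self.locked = self.locked and not ok
        return ok

    def write(self, data: bytes) -> None:
        if self.locked:
            raise PermissionError("drive is locked")
        self.media = xor_stream(self._enc_key, data)    # encrypt on write

    def read(self) -> bytes:
        if self.locked:
            raise PermissionError("drive is locked")
        return xor_stream(self._enc_key, self.media)    # decrypt on read

    def regenerate_key(self) -> None:
        self._enc_key = os.urandom(32)   # existing ciphertext can no longer be decrypted

def demo() -> dict:
    ctrl_key, record = b"constructed-controller-key", b"constructed payroll record 0001"
    drive = FdeDrive(ctrl_key)
    drive.unlock(ctrl_key)
    drive.write(record)
    result = {"host_read_while_unlocked": drive.read() == record}  # FDE does not stop this
    drive.power_cycle()                  # drive removed and powered up elsewhere
    result["wrong_key_unlocks"] = drive.unlock(b"constructed-other-key")
    result["raw_media_is_plaintext"] = drive.media == record
    drive.unlock(ctrl_key)
    drive.regenerate_key()
    result["readable_after_regenerate"] = drive.read() == record
    return result
```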
3.4.5 Obtaining premium features key
You can generate the feature key file by using the premium feature activation tool that is
located at the following Web site:
http://www-912.ibm.com/PremiumFeatures/jsp/keyInput.jsp
The key can then be added to your DS3500 system as detailed in “Premium Features” on
page 200.
3.5 Additional planning considerations
In this section, we review additional elements to consider when planning your DS3500
Storage Systems using a Logical Volume Manager and virtualization options.
Note: ERM requires a dedicated switched fabric connection per controller to be attached
to Host port 4 on both A and B controllers of the DS3500 FC HIC option.
This same dedication is required at both the source and target ends of the ERM solution.