Encryption

The system provides optional encryption of data at rest, which protects against the potential exposure of sensitive user data and user metadata that is stored on discarded, lost, or stolen flash modules. Encryption of system data and system metadata is not required, so system data and metadata are not encrypted.

If you want to use encryption, ensure that you purchased Feature Code AF14: Encryption Enablement Pack (Plant).

Scenario 1: Initializing a new system with encryption

In this scenario, you are initializing and activating encryption on a new system that does not have any data stored on flash modules. You purchased the encryption feature code AF14 when you purchased the system. In this case, IBM® sends a total of three USB flash drives: one USB flash drive for the system and two more USB flash drives for the encryption feature code.

You can use the initialization tool to activate encryption. If encryption is activated, an encryption key is generated by the system to be used for access to encrypted data that is stored on the system. The initialization tool launches a wizard that guides you through the process of copying the encryption key to multiple USB flash drives. The following actions are considered best practices for copying and storing encryption keys:
  1. Make copies of the encryption key on at least three USB flash drives to access the system.
  2. In addition, copy the encryption keys to other forms of storage to provide resiliency and to mitigate risk, if, for example, the three USB flash drives are from a faulty batch of drives.
  3. Test each copy of the encryption key before writing any user data to the initialized system.
  4. Securely store all copies of the encryption key. As an example, any USB flash drives which are not left inserted into the system could be locked in a safe. Comparable precautions should be taken to securely protect any other copies of the encryption key stored to other forms of storage.
    Note: During the initialization, the wizard prompts you to insert two of the USB flash drives that contain the encryption keys, one into each canister. This assumes that the physical environment where the system is located is very secure.
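
As a supplementary check for practices 1 to 3 above, the following added example (not IBM code and not part of the initialization tool) compares key copies byte for byte by SHA-256 digest and reports unreadable or mismatched copies. The file name keyfile.bin, the labels, and the 32-byte sample key are assumptions constructed for the example; the check does not replace testing each copy against the system.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

MIN_USB_COPIES = 3  # best practice above: at least three USB flash drives

def sha256_of(path):
    """SHA-256 of a key copy, or None when the medium cannot be read."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except OSError:
        return None

def check_key_copies(usb, other):
    """usb/other map a unique label to the path of a key copy; returns problems."""
    digests = {label: sha256_of(p) for label, p in {**usb, **other}.items()}
    readable = [d for d in digests.values() if d is not None]
    if not readable:
        return ["no readable copy of the key"]
    # Assumption: a faulty drive corrupts its own copy, so the majority digest is good.
    reference = Counter(readable).most_common(1)[0][0]
    problems = []
    for label, d in digests.items():
        if d is None:
            problems.append(f"{label}: unreadable")
        elif d != reference:
            problems.append(f"{label}: differs from the other copies")
    good_usb = sum(1 for label in usb if digests[label] == reference)
    if good_usb < MIN_USB_COPIES:
        problems.append(f"only {good_usb} good USB copies, need {MIN_USB_COPIES}")
    if not any(digests[label] == reference for label in other):
        problems.append("no good copy on another form of storage")
    return problems

def run_case(copies):
    """Write constructed copies (label -> bytes, None = missing) and check them."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for label, data in copies.items():
            paths[label] = Path(tmp) / label / "keyfile.bin"  # hypothetical name
            if data is not None:
                paths[label].parent.mkdir()
                paths[label].write_bytes(data)
        usb = {l: p for l, p in paths.items() if l.startswith("usb")}
        other = {l: p for l, p in paths.items() if not l.startswith("usb")}
        return check_key_copies(usb, other)

KEY = bytes(range(32))  # constructed stand-in, not a real key or key format
```

Calling run_case({"usb1": KEY, "usb2": KEY, "usb3": KEY[:16], "vault": KEY}) models one drive from a faulty batch: the truncated copy is reported and the count of good USB copies falls below three.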

Scenario 2: Activating encryption after system initialization

The following situations can occur where encryption is activated after a system is initialized:
  • Adding an encryption license to a previously initialized system
  • Changing the encryption key on a previously initialized system
Both of these operations can be done only by working closely with IBM support. Both operations require that you purchase the Feature Code AF14: Encryption Enablement Pack (Plant), and require that all existing data is copied from the flash modules and stored on external storage.

To purchase the license, you must submit a request for price quotation (RPQ) to IBM support to request that the encryption feature code is applied to your system. When the feature code is purchased, IBM sends two more USB flash drives.

To activate encryption on a previously initialized system, IBM support works with you to complete the following steps:
  1. Copy all data that is stored on all virtual volumes to external storage. Before you activate encryption on a previously initialized system, you must remove all user data from the system. Move any data that must be retained to another form of resilient storage. All existing data on flash modules is effectively cryptographically erased when encryption is activated on the system.
  2. Delete all the virtual volumes and RAID arrays that were defined without encryption.
  3. Start the initialization tool and select Yes to configure a new system.
  4. On the Encryption panel, select Yes to indicate that you purchased the license and want to activate encryption.
  5. Complete the initialization tool. Ensure that copies of the encryption keys are copied to at least three USB flash drives and any additional copies to other storage that your environment requires.
  6. After the initialization tool completes, start the management GUI and run the system setup wizard. This setup wizard automatically creates an encrypted RAID array.
  7. Copy all data that was copied to external storage in step 1 back to the system.
Warning: At system startup (power on) or to access an encrypted system, the encryption key must be provided by an outside source so that the system can be accessed. The encryption key is read from the USB flash drives that store copies of the keys that were created during system initialization. If you want the system to reboot automatically, a USB flash drive with the encryption keys must be left inserted in each of the canisters, so that both canisters have access to the encryption key when they power on. This method requires that the physical environment where the system is located is very secure, so that no unauthorized person can make copies of the encryption keys on the USB flash drives and gain access to data stored on the system. For the most secure operation, do not keep the USB flash drives inserted into the canisters on the system. However, this method requires that you manually insert the USB flash drives that contain copies of the encryption key in both canisters before rebooting the system. The encryption key is required to access encrypted data, and resides only on the USB flash drive copies and on any additional copies made on other forms of storage. The encryption key cannot be recovered or regenerated by IBM if all user-maintained copies are lost or unrecoverable.

Feature Code AF14: Encryption Enablement Pack (Plant) is required for support

If you activate encryption by selecting Yes, to obtain further IBM support, you must provide proof of purchase of the encryption feature code (FC AF14: Encryption Enablement Pack (Plant)).

IBM support by RPQ is required to circumvent the following restrictions:
  • Encryption cannot be activated or deactivated after the system is initialized.
  • The encryption key cannot be changed.