encrypted data at rest on powered-off disk drives. That is, it prevents someone from removing
a shelf or drive and mounting it on an unauthorized system. This protection minimizes the risk
of unauthorized access to data if drives are stolen from a facility or compromised during
physical movement of the storage array between facilities.
Additionally, self-encryption prevents unauthorized data access when drives are returned as
spares or after a drive failure. This protection includes cryptographic shredding of data for
non-returnable disk (NRD) and disk repurposing scenarios, and simplified disposal of the drive
through disk destroy commands. These processes render a disk completely unusable, which
greatly simplifies the disposal of drives and eliminates the need for costly, time-consuming
physical drive shredding.
Remember that all data on the drives is automatically encrypted. If you do not want to track
where the most sensitive data is, or risk it being outside an encrypted volume, use NSE to
ensure that all data is encrypted.
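As an added illustration (not code from this guide or from the product), the following toy model shows why the two properties above hold: a drive pulled from its system holds only ciphertext and a wrapped key it cannot unwrap without the externally held authentication key, and a disk destroy command needs only to replace the drive's data encryption key (DEK). The SelfEncryptingDrive class, the HMAC-SHA256 keystream and the sample sector are constructed stand-ins for the drive's hardware AES-256 and for an authentication key that would normally come from a KMIP key manager.

```python
"""Toy self-encrypting drive: lock on power-off, DEK wrapped under an external
authentication key, cryptographic shredding. Constructed model, not IBM/NetApp
code; HMAC-SHA256 counter mode stands in for the drive's hardware AES-256."""
import hashlib, hmac, os

SECTOR = 16  # constructed: tiny sectors keep the demo readable

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(dek, lba):  # one keystream block per sector, LBA as the counter
    return hmac.new(dek, lba.to_bytes(8, "big"), hashlib.sha256).digest()[:SECTOR]

class SelfEncryptingDrive:
    def __init__(self, auth_key):
        self._media = {}                     # lba -> ciphertext only
        self._dek = os.urandom(32)           # generated on the drive, never exported
        # Only the wrapped DEK and a check value persist on the drive; the
        # authentication key itself lives in the key manager (KMIP server).
        self._wrapped = _xor(self._dek, hashlib.sha256(auth_key).digest())
        self._check = hashlib.sha256(b"chk" + auth_key).digest()
        self._unlocked = True
    def power_off(self):                     # plaintext DEK is gone; drive locks
        self._dek, self._unlocked = None, False
    def unlock(self, auth_key):
        if not hmac.compare_digest(self._check, hashlib.sha256(b"chk" + auth_key).digest()):
            return False                     # wrong key: stays locked
        self._dek, self._unlocked = _xor(self._wrapped, hashlib.sha256(auth_key).digest()), True
        return True
    def write(self, lba, data):
        assert self._unlocked and len(data) == SECTOR
        self._media[lba] = _xor(data, _keystream(self._dek, lba))
    def read(self, lba):                     # a locked drive exposes no data
        return None if not self._unlocked else _xor(self._media[lba], _keystream(self._dek, lba))
    def crypto_shred(self):
        # Disk destroy: new DEK. Ciphertext stays on the platters, but no key anywhere can decrypt it.
        self._dek, self._wrapped, self._unlocked = os.urandom(32), None, True

def demo():
    auth_key = os.urandom(32)                # normally fetched from the KMIP server
    drive, secret = SelfEncryptingDrive(auth_key), b"card-data-sector"  # constructed
    drive.write(7, secret)
    out = {"plain": drive.read(7)}
    drive.power_off()                        # drive pulled and mounted elsewhere
    out["stolen"], out["wrong_key"] = drive.read(7), drive.unlock(os.urandom(32))
    drive.unlock(auth_key)
    out["restored"] = drive.read(7)
    drive.crypto_shred()
    out["after_shred"] = drive.read(7) == secret  # old sector now decrypts to noise
    return out
```

The same ciphertext remains on the media after crypto_shred; it is the absence of any key able to decrypt it, not overwriting, that makes the old data unrecoverable.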
5.5.4 Effect of self-encryption on Data ONTAP features
Self-encryption operates below all Data ONTAP features such as SnapDrive, SnapMirror, and
even compression and deduplication. Interoperability with these features should be
transparent. SnapVault and SnapMirror are both supported, but in order for data at the
destination to be encrypted, the target must be another self-encrypted system.
SnapLock cannot be combined with self-encryption. Therefore, simultaneous operation of
SnapLock and self-encryption is not possible. This limitation is being evaluated for a future
release of Data ONTAP. MetroCluster is not currently supported because of the lack of
support for the SAS interface. Support for MetroCluster is currently targeted for a future
release of Data ONTAP.
5.5.5 Mixing drive types
In Data ONTAP 8.1, all drives installed within the storage platform must be self-encrypting
drives. The mixing of encrypted with unencrypted drives or shelves across a stand-alone
platform or high availability (HA) pair is not supported.
5.5.6 Key management
This section provides more detailed information about key management.
Overview of KMIP
Key Management Interoperability Protocol (KMIP) is an encryption key interoperability
standard created by a consortium of security and storage vendors (OASIS). Version 1.0 was
ratified in September 2010, and participating vendors have since released compatible
products. KMIP appears to have superseded IEEE P1619.3, an earlier proposed standard.
With KMIP-compatible tools, organizations can manage their encryption keys from a single
point of control. This approach improves security, reduces complexity, and achieves regulatory
compliance more quickly and easily. It is a huge improvement over the current approach of
using many different encryption key management tools for many different business purposes
and IT assets.
IBM System Storage N series Hardware Guide