Seagate 15K.2 Self-Encrypting Drives for Servers, NAS, and SAN Arrays - Page 8

Key Management and Managing Auto-Locking, Self-Encrypting Drives

Figure 3

When the SED is used in auto-lock mode, the SED requires an authentication key from an outside source before the drive will unlock for read/write operations. A data center containing auto-locking Self-Encrypting Drives utilizes a key-management service that stores, manages and serves authentication keys, and a storage system that passes these authentication keys to the correct drive (see Figure 3). Seagate, IBM and LSI have collaboratively worked to bring together technologies from their respective organizations and deliver complete self-encrypting solutions, such as in the IBM System Storage DS8000 and the IBM System Storage DS5000.

In addition to its traditional functions, the storage system also defines secure volume groups, obtains the authentication keys from the key management service and passes the key to the correct drive. The orange line in Figure 3 denotes this operation. In this way the storage system makes the encryption function transparent to the hosts, OS, databases and applications.

Once authentication is completed during power-up, encryption is fully transparent to the storage system, which can perform its traditional functions normally. In Figure 3, the dark gray line denotes the data flow that is clear text data. Storage systems are optimized for unencrypted data for data compression and de-duplication.

A key management service may employ software- or hardware-based key stores in order to create, assign and manage the relevant authentication and encryption keys across the enterprise. Effective key management should integrate well into an organization's existing security policies, to help ensure that both the service and the keys themselves are well protected from unauthorized access.

Moreover, an effective key management system should include backup, synchronization, life-cycle management, auditing and long-term retention capabilities. Deployment of a key management service is greatly simplified when it's possible to take advantage of an organization's existing high-availability and disaster-recovery solution.

The IBM Tivoli Key Lifecycle Manager (formerly Encryption Key Manager) is a Java-based software program that can generate, protect, store and maintain authentication keys that are used with IBM self-encrypting tape drives and with the IBM System Storage DS8000 with full disk encrypting drives. As a Java application, IBM Tivoli Key Lifecycle Manager operates on z/OS, i5/OS, AIX, Linux, HP-UX, Sun Solaris and Windows operating systems, and is designed to be a shared resource which can be deployed in several locations within an enterprise to help ensure the application is highly available. With its platform neutrality and its ability to take advantage of the existing security policies and high-availability environment in an organization's most secure server platform, IBM Tivoli Key Lifecycle Manager offers a simple and effective method for managing the growing number of encryption keys across the enterprise.
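The auto-lock power-up flow described above, as a constructed Python model added here (not Seagate, IBM or LSI code): the drive generates its media encryption key internally and holds it only wrapped under a key derived from the authentication key, the storage system fetches that authentication key from the key management service at power-up, and the service records every request for auditing. The class names, the PBKDF2 derivation, the XOR wrap with an HMAC check, and the audit tuple format are illustrative assumptions, not how any real SED or TKLM implements them.

```python
import hashlib, hmac, secrets

def _kdf(auth_key, salt):  # stand-in for the drive's internal key derivation
    return hashlib.pbkdf2_hmac("sha256", auth_key, salt, 10_000, dklen=32)
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SelfEncryptingDrive:
    """Toy auto-locking SED: the media encryption key (MEK) is generated on the
    drive and held only wrapped under a key derived from the authentication key."""
    def __init__(self, serial, auth_key):
        self.serial, self.salt = serial, secrets.token_bytes(16)
        kek = _kdf(auth_key, self.salt)
        self.wrapped_mek = _xor(secrets.token_bytes(32), kek)  # simplified key wrap
        self.check = hmac.new(kek, self.wrapped_mek, "sha256").digest()
        self.power_on()
    def power_on(self):
        self.mek = None  # auto-lock: every power cycle starts locked
    def unlock(self, auth_key):
        kek = _kdf(auth_key, self.salt)
        tag = hmac.new(kek, self.wrapped_mek, "sha256").digest()
        if not hmac.compare_digest(tag, self.check):
            return False  # wrong key: MEK stays wrapped, media stays ciphertext
        self.mek = _xor(self.wrapped_mek, kek)
        return True
    def read(self):
        if self.mek is None:
            raise PermissionError(f"{self.serial} is locked")
        return b"clear text data"  # dark gray line in Figure 3: plaintext to the array

class KeyManagementService:
    """Stores and serves authentication keys by drive serial; audits every request."""
    def __init__(self):
        self._keys, self.audit = {}, []
    def enroll(self, serial):
        self._keys[serial] = secrets.token_bytes(32)
        return self._keys[serial]
    def get_auth_key(self, serial, requester):
        self.audit.append((requester, serial, serial in self._keys))
        return self._keys.get(serial)

class StorageSystem:
    """At power-up, fetches each drive's key from the KMS and unlocks it (orange line)."""
    def __init__(self, name, kms):
        self.name, self.kms, self.drives = name, kms, []
    def power_up(self):
        status = {}
        for d in self.drives:
            d.power_on()
            key = self.kms.get_auth_key(d.serial, self.name)
            status[d.serial] = key is not None and d.unlock(key)
        return status
```

A drive whose authentication key never reached the key management service stays locked after power-up, which is why the page stresses backup, synchronization and retention for the key store.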
