When considering encryption at your installation, consider the following factors.
As the availability of encryption-capable devices becomes more pervasive, more and more data will be migrated from non-encrypted storage to encrypted storage. Even if the key servers are initially configured correctly, it is possible that a storage administrator might accidentally migrate data required by the key server from non-encrypted to encrypted storage.
Generally, the many layers of virtualization in the I/O stack hierarchy make it difficult for the installation to maintain an awareness of where all the files (necessary to make the key server, and its associated keystore, available) are stored. The key server can access its data through a database that runs on a file system that runs on a logical volume manager, which communicates with a storage subsystem that provisions logical volumes with capacity obtained from other subordinate storage arrays. The data required by the key server might end up provisioned over various storage devices, each of which can be independently encryption capable or encryption enabled.
Consolidation of servers and storage tends to drive data migration and tends to move increasingly more data under a generalized shared storage environment. This storage environment will become encryption capable as time goes on.
All IBM server platforms support fabric-attached boot devices and storage. Certain servers do not support internal boot devices. Therefore, boot devices are commonly present within the generalized storage environment. These storage devices are accessible to generalized storage management tools that support data management and relocation.
To mitigate the risk of an encryption deadlock, you must be directly involved in managing the encryption environment.
Important: Any data required to make the Tivoli Key Lifecycle Manager key server operational must not be stored on an encrypted storage device that is managed by this particular key server. This situation is referred to as an encryption deadlock. It is similar to having a bank vault that is unlocked with a combination where the only copy of the combination is locked inside the vault.
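The check that a storage administrator would want before migrating key-server data is a walk down exactly the layered stack described above (file system, logical volume, subsystem volume, subordinate array), flagging any layer that is encryption enabled with keys served by the key server whose files sit on top of it. The following Python is an added example, not code from the IBM Redbook or the Tivoli Key Lifecycle Manager product; the device names, the key server names tklm1 and tklm2, and the layering in the sample topology are constructed for illustration.

```python
"""Encryption-deadlock check across a layered (virtualized) storage stack.

Added example, not part of the IBM Redbook or the Tivoli Key Lifecycle Manager
product. It models the chapter's scenario: the key server's required data
(keystore, configuration, DB2 tables, ...) lives on a file system, which sits on
a logical volume, which sits on a storage-subsystem volume, which may draw its
capacity from a subordinate array. If any layer in that chain is encrypted with
keys that this same key server serves, the server cannot come up on its own:
an encryption deadlock.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    """One layer in the I/O stack: file system, logical volume, subsystem volume, array."""
    name: str
    encryption_enabled: bool = False
    key_server: Optional[str] = None                      # key server serving this device's keys
    backed_by: List[str] = field(default_factory=list)    # devices this one is provisioned from


Topology = Dict[str, Device]


def resolve_chain(topology: Topology, top: str) -> List[str]:
    """Return `top` and every device it ultimately depends on, depth first.

    A visited set guards against cycles in a malformed topology. Names that are
    not in the topology are treated as leaf devices outside the modelled stack.
    """
    seen: set = set()
    chain: List[str] = []
    stack = [top]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        chain.append(name)
        if name in topology:
            stack.extend(reversed(topology[name].backed_by))
    return chain


def find_deadlocks(topology: Topology, key_server: str,
                   required: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report (resource, device) pairs that would deadlock `key_server`.

    `required` maps each resource the key server needs in order to start to the
    top-level device (usually a file system) it is stored on. A hit is any device
    in that resource's chain that is encryption enabled and keyed by `key_server`.
    """
    hits: List[Tuple[str, str]] = []
    for resource, top in required.items():
        for name in resolve_chain(topology, top):
            dev = topology.get(name)
            if dev is not None and dev.encryption_enabled and dev.key_server == key_server:
                hits.append((resource, name))
    return hits


# Constructed sample stack for a key server called "tklm1" (hypothetical names).
SAMPLE_TOPOLOGY: Topology = {
    # Internal disk of the key server host: unencrypted, nothing below it.
    "local_sda": Device("local_sda"),
    "fs_opt_tklm": Device("fs_opt_tklm", backed_by=["local_sda"]),
    # Shared SAN storage: file system on a logical volume on a subsystem volume
    # whose capacity comes from a rank that is encryption enabled and keyed by tklm1.
    "ds8000_rank3": Device("ds8000_rank3", encryption_enabled=True, key_server="tklm1"),
    "ds8000_vol_0207": Device("ds8000_vol_0207", backed_by=["ds8000_rank3"]),
    "lv_db2": Device("lv_db2", backed_by=["ds8000_vol_0207"]),
    "fs_db2": Device("fs_db2", backed_by=["lv_db2"]),
    # Encrypted capacity keyed by a different key server: not a deadlock for tklm1.
    "ds8000_rank9": Device("ds8000_rank9", encryption_enabled=True, key_server="tklm2"),
    "fs_audit": Device("fs_audit", backed_by=["ds8000_rank9"]),
}

# Where tklm1's required data lives before and after a storage administrator
# migrates the DB2 tables onto the shared, encrypted subsystem (constructed).
REQUIRED_BEFORE = {"keystore": "fs_opt_tklm", "config": "fs_opt_tklm",
                   "db2_tables": "fs_opt_tklm", "audit_log": "fs_audit"}
REQUIRED_AFTER = dict(REQUIRED_BEFORE, db2_tables="fs_db2")


if __name__ == "__main__":
    for label, req in (("before migration", REQUIRED_BEFORE), ("after migration", REQUIRED_AFTER)):
        hits = find_deadlocks(SAMPLE_TOPOLOGY, "tklm1", req)
        print(f"{label}: {'OK' if not hits else 'DEADLOCK ' + str(hits)}")
```

Running the block prints OK for the original layout and a deadlock for the migrated one, because fs_db2 resolves through lv_db2 and ds8000_vol_0207 down to ds8000_rank3, which is keyed by tklm1. The audit log on capacity keyed by tklm2 is not reported, since the check is deliberately scoped to the key server whose own data is at risk; in practice the same walk should be run for every key server so that a mutual dependency between two of them is also caught.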
© Copyright IBM Corp. 2010. All rights reserved. 49
Chapter 3.
IBM storage encryption methods
In this chapter, we describe the Tivoli Key Lifecycle Manager and the Encryption Key Manager (EKM), both of which are Java software programs that manage keys enterprise-wide and provide encryption-enabled disk and tape drives with keys for encryption and decryption.
The Tivoli Key Lifecycle Manager is the follow-on product to EKM that adds a graphical interface and additional life cycle key management functionality.
For IBM disks (specifically, the IBM System Storage DS8000), we describe the disk encryption mechanism that is used, and how Tivoli Key Lifecycle Manager is used to manage the keys and so enable disk encryption.
For IBM tape, we describe the various methods of managing encryption. These methods differ in respect to where the encryption policies reside, where key management is performed, whether a key manager is required, and, if a key manager is required, how the tape drives communicate with it. IBM supports three methods of encrypting data on tape:
System-Managed Encryption (SME)
Library-Managed Encryption (LME)
Application-Managed Encryption (AME)
Only two of these methods, SME and LME, require the implementation of an external key manager, such as the Tivoli Key Lifecycle Manager or EKM, to provide and manage keys.
With AME, key provisioning and key management are handled by the application.
When describing the tape and disk encryption methods, we trace the flow of data and keys.
We explain how the disk and tape drives communicate with the key manager (or, in the case of tapes, the application, if AME is the method) and how symmetric keys and asymmetric keys are transferred to the drive. For AME, we describe how the application communicates with the tape drives.
In each section, we briefly describe the criteria that can influence your decision for or against a specific encryption method. For more information, see Chapter 10, “Planning for software and hardware to support tape drives” on page 191.
3.1 Tivoli Key Lifecycle Manager
In your enterprise, a large number of symmetric keys, asymmetric keys, and certificates can exist and all of these keys and certificates have to be managed. Key management can be handled either internally by an application, such as the IBM Tivoli Storage Manager, or externally by a key manager. The IBM approach to key management revolves around IBM Tivoli Key Lifecycle Manager, a product announced in 2008 that is enhanced in phases. From an initial focus on key management for tape and disk encryption, IBM plans to expand Tivoli Key Lifecycle Manager into a centralized key management facility for managing encryption across a range of deployments.
The Tivoli Key Lifecycle Manager product is an application that performs key management tasks for IBM encryption-enabled hardware, such as the IBM System Storage DS8000 Series family and IBM encryption-enabled tape drives (TS1120 and TS1130 tape drives and Linear Tape-Open (LTO) Ultrium 4 Tape Drives). Tivoli Key Lifecycle Manager provides, protects, stores, and maintains encryption keys that are used to encrypt information being written to, and decrypt information being read from, an encryption-enabled disk or tape. Tivoli Key Lifecycle Manager is supported on a variety of operating systems. Version 1.0 of Tivoli Key Lifecycle Manager supports these operating systems:
AIX 5.3 and AIX 6.1: 64 bit
Red Hat Enterprise Linux AS V4.0 x86: 32 bit
SUSE Linux Enterprise Server V9.0 and V10 x86: 32 bit
Sun Server Solaris 10 Sparc: 64 bit
Microsoft Windows Server 2003 R2: x86: 32 bit
z/OS V1 Release 9 or later
Fix Pack 1 (available April 2009) added additional platform support:
Red Hat Enterprise Linux 5 32 bit
Red Hat Enterprise Linux 5 64 bit (32-bit mode application)
Solaris 9 SPARC 64 bit
SUSE Linux Enterprise Server 10 64 bit (32-bit mode application)
Windows Server 2003 64 bit (32-bit mode application)
Windows Server 2008 32 bit
Windows Server 2008 64 bit (32-bit mode application)
Interim Fix Packs 1A and 2 (available September 2009) did not add any additional platform support.
Tivoli Key Lifecycle Manager is designed to be a shared resource deployed in several locations within an enterprise, and it is capable of serving many IBM encrypting devices regardless of where those drives reside. Tivoli Key Lifecycle Manager communicates with the managed storage devices using TCP/IP.
DS8000: For the DS8000, an independent Tivoli Key Lifecycle Manager key server is required. This server is provided by IBM when a DS8000 is ordered and currently consists of an IBM System x running SUSE Linux Enterprise Server (SLES) 9.0 with storage not provisioned on the DS8000 to prevent a possible deadlock situation (see 3.4.2, “Encryption deadlock” on page 67). Additionally, you can deploy secondary key servers on any of the previously mentioned platforms.
Chapter 3. IBM storage encryption methods 51
3.1.1 Tivoli Key Lifecycle Manager components and resources
The purpose of the Tivoli Key Lifecycle Manager is to serve keys to encrypting disk or tape drives. The Tivoli Key Lifecycle Manager does not perform any cryptographic operations, such as generating encryption keys or encrypting data, and it does not provide storage for keys and certificates. To perform these tasks, Tivoli Key Lifecycle Manager has to rely on external components, which are typically provided by standard Java services, especially for non-z/OS implementations. In addition to the key-serving function, the Tivoli Key Lifecycle Manager also provides the following functions:
Life cycle functions:
– Notification of certificate expiration through the Tivoli Integrated Portal
– Automated rotation of certificates
– Automated rotation of groups of keys
Usability functions:
– A graphical user interface (GUI)
– Configuration wizards
– Migration wizards
Integrated backup and restore of Tivoli Key Lifecycle Manager files
One button to create and restore a single backup that is packaged as a JAR file
Tivoli Integrated Portal installation manager:
– Simple-to-use installation for Microsoft Windows, Linux, AIX, or Solaris
– Silent installation option
The distributed version of the Tivoli Key Lifecycle Manager solution is implemented as an application within Tivoli Integrated Portal and consists of Tivoli Integrated Portal, the Tivoli Key Lifecycle Manager server, an IBM embedded WebSphere Application Server, and a database server (IBM DB2).
Figure 3-1 on page 52 shows the Tivoli Key Lifecycle Manager components and external resources.
More information: In Tivoli Key Lifecycle Manager, the drive table, LTO key group, and metadata are all kept in DB2 tables. The Tivoli Key Lifecycle Manager DB2 tables enable the user to search and query that information much more easily. However, note that the keystore, configuration file, audit log, and debug log are still flat files.
Figure 3-1 Tivoli Key Lifecycle Manager components and resources
Tivoli Key Lifecycle Manager uses several other resources.
Configuration file
Tivoli Key Lifecycle Manager has an editable configuration file with additional configuration parameters that are not offered in the GUI. This file can be text-edited; however, the preferred method is to modify the file through the Tivoli Key Lifecycle Manager command-line interface (CLI). See “Starting the CLI on Microsoft Windows” on page 376.
We describe the installation, configuration, and configuration options of Tivoli Key Lifecycle Manager in Chapter 11, “Planning for Tivoli Key Lifecycle Manager and its keystores” on page 237.
Java security keystore
The keystore is defined as part of the Java Cryptography Extension (JCE) and an element of the Java Security components, which are, in turn, part of the Java Runtime Environment (JRE). A keystore holds the certificates and keys (or pointers to the certificates and keys) that are used by Tivoli Key Lifecycle Manager to perform cryptographic operations. A keystore can be either a hardware-based or software-based keystore.
Tivoli Key Lifecycle Manager supports several types of Java keystores, offering a variety of operational characteristics to meet your requirements.
Tivoli Key Lifecycle Manager on open systems supports the JCEKS keystore. This keystore supports both CLEAR key symmetric keys, and CLEAR key asymmetric keys. Symmetric keys are used for LTO 4 encrypting tape drives, and asymmetric keys are used for DS8000 and TS1100 tape drives.
We describe the characteristics of the keystores in detail in 14.3, “EKM and keystore considerations” on page 400 and “Keystores” on page 330.
Figure 3-1 labels (keystore and key server functions):
• Stores public/private key pairs
• Stores symmetric keys (LTO4)
• Generates Data Keys (DK)
• Wraps DKs into EEDK/SEDK
• Manages Data Key (DK) generation
• Manages key transfer to and from tape and disk devices
Cryptographic services
Tivoli Key Lifecycle Manager uses the IBM Java Security components for its cryptographic capabilities. Because Tivoli Key Lifecycle Manager does not itself implement cryptographic capabilities, it neither requires nor is eligible to obtain FIPS 140-2 certification. However, Tivoli Key Lifecycle Manager takes advantage of the cryptographic capabilities of the IBM Java Virtual Machine (JVM) in the IBM Java Cryptographic Extension component and allows the selection and use of the IBMJCEFIPS cryptographic provider, which has a FIPS 140-2 Level 1 certification.
By setting the FIPS configuration parameter to ON in the Configuration Properties file, either through text editing or by using the Tivoli Key Lifecycle Manager CLI, you can make Tivoli Key Lifecycle Manager use the IBMJCEFIPS provider for all cryptographic functions.
You can obtain more information about the IBMJCEFIPS provider, its selection, and its use at this website:
http://www.ibm.com/developerworks/java/jdk/security/50/FIPShowto.html
3.1.2 Key exchange
Tivoli Key Lifecycle Manager acts as a process awaiting key generation or key retrieval requests sent to it through a TCP/IP communication path between Tivoli Key Lifecycle Manager and the disk subsystem, the tape library, tape controller, tape subsystem, device driver, or tape drive. When a disk or tape drive writes encrypted data, it first requests an encryption key from Tivoli Key Lifecycle Manager. The tasks that Tivoli Key Lifecycle Manager performs upon receipt of the request differ for each device type.