This document discusses IBM's data encryption solutions, including symmetric and asymmetric encryption methods. It describes IBM's Encryption Key Manager and Tivoli Key Lifecycle Manager products for managing encryption keys. The document also outlines how IBM implements encryption on its tape drives and disk storage systems, such as the TS1120 tape drive, DS5000, and DS8000 storage systems, using these key management solutions to encrypt and decrypt data.

1. IBM System Storage Data
Encryption
Presented By : Esmaeil Zarrinfar
zarrinfar@gmail.com

2. Topic
 Data Encryption
 Definition
 Symmetric key encryption
 Asymmetric key encryption
 Hybrid encryption
 Digital certificates
 Key Management
 Encryption Key Manager
 Tivoli Key Lifecycle Manager
 IBM Tape Drive & Disk System Encryption
 IBM Tape Drive TS1120 & TS1130 & LTO Model
 IBM Disk System DS5000 & DS8000
 References
2

3. Data Encryption
Definition
 Encryption transforms data that is unprotected, or plain text, into
encrypted data, or cipher text, by using a key.
 IBM invented one of the first computer-based algorithms, Data
Encryption Standard (DES), in 1974.
 With the advances in computer technology, DES is now considered
obsolete.
 Today :Triple DES (TDES) and Advanced Encryption Standard (AES)
 Early encryption methods used the same key to encrypt clear text
to generate cipher text and to decrypt the cipher text to
regenerate the clear text. This method is called symmetric
encryption.
 asymmetric encryption algorithms use separate keys for
encryption and decryption
3

4. Data Encryption
Symmetric Key Encryption
4

5. Data Encryption
Symmetric Key Encryption
Known As private or secret key encryption.
The Symmetric key encryption method uses one
key for encrypting and decrypting data.
Well-known symmetric key examples include AES,
Twofish, Blowfish, Serpent, Cast5, DES,TDES, and IDEA
Adv  Symmetric Key Proccess is Very Fast.
Adv  Symmetric Key length is short.
DisAdv  Way that keys are exchanged
DisAdv  Number of required keys
5

6. Data Encryption
Symmetric Key Encryption
6

7. Data Encryption
Asymmetric Key Encryption
 Known As public-private key encryption or public key encryption.
 The asymmetric key encryption method uses key pairs for encrypting
and decrypting data.
 One key is used to encrypt the data, and the other key is used to
decrypt the data
 Public key used to encrypt the data.
 Private key used to decrypt the data.
 Well-known Asymmetric key examples include RSA, Diffie-Hellman,
Elliptic curve , cryptography (ECC), and ElGamal.
 Adv  The ability to share secret data without sharing the same
encryption key.
 DisAdv  Asymmetric key encryption is computationally more
intensive and therefore significantly slower than symmetric key
encryption.
7

8. Data Encryption
Symmetric Key Encryption
8

9. Data Encryption
Hybrid Encryption
 Hybrid encryption is combine symmetric and asymmetric encryption.
 Hybrid methods use a symmetric data key to actually encrypt and decrypt data.
 The recipient is able to decrypt the encrypted data key and use the data key to
encrypt or decrypt a message.
 Adv  Secure and Convenient key exchange with fast and efficient encryption
9

10. IBM Key Management methods
Encryption challenges
 Key security :
 To preserve the security of encryption keys, the implementation
must ensure that no one individual (system or person) has
access to all the information required to determine the
encryption key.
 Key availability :
 To preserve the access to encryption keys, many techniques can
be used in an implementation to ensure that more than one
agent has access to any single piece of information necessary to
determine an encryption key.
 Solution :
 A key server is integrated with encrypting storage products to
resolve most of the security and usability issues associated with
key management for encrypted storage
10

11. IBM Key Management methods
 Key security :
 To preserve the security of encryption keys, the implementation
must ensure that no one individual (system or person) has
access to all the information required to determine the
encryption key.
 Key availability :
 To preserve the access to encryption keys, many techniques can
be used in an implementation to ensure that more than one
agent has access to any single piece of information necessary to
determine an encryption key.
 Solution :
 A key server is integrated with encrypting storage products to
resolve most of the security and usability issues associated with
key management for encrypted storage
 IBM Tivoli Key Lifecycle Manager and Encryption Key Manager
11

12. IBM Key Management methods
IBM Encryption Key Manager
12

13. IBM Key Management methods
IBM Encryption Key Manager
EKM is a Java software which works as a external program.
EKM works on IBM encryption-enabled Tape Drive Like TS1120
and Tape-Open (LTO) Ultrium 4.
EKM is providing, protecting, storing, and maintaining encryption
keys that are used to encrypt information being written to, and
decrypt information being read from, tape media.
There are three methods of encryption management from which
to choose. These methods differ in where you choose to locate
your Encryption Key Manager application
The EKM does not perform any cryptographic operations, such as
generating encryption keys, and it does not provide storage for
keys and certificates.
To perform these tasks, Encryption Key Manager has to rely on
external components.
13

14. IBM Key Management methods
IBM Encryption Key Manager - Component
• The tape drive table is used by EKM to track the tape devices that it
supports.
• The configuration file is an editable file that tells your EKM how to operate.
• A keystore holds the certificates and keys used by EKM to perform
cryptographic operations.
• EKM uses the IBM Crypto Services for its cryptographic capabilities.
14

15. IBM Key Management methods
IBM Tivoli Key Lifecycle Manager
15

16. IBM Key Management methods
IBM Tivoli Key Lifecycle Manager
Announce in 2008.
EKM works on IBM encryption-enabled such as the IBM
System Storage DS8000 Series family and the IBM
encryption-enabled tape drives (TS1130 and TS1040).
TKLM provides, protects, stores, and maintains encryption
keys that are used to encrypt information being written to,
and decrypt information being read from, an encryption-
enabled disk.
Two Tivoli Key Lifecycle Manager key servers provide
redundancy.
Tivoli Key Lifecycle Manager communicates with the
managed storage devices using TCP/IP.
Tivoli Key Lifecycle Manager is supported on a variety of
operating systems.
16

17. IBM Tape Drive & Disk System Encryption
DS 5000DS 8000
LTO Ultrim
TS 1120
IBM Disk systems
IBM Tape drives
17

18. IBM Tape Drive & Disk System Encryption
IBM TS1120 , TS1130 and LTO Tape Drives Encryption Diagram
18

19. IBM Tape Drive & Disk System Encryption
IBM DS 5000 Disk Storage Encryption Diagram
19

20. IBM Tape Drive & Disk System Encryption
Unauthorized access to the drive results
20

21. IBM Tape Drive & Disk System Encryption
IBM DS 8000 Disk Storage Encryption Diagram
21

22. IBM Tape Drive & Disk System Encryption
IBM DS 8000 Disk Storage Encryption Diagram
22

23. IBM Tape Drive & Disk System Encryption
IBM DS 8000 Disk Storage Encryption Diagram
23

24. References
1. IBM Storage Data Encryption Solutions - IBM Redbooks
2. IBM System Storage Tape Encryption Solutions
3. IBM System Storage Product Guide
4. IBM Security Key Lifecycle Manager
5. Using IBM Tivoli Key Lifecycle Manager: Business Benefits
and Architecture Overview
24