In the IBM i 6.1 release, the ability to encrypt data on disk was introduced. This support allows you to encrypt your data on user and independent disk pools (“disk pools” is the term used in the graphical user interface; if you typically use green screen interfaces, auxiliary storage pools (ASPs) may be more familiar terminology.)
There are several reasons you may want to consider encrypting your data on disk:
- If you are using external storage, you may want to have the data encrypted so it cannot be viewed over the network when it is being written to or read from the external storage system.
- Similarly, if you are using data replication technologies to mirror your data for disaster recovery or high availability purposes, you may want your data to be encrypted to protect it during transmission in the cross-site mirroring environment.
- If you had a disk drive stolen, encrypted data on that disk would protect your data from being read.
However, disk encryption just ensures the data on the disk is encrypted. Disk encryption will NOT protect your data from misuse within your organization. Once the data is read from disk and loaded into memory, the data is available in the clear to the programs (and thus users) accessing that data.
To use disk encryption, you need to purchase and install Option 45, Encrypted ASP Enablement. When this option has been installed, it will make available to you the ability to encrypt data on your disk pools.
The user interface to specify that disk pools are to be encrypted is available through the IBM Navigator for I graphical user interface or through the Disk Management tasks within System Service Tools (SST); note however, that encrypted independent ASPs (IASPs) can only be configured through the graphical user interfaces.
In the 6.1 release, you specify that a disk pool is to be encrypted when you configure it and encryption cannot be turned off without recreating the disk pool (which means deleting it and creating it again). In the 7.1 release, IBM enhanced the disk encryption support so you can dynamically turn encryption on and off, but this can be a lengthy operation; turning encryption on means all the data in the disk pool must be encrypted. Likewise, turning encryption off means all data in the disk pool must be unencrypted. Once the disk pool is set up to use encryption, you can expect an increase in CPU consumption and additional memory requirements, but with proper planning, you should be able to achieve the same performance when encrypting you data as you had without encryption. The Performance Capabilities Reference reviews the performance characteristics of disk encryption.
This blog was just a high-level review of IBM i disk encryption. If you chose to learn more about encrypting your data on disk, be sure to read about master keys, understand key management, and be aware of important backup and recovery information, all of which is covered in the IBM i Information Center. Another useful reference is the Security Guide for IBM i, which also covers IBM i disk encryption.
This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.