Tips 1288

  • 8/9/2019 Tips 1288

    Implementing Disk Encryption on System x Servers with IBM Security Key Lifecycle Manager

    Lenovo Press Solution Guide

    Securing sensitive client and company data is becoming an IT task of paramount importance. Often organizations invest heavily in protection against network attacks, but fail to safeguard against the costly exposure that can result from the loss, replacement, redeployment, or retirement of disk drives. Other organizations invest in software-based encryption to secure their data, but receive limited protection at a great cost to performance.

    Self-encrypting drives (SEDs) can satisfy the requirement for data-at-rest security with cost-effective inline encryption without the performance tradeoff that is required by software-based encryption. The addition of IBM Security Key Lifecycle Manager (SKLM) allows for lower operating costs by streamlining the configuration and management of SED authentication through one SKLM interface that controls the authentication of several System x servers. Whether you want to protect personal data for legal requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), better secure banking information, or ensure the safety of company and employee records in an efficient manner, this IBM Redbooks Solution Guide provides an overview of how SEDs and SKLM can help accomplish that goal. Figure 1 shows the main components of an SKLM environment, which includes the following features:

    The interaction between SKLM and the RAID controller to exchange a hidden password.

    Verification of encryption keys between SEDs and the encryption-capable RAID controller to allow the system to boot and use the drives.

    Figure 1. Main components for SKLM and SED key exchange

    Did you know?

    The traditional methods of destroying and degaussing disk drives are not standardized and might not guarantee the destruction and protection of data, while overwriting data can take hours or days. SEDs adhere to a certified government standard, the Federal Information Processing Standards or FIPS 140-2 Security Requirements for Cryptographic Modules recognized by the US National Institute of Standards and Technology (NIST) and Canadian Communications Security Establishment (CSE). The standards assert that the encryption that is used by self-encrypting drives protects Sensitive but Unclassified and Protect Class Data.

    AES encryption ensures that sensitive data is safely stored while SEDs are in use. The data also is protected when SEDs are retired from use. When implemented, a solution that uses SEDs eliminates the need to recover lost or stolen drives, and end-of-life drives can be discarded or recycled without any need for costly or inefficient data destruction processes. With the addition of SKLM to the security solution, systems with SEDs become easier to track and maintain and the theft or loss of an entire server is no longer a data security issue because the SEDs cannot function without their SKLM authentication.

    Business value

    Independently, SEDs can add significant security value with minimal cost for any business that must protect its stored data without cumbersome processes for physical security and destruction of failed and retired drives.

    These SEDs include the following benefits:

    Inline hardware encryption ensures no performance degradation or risk of data loss because of operating system or software corruption.

    Instant secure erasure allows data to be cleared immediately by using encryption keys. Drives can then be safely reused, sold, or discarded or recycled.

    Even without performing a secure instant erasure, encryption ensures that data is protected if a drive is removed, stolen, or fails.

    An SED must be matched back to the same disk controller or data cannot be decrypted. Alternatively, the ability to back up a controller's media encryption keys allows for protection against server and disk controller failure so no SED data is lost.

    The Federally backed (FIPS: 140-2) data encryption standard provides confidence that erased, disposed of, or stolen drives cannot result in data exposure.

    SED encryption is always on, which means that self-encrypting capable drives, controllers, and servers can be purchased and used in default configurations with encryption enforcement off. When ready for encryption, turn on encryption at the controller for the wanted RAID arrays or virtual disks and continue with secure operation.

    Inline encryption eliminates the need for lengthy retroactive data encryption as is necessary with software encryption.

    Figure 2 shows the interaction between an SED and an encryption-capable RAID controller. At power-on, the encryption processor on the SED begins its key exchange with the RAID controller to ensure that they have matching keys and data can be safely decrypted for use by the server. After that key exchange is successful between the controller and the drive, the encryption processor provides unencrypted data to the server. If the key exchange is unsuccessful, the server boot is halted.

    Figure 2. Encryption key exchanges between drive and RAID controller

    When paired with IBM SKLM, SED management and deployment can be simplified. SKLM provides a low-touch, centralized way to manage the authentication exchanges with SEDs and includes the following benefits:

    With SKLM integration, no SED in the environment can be compromised, even if an entire server is stolen.

    Management of multiple SEDs, multiple encryption-enabled controllers, multiple encryption-enabled servers, even multiple platforms in one interface.

    Remote management of SEDs allows keys to be expired and reissued, and drives or servers to be securely retired or reused with only a connection to the System x server's Integrated Management Module (IMM).

    These concepts are shown in Figure 3.

    Figure 3. Encryption solution with SKLM for centralized management

    Solution overview and architecture

    A solution to centrally manage access to SEDs in System x servers by using IBM SKLM requires the following main components:

    IBM SKLM software

    The software must be installed on a supported operating system, but can be installed in a virtual instance of that operating system to use high availability safeguards and streamline backup methods. SKLM is a self-contained installer; the necessary components (including DB2 and WebSphere Application Server) are included.

    Supported System x server (or servers)

    At least one System x server that supports SEDs is required. To enable the server (or servers) to use external key management for SEDs, one Feature on Demand (FoD) activation key must be purchased for each server and applied to the servers' IMM.

    Supported RAID controller

    Specific RAID controllers support SEDs. Any server that uses SEDs must have those drives connected to an encryption-enabled RAID controller. The controller also might need a cache or RAID upgrade added to enable SED support. Some of these upgrades are no-charge.

    SEDs

    At least two SEDs are required to set up an encrypted solution on a virtual disk or RAID array of SEDs.

    Implementing a centrally managed SED solution is often easiest from the ground up. Figure 4 shows the components that interact at each stage of the configuration (top to bottom) from local encryption only to centrally managed encryption.

    Figure 4. Stages of an encryption solution and component communication

    Each stage features the following activities:

    1. Data is always being encrypted at the SED level. At first installation, the controller does not require a key exchange to enforce matching the SED to the controller and securing the system; therefore, no automatic protection is offered at this point.

    2. When disk encryption is enabled at the controller and virtual disks, SEDs must exchange an encryption password with the controller to allow data access, which protects data against drive theft and allows easy and secure retirement or reuse.

    3. With external key management enabled at the controller, the controller password exchange with the SEDs is no longer the only requirement for a server to boot and an SED's data to be accessed. The server's IMM now must complete a certificate and password exchange with a key management server for the SED to function.

    4. With the SKLM server in place, the server's IMM now completes a certificate exchange with SKLM. SKLM supersedes the authority of the controller and requires a network connection to the server's IMM upon start. SKLM then exchanges the encryption key (or keys) with the controller and protects against drive theft or retirement or reuse and server theft, retirement, and reuse.

    With centralized key management, the SKLM server and its database become critical components of the SED solution. The loss of SKLM results in the loss of access to the data on all SEDs it is managing. For this reason, it is critical that a backup or disaster recovery process is in place, and preferably high availability. The default SKLM license allows for the installation of two instances (one master and one clone). SKLM can replicate to up to three clone instances of the software with a System x environment. This limitation is based on the FoD limitation of the System x IMMs, not the SKLM clone maximum (which is five).
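
The dependency chain in the stages above, and why losing the key server locks every drive it manages, as an added example (not from this guide and not IBM or Lenovo code). It is a simplified Python model: `Drive`, `KeyServer`, `boot` and the `branch-01`/`branch-02` ids are hypothetical names, a SHA-256 keystream stands in for the drive's AES hardware, and a certificate id stands in for the IMM certificate exchange.

```python
import hashlib
import hmac
import os

def _xor_stream(key, data):
    """Toy SHA-256 counter-mode keystream standing in for the drive's AES engine."""
    pad = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(b ^ p for b, p in zip(data, pad))

class Drive:
    """Simplified SED: data is encrypted under a media key (MEK) that is
    stored on the drive only in wrapped form, under the authentication key."""
    def __init__(self, auth_key):
        self._mek = os.urandom(32)
        self._wrapped = _xor_stream(auth_key, self._mek)
        self._tag = hmac.new(auth_key, self._wrapped, hashlib.sha256).digest()
        self._blocks = b""
    def power_cycle(self):
        self._mek = None  # the plaintext MEK does not survive power-off
    def unlock(self, auth_key):
        tag = hmac.new(auth_key, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return False  # wrong key: the drive stays locked
        self._mek = _xor_stream(auth_key, self._wrapped)
        return True
    def _key(self):
        if self._mek is None:
            raise PermissionError("drive is locked")
        return self._mek
    def write(self, data):
        self._blocks = _xor_stream(self._key(), data)
    def read(self):
        return _xor_stream(self._key(), self._blocks)

class KeyServer:
    """Stand-in for the key manager: one authentication key per enrolled server."""
    def __init__(self, keys=None):
        self.keys = dict(keys or {})  # server certificate id -> authentication key
        self.reachable = True
    def enroll(self, cert_id):
        return self.keys.setdefault(cert_id, os.urandom(32))
    def fetch(self, cert_id):
        if not self.reachable:
            raise ConnectionError("key server unreachable")
        return self.keys[cert_id]  # KeyError: unknown or retired server

def boot(drive, server, cert_id):
    """Power on, ask the key server for this server's key, try to unlock the drive."""
    drive.power_cycle()
    try:
        key = server.fetch(cert_id)
    except ConnectionError:
        return "halted: no connection to key server"
    except KeyError:
        return "halted: key server holds no key for this server"
    return "booted" if drive.unlock(key) else "halted: key mismatch"

def run_scenarios():
    primary = KeyServer()
    drive = Drive(primary.enroll("branch-01"))  # constructed server ids and data
    primary.enroll("branch-02")
    drive.write(b"account ledger")
    clone = KeyServer(primary.keys)             # replicated copy of the key database
    out = {"normal": boot(drive, primary, "branch-01"),
           "wrong_server_key": boot(drive, primary, "branch-02")}
    primary.reachable = False                   # server removed from the network
    out["server_off_network"] = boot(drive, primary, "branch-01")
    primary.reachable, primary.keys = True, {}  # key database lost
    out["key_database_lost"] = boot(drive, primary, "branch-01")
    out["boot_from_clone"] = boot(drive, clone, "branch-01")
    out["data_after_recovery"] = drive.read()
    return out
```

`run_scenarios()` returns the boot outcome for each case; only the replicated copy of the key database brings the drive's data back after the primary loses its keys.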

    In the “Usage scenario” section, we build on the fundamentals that are shown in Figure 4 with an example of a customer production scenario.

    Usage scenario

    Many organizations must protect data on their disk drives that are in their data centers and in remote locations. Banking institutions provide an excellent example of businesses that benefit from local encryption authentication, but need a centralized authentication solution to operate efficiently and securely.

    Companies that provide banking servers often have servers in data centers and in local branches, both of which contain sensitive client data. The use of self-encrypting drives in each local branch with encryption enabled on the controller and its virtual disks protects against drive theft and provides easy disk retirement via secure instant erase. However, this solution still leaves clients vulnerable to server theft and presents a complex solution from a key management and backup standpoint. IBM SKLM can alleviate these problems by cryptographically securing data over the company network.

    To protect against server theft or allow for safe retirement or reuse of an entire server, SKLM requires a connection back to SKLM to access data and boot the server from SEDs. With centralized key authentication in place with SKLM, a server that is removed from the company network has the option to secure instant erase its drives upon boot only, which automatically protects sensitive data from being exposed. Also, SKLM now holds all of the data that must be managed and backed up without much more setup effort than a locally managed SED solution. With SKLM in place, backups are significantly simpler and server certificates or drive encryption keys can be removed safely when servers or drives must be retired.

    Figure 5 shows multiple bank branches that use servers with SEDs. Those servers connect to servers that are running SKLM in the corporate data centers to authenticate and allow access to the drive's data in the local branch. The use of SKLM clones to replicate data protects against the corruption or loss of an SKLM instance. In addition, the use of a clustered solution (such as a VMware vSphere High Availability setup with ESXi and vCenter) allows for resiliency to server failures or maintenance that can normally result in downtime for your SKLM solution. The example in Figure 5 also shows replication to a disaster recovery (DR) site for SKLM. This configuration is also strongly recommended because of the critical nature of the data that is stored by SKLM.

    Figure 5. SKLM banking example

    Integration and supported platforms

    Several IBM platforms support the use of many sizes and types of SEDs, not only System x: System z and System p, as well as multiple IBM storage platforms, including NAS, SAN, and tape storage. Each of these platforms is supported by SKLM to centrally manage the exchanges that are required for their encrypted drives in a similar fashion, and all from one interface.

    System x installation requirements

    The following components are required for a centrally managed encryption solution:

    IBM SKLM software

    At least one SED

    RAID controller supporting encryption

    System x server that supports encryption and FoD enablement key to activate external key management on that server

    The following SKLM hardware requirements must be met:

    System memory: 4 GB

    Processor speed: One 3.0 GHz CPU

    Disk space: 12 GB

    The following SKLM Windows operating systems are supported:

    Windows Server 2008 R2 Enterprise and Standard Editions

    Windows Server 2012 Standard Edition

    Windows Server 2012 R2 Standard Edition

    The following SKLM Linux operating systems are supported:

    SUSE Linux Enterprise Server (SLES) 11

    SUSE Linux Enterprise Server (SLES) 10

    Red Hat Enterprise Linux (RHEL) Server 6

    Red Hat Enterprise Linux (RHEL) Server 5

    Ordering information

    Ordering information is listed in the following tables.

    At the time of this writing, the System x server systems that are listed in Table 1 are supported for external key management.

    For more information about supported configurations, see the following ServerProven website:

    http://www.ibm.com/systems/info/x86servers/serverproven/compat/us/

    Table 1. Supported servers

    Server                            Machine Type
    System x3100 M5                   5457
    System x3250 M5                   5458
    System x3300 M4                   7382
    System x3500 M4                   7383
    System x3500 M4 (E5-xxxx V2)      7383, E5-xxxx V2
    System x3530 M4                   7160
    System x3530 M4 (E5-xxxx V2)      7160, E5-xxxx V2
    System x3630 M4                   7158
    System x3630 M4 (E5-xxxx V2)      7158, E5-xxxx V2
    System x3550 M4                   7914
    System x3550 M4 (E5-xxxx V2)      7914, E5-xxxx V2
    System x3550 M5                   5463
    System x3650 M4                   7915
    System x3650 M4 (E5-xxxx V2)      7915, E5-xxxx V2
    System x3650 M4 HD                5460
    System x3650 M5                   5462
    System x3750 M4                   8722/8733
    System x3750 M4                   8752/8718
    System x3850 X6/x3950 X6          3837
    NeXtScale nx360 M5                5465

    Table 2 lists the supported RAID adapters and the corresponding upgrades.

    For more information about the supported controllers and options, see the following ServerProven website:

    http://www.ibm.com/systems/info/x86servers/serverproven/compat/us/

    Table 2. Supported RAID adapters and the corresponding upgrades

    Option part number    Description

    Supported RAID adapters M5110
    81Y4481               ServeRAID M5110 SAS/SATA Controller for System x
    Onboard               ServeRAID M5110e SAS/SATA Controller for System x

    One of the upgrades below is required to support SEDs with the M5110 RAID controller
    81Y4544               ServeRAID M5100 Series Zero Cache/RAID 5 Upgrade for System x
    81Y4484               ServeRAID M5100 Series 512MB Cache/RAID 5 Upgrade for System x
    81Y4487               ServeRAID M5100 Series 512MB Flash/RAID 5 Upgrade for System x
    81Y4559               ServeRAID M5100 Series 1GB Flash/RAID 5 Upgrade for System x
    47C8670               ServeRAID M5100 Series 2GB Flash/RAID 5 Upgrade for System x

    Supported RAID adapters M5210
    46C9110               ServeRAID M5210 SAS/SATA Controller for System x
    Onboard               ServeRAID M5210e SAS/SATA Controller for System x

    One of the upgrades below is required to support SEDs with the M5210 RAID controller
    47C8708               ServeRAID M5200 Series Zero Cache/RAID 5 Upgrade for IBM Systems-FoD
    47C8656               ServeRAID M5200 Series 1GB Cache/RAID 5 Upgrade for IBM Systems
    47C8660               ServeRAID M5200 Series 1GB Flash/RAID 5 Upgrade for IBM Systems
    47C8664               ServeRAID M5200 Series 2GB Flash/RAID 5 Upgrade for IBM Systems
    47C8668               ServeRAID M5200 Series 4GB Flash/RAID 5 Upgrade for IBM Systems

    Supported RAID adapters M1215
    46C9114               ServeRAID M1215 SAS/SATA Controller for System x

    The upgrade below is required to support SEDs with the M1215 RAID controller
    46C9114               ServeRAID M1215 SAS/SATA Controller for IBM System x

    Table 3 lists the supported SEDs as of this writing. This rapidly growing list of devices should be considered as a subset of supported options only. For more information about the supported SEDs for a specific server model, see the following IBM ServerProven website:

    http://www.ibm.com/systems/info/x86servers/serverproven/compat/us/

    Table 3. Supported SEDs

    Option part number    Description
    90Y8944               IBM 146GB 15K 6Gbps SAS 2.5" SFF G2HS SED
    00AJ116               IBM 146GB 15K 6Gbps SAS 2.5" G3HS SED
    00NA281               IBM 300GB 15K 12Gbps SAS 2.5" G3HS 512e SED
    00NA286               IBM 600GB 15K 12Gbps SAS 2.5" G3HS 512e SED
    90Y8913               IBM 300GB 10K 6Gbps SAS 2.5" SFF G2HS SED
    00AJ106               IBM 300GB 10K 6Gbps SAS 2.5" G3HS SED
    90Y8908               IBM 600GB 10K 6Gbps SAS 2.5" SFF G2HS SED
    00AJ101               IBM 600GB 10K 6Gbps SAS 2.5" G3HS SED
    00NA291               IBM 600GB 10K 12Gbps SAS 2.5" G3HS 512e SED
    81Y9662               IBM 900GB 10K 6Gbps SAS 2.5" SFF G2HS SED
    00AJ076               IBM 900GB 10K 6Gbps SAS 2.5" G3HS SED
    00NA296               IBM 900GB 10K 12Gbps SAS 2.5" G3HS 512e SED
    00AD085               IBM 1.2TB 10K 6Gbps SAS 2.5" G2HS SED
    00AJ151               IBM 1.2TB 10K 6Gbps SAS 2.5" G3HS SED
    00NA301               IBM 1.2TB 10K 12Gbps SAS 2.5" G3HS 512e SED
    00NA476               IBM 1.8TB 10K 6Gbps SAS 2.5" G2HS 512e SED
    00NA306               IBM 1.8TB 10K 12Gbps SAS 2.5" G3HS 512e SED
    00W1533               IBM 2TB 7.2K 6Gbps NL SAS 3.5" G2HS SED
    00ML218               IBM 2TB 7.2K 6Gbps NL SAS 3.5" G2HS 512e SED
    00FN238               IBM 2TB 7.2K 12Gbps NL SAS 3.5" G2HS 512e SED
    00W1543               IBM 4TB 7.2K 6Gbps NL SAS 3.5" G2HS SED
    00ML223               IBM 4TB 7.2K 6Gbps NL SAS 3.5" G2HS 512e SED
    00FN248               IBM 4TB 7.2K 12Gbps NL SAS 3.5" G2HS 512e SED
    00ML228               IBM 6TB 7.2K 6Gbps NL SAS 3.5" G2HS 512e SED
    00FN258               IBM 6TB 7.2K 12Gbps NL SAS 3.5" G2HS 512e SED

    Not all drives are supported in all servers. For more information about the supported drives, see the ServerProven website.

    For more information about which drives are supported in a server, see the Configuration and Options Guide that is published quarterly and is available at this website:

    http://www.ibm.com/systems/xbc/cog/

    Related information

    For more information, see the following resources:

    IBM Redbooks: Centrally Managing Access to Self-Encrypting Drives in System x Servers Using IBM Security Key Lifecycle Manager, SG24-8247:
    http://www.redbooks.ibm.com/redpieces/abstracts/sg248247.html

    IBM Redbooks Product Guide: Self-Encrypting Drives for IBM System X, TIPS0761:
    http://www.redbooks.ibm.com/abstracts/tips0761.html?Open

    IBM Security Key Lifecycle Manager product page:
    http://www.ibm.com/software/products/en/key-lifecycle-manager/

    IBM Security Key Lifecycle Manager for System X services:
    http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=FY&infotype=PM&appname=STGE_QL_QL_USEN&htmlfid=QLF12409USEN&attachment=QLF12409USEN.PDF#loaded

    Notices

    Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any Lenovo intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any other product, program, or service. Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    Lenovo (United States), Inc.
    1009 Think Place - Building One
    Morrisville, NC 27560
    U.S.A.
    Attention: Lenovo Director of Licensing

    LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary. Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Any references in this publication to non-Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk. Any performance data contained herein was determined in a controlled environment. Therefore, the result obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

    © Copyright Lenovo 2015. All rights reserved.

    This document was created or updated on March 9, 2015.

    Send us your comments in one of the following ways:

    Use the online Contact us review form found at: ibm.com/redbooks

    Send your comments in an e-mail to: [email protected]

    This document is available online at http://www.ibm.com/redbooks/abstracts/tips1288.html.

    Trademarks

    Lenovo, For Those Who Do and the Lenovo logo are trademarks or registered trademarks of Lenovo in the United States, other countries, or both. These and other Lenovo trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by Lenovo at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of Lenovo trademarks is available on the Web at http://www.lenovo.com/legal/copytrade.html.

    The following terms are trademarks of Lenovo in the United States, other countries, or both:

    Advanced Settings Utility™, BladeCenter®, Bootable Media Creator™, Dynamic System Analysis™, eX5™, eXFlash™, FlashCache™, FlashCache Storage Accelerator™, Flex System™, Lenovo®, Lenovo(logo)®, ServeRAID™, ServerGuide™, ServerProven®, System x®, ToolsCenter™, UpdateXpress System Packs™, vNIC™, X5™, xSeries®

    The following terms are trademarks of other companies:

    Intel, Intel Xeon, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

    Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

    Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    Linux®, Intel Xeon®, Intel®, Windows®, Microsoft®

    Other company, product, or service names may be trademarks or service marks of others.