8/9/2019 Tips 1288
Implementing Disk Encryption on System x Servers with IBM Security Key Lifecycle Manager
Lenovo Press Solution Guide
Securing sensitive client and company data is becoming an IT task of paramount importance. Often organizations invest heavily in protection against network attacks, but fail to safeguard against the costly exposure that can result from the loss, replacement, redeployment, or retirement of disk drives. Other organizations invest in software-based encryption to secure their data, but receive limited protection at a great cost to performance.
Self-encrypting drives (SEDs) can satisfy the requirement for data-at-rest security with cost-effective inline encryption without the performance tradeoff that is required by software-based encryption. The addition of IBM Security Key Lifecycle Manager (SKLM) allows for lower operating costs by streamlining the configuration and management of SED authentication through one SKLM interface that controls the authentication of several System x servers. Whether you want to protect personal data for legal requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), better secure banking information, or ensure the safety of company and employee records in an efficient manner, this IBM Redbooks Solution Guide provides an overview of how SEDs and SKLM can help accomplish that goal. Figure 1 shows the main components of an SKLM environment, which includes the following features:
- The interaction between SKLM and the RAID controller to exchange a hidden password.
- Verification of encryption keys between SEDs and the encryption-capable RAID controller to allow the system to boot and use the drives.
Figure 1. Main components for SKLM and SED key exchange
Did you know?
The traditional methods of destroying and degaussing disk drives are not standardized and might not guarantee the destruction and protection of data, while overwriting data can take hours or days. SEDs adhere to a certified government standard, the Federal Information Processing Standards or FIPS 140-2 Security Requirements for Cryptographic Modules recognized by the US National Institute of Standards and Technology (NIST) and Canadian Communications Security Establishment (CSE). The standards assert that the encryption that is used by self-encrypting drives protects Sensitive but Unclassified and Protect Class Data.
AES encryption ensures that sensitive data is safely stored while SEDs are in use. The data also is protected when SEDs are retired from use. When implemented, a solution that uses SEDs eliminates the need to recover lost or stolen drives, and end-of-life drives can be discarded or recycled without any need for costly or inefficient data destruction processes. With the addition of SKLM to the security solution, systems with SEDs become easier to track and maintain and the theft or loss of an entire server is no longer a data security issue because the SEDs cannot function without their SKLM authentication.
Business value
Independently, SEDs can add significant security value with minimal cost for any business that must protect its stored data without cumbersome processes for physical security and destruction of failed and retired drives.
These SEDs include the following benefits:
- Inline hardware encryption ensures no performance degradation or risk of data loss because of operating system or software corruption.
- Instant secure erasure allows data to be cleared immediately by using encryption keys. Drives can then be safely reused, sold, or discarded or recycled.
- Even without performing a secure instant erasure, encryption ensures that data is protected if a drive is removed, stolen, or fails. An SED must be matched back to the same disk controller or data cannot be decrypted. Alternatively, the ability to back up a controller's media encryption keys allows for protection against server and disk controller failure so no SED data is lost.
- The Federally backed (FIPS: 140-2) data encryption standard provides confidence that erased, disposed of, or stolen drives cannot result in data exposure.
- SED encryption is always on, which means that self-encrypting capable drives, controllers, and servers can be purchased and used in default configurations with encryption enforcement off. When ready for encryption, turn on encryption at the controller for the wanted RAID arrays or virtual disks and continue with secure operation.
- Inline encryption eliminates the need for lengthy retroactive data encryption as is necessary with software encryption.
Figure 2 shows the interaction between an SED and an encryption-capable RAID controller. At power-on, the encryption processor on the SED begins its key exchange with the RAID controller to ensure that they have matching keys and data can be safely decrypted for use by the server. After that key exchange is successful between the controller and the drive, the encryption processor provides unencrypted data to the server. If the key exchange is unsuccessful, the server boot is halted.
Figure 2. Encryption key exchanges between drive and RAID controller
When paired with IBM SKLM, SED management and deployment can be simplified. SKLM provides a low-touch, centralized way to manage the authentication exchanges with SEDs and includes the following benefits:
- With SKLM integration, no SED in the environment can be compromised, even if an entire server is stolen.
- Management of multiple SEDs, multiple encryption-enabled controllers, multiple encryption-enabled servers, even multiple platforms in one interface.
- Remote management of SEDs allows keys to be expired and reissued, and drives or servers to be securely retired or reused with only a connection to the System x server's Integrated Management Module (IMM).
These concepts are shown in Figure 3.
Figure 3. Encryption solution with SKLM for centralized management
Solution overview and architecture
A solution to centrally manage access to SEDs in System x servers by using IBM SKLM requires the following main components:
IBM SKLM software
The software must be installed on a supported operating system, but can be installed in a virtual instance of that operating system to use high availability safeguards and streamline backup methods. SKLM is a self-contained installer; the necessary components (including DB2 and WebSphere Application Server) are included.
Supported System x server (or servers)
At least one System x server that supports SEDs is required. To enable the server (or servers) to use external key management for SEDs, one Feature on Demand (FoD) activation key must be purchased for each server and applied to the servers' IMM.
Supported RAID controller
Specific RAID controllers support SEDs. Any server that uses SEDs must have those drives connected to an encryption-enabled RAID controller. The controller also might need a cache or RAID upgrade added to enable SED support. Some of these upgrades are no-charge.
SEDs
At least two SEDs are required to set up an encrypted solution on a virtual disk or RAID array of SEDs.
Implementing a centrally managed SED solution is often easiest from the ground up. Figure 4 shows the components that interact at each stage of the configuration (top to bottom) from local encryption only to centrally managed encryption.
Figure 4. Stages of an encryption solution and component communication
Each stage features the following activities:
1. Data is always being encrypted at the SED level. At first installation, the controller is not requiring a key exchange to enforce matching the SED to the controller and securing the system; therefore, no automatic protection is offered at this point.
2. When disk encryption is enabled at the controller and virtual disks, SEDs must exchange an encryption password with the controller to allow data access, which protects data against drive theft and allows easy and secure retirement or reuse.
3. With external key management enabled at the controller, the controller password exchange with the SEDs is no longer the only requirement for a server to boot and an SED's data to be accessed. The server's IMM now must complete a certificate and password exchange with a key management server for the SED to function.
4. With the SKLM server in place, the server's IMM now completes a certificate exchange with SKLM. SKLM supersedes the authority of the controller and requires a network connection to the server's IMM upon start. SKLM then exchanges the encryption key (or keys) with the controller and protects against drive theft or retirement or reuse and server theft, retirement, and reuse.
With centralized key management, the SKLM server and its database become critical components of the SED solution. The loss of SKLM results in the loss of access to the data on all SEDs it is managing. For this reason, it is critical that a backup or disaster recovery process is in place, and preferably high availability. The default SKLM license allows for the installation of two instances (one master and one clone). SKLM can replicate to up to three clone instances of the software with a System x environment. This limitation is based on the FoD limitation of the System x IMMs, not the SKLM clone maximum (which is five).
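The following added example (not part of the original guide, and not IBM or Lenovo code) models the stages above as a simplified Python simulation to show which theft or loss scenario each stage covers, including loss of the key database. The Drive, Controller and KeyServer classes, the toy stream cipher standing in for the drive's AES hardware, the server names, and the sample data are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _xor_stream(key, data):
    # Toy stand-in for the drive's AES engine: SHA-256 in counter mode.
    pad = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(b ^ p for b, p in zip(data, pad))

class Drive:
    """Simplified SED: what is stored is always ciphertext under an internal key."""
    def __init__(self, data=b""):
        self._mek = os.urandom(32)   # media encryption key, never leaves the drive
        self._salt = os.urandom(16)
        self._verifier = None        # None = enforcement off (stage 1)
        self._stored = _xor_stream(self._mek, data)

    def enable_enforcement(self, password):
        self._verifier = hashlib.pbkdf2_hmac("sha256", password, self._salt, 10_000)

    def read(self, password=None):
        if self._verifier is not None:
            attempt = hashlib.pbkdf2_hmac("sha256", password or b"", self._salt, 10_000)
            if not hmac.compare_digest(attempt, self._verifier):
                return None          # exchange failed: the boot would halt here
        return _xor_stream(self._mek, self._stored)

    def instant_secure_erase(self):
        self._mek = os.urandom(32)   # old ciphertext can no longer be decrypted
        self._verifier = None

class KeyServer(dict):
    """Hypothetical stand-in for the central key manager's database."""
    reachable = True

class Controller:
    def __init__(self, server_id, key_server=None):
        self.server_id = server_id
        self.keys = {} if key_server is None else key_server  # local or central

    def secure(self, drive):
        self.keys[self.server_id] = os.urandom(16)
        drive.enable_enforcement(self.keys[self.server_id])

    def boot_read(self, drive):
        if not getattr(self.keys, "reachable", True):
            return None              # key manager unreachable: no unlock
        return drive.read(self.keys.get(self.server_id))

def theft_outcomes(secret=b"constructed sample: branch ledger"):
    """For each scenario, report whether the plaintext is recoverable."""
    sklm = KeyServer()
    local, central = Controller("branch-01"), Controller("branch-02", sklm)
    d1, d2, d4 = Drive(secret), Drive(secret), Drive(secret)
    local.secure(d2)
    central.secure(d4)
    out = {"stage1_drive_stolen": d1.read() == secret,
           "stage2_drive_stolen": d2.read() == secret,
           "stage2_server_stolen": local.boot_read(d2) == secret,
           "stage4_normal_boot": central.boot_read(d4) == secret}
    sklm.reachable = False           # server carried off the company network
    out["stage4_server_stolen"] = central.boot_read(d4) == secret
    sklm.reachable = True
    sklm.clear()                     # key database lost with no backup
    out["stage4_key_db_lost"] = central.boot_read(d4) == secret
    d2.instant_secure_erase()
    out["after_instant_erase"] = d2.read() == secret
    return out
```

Calling theft_outcomes() returns a dictionary of scenario names mapped to True (data exposed or accessible) or False (data protected or lost); the stage4_key_db_lost entry shows why the guide treats the key manager's backup as critical.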
In the “Usage scenario” section, we build on the fundamentals that are shown in Figure 4 with an example of a customer production scenario.
Usage scenario
Many organizations must protect data on their disk drives that are in their data centers and in remote locations. Banking institutions provide an excellent example of businesses that benefit from local encryption authentication, but need a centralized authentication solution to operate efficiently and securely.
Companies that provide banking servers often have servers in data centers and in local branches, both of which contain sensitive client data. The use of self-encrypting drives in each local branch with encryption enabled on the controller and its virtual disks protects against drive theft and provides easy disk retirement via secure instant erase. However, this solution still leaves clients vulnerable to server theft and presents a complex solution from a key management and backup standpoint. IBM SKLM can alleviate these problems by cryptographically securing data over the company network.
To protect against server theft or allow for safe retirement or reuse of an entire server, SKLM requires a connection back to the SKLM server to access data and boot the server from SEDs. With centralized key authentication in place with SKLM, a server that is removed from the company network has the option to secure instant erase its drives upon boot only, which automatically protects sensitive data from being exposed. Also, SKLM now holds all of the data that must be managed and backed up without much more setup effort than a locally managed SED solution. With SKLM in place, backups are significantly simpler and server certificates or drive encryption keys can be removed safely when servers or drives must be retired.
Figure 5 shows multiple bank branches that use servers with SEDs. Those servers connect to servers that are running SKLM in the corporate data centers to authenticate and allow access to the drive's data in the local branch. The use of SKLM clones to replicate data protects against the corruption or loss of an SKLM instance. In addition, the use of a clustered solution (such as a VMware vSphere High Availability setup with ESXi and vCenter) allows for resiliency to server failures or maintenance that can normally result in a downtime for your SKLM solution. The example in Figure 5 also shows replication to a disaster recovery (DR) site for SKLM. This configuration is also strongly recommended because of the critical nature of the data that is stored by SKLM.
Figure 5. SKLM banking example
Integration and supported platforms
Several IBM platforms support the use of many sizes and types of SEDs, not only System x: System z and System p, as well as multiple IBM storage platforms, including NAS, SAN, and tape storage. Each of these platforms is supported by SKLM to centrally manage the exchanges that are required for their encrypted drives in a similar fashion, and all from one interface.
System x installation requirements
The following components are required for a centrally managed encryption solution:
- IBM SKLM software
- At least one SED
- RAID controller supporting encryption
- System x server that supports encryption and FoD enablement key to activate external key management on that server
The following SKLM hardware requirements must be met:
- System memory: 4 GB
- Processor speed: One 3.0 GHz CPU
- Disk space: 12 GB
The following SKLM Windows operating systems are supported:
- Windows Server 2008 R2 Enterprise and Standard Editions
- Windows Server 2012 Standard Edition
- Windows Server 2012 R2 Standard Edition
The following SKLM Linux operating systems are supported:
- SUSE Linux Enterprise Server (SLES) 11
- SUSE Linux Enterprise Server (SLES) 10
- Red Hat Enterprise Linux (RHEL) Server 6
- Red Hat Enterprise Linux (RHEL) Server 5
Ordering information
Ordering information is listed in the following tables.
At the time of this writing, the System x server systems that are listed in Table 1 are supported for external key management.
For more information about supported configurations, see the following ServerProven website:
http://www.ibm.com/systems/info/x86servers/serverproven/compat/us/
Table 1. Supported servers
Server                           Machine Type
System x3100 M5                  5457
System x3250 M5                  5458
System x3300 M4                  7382
System x3500 M4                  7383
System x3500 M4 (E5-xxxx V2)     7383, E5-xxxx V2
System x3530 M4                  7160
System x3530 M4 (E5-xxxx V2)     7160, E5-xxxx V2
System x3630 M4                  7158
System x3630 M4 (E5-xxxx V2)     7158, E5-xxxx V2
System x3550 M4                  7914
System x3550 M4 (E5-xxxx V2)     7914, E5-xxxx V2
System x3550 M5                  5463
System x3650 M4                  7915
System x3650 M4 (E5-xxxx V2)     7915, E5-xxxx V2
System x3650 M4 HD               5460
System x3650 M5                  5462
System x3750 M4                  8722/8733
System x3750 M4                  8752/8718
System x3850 X6/x3950 X6         3837
NeXtScale nx360 M5               5465
Table 2 lists the supported RAID adapters and the corresponding upgrades.
For more information about the supported controllers and options, see the following ServerProven website:
http://www.ibm.com/systems/info/x86servers/serverproven/compat/us/
Table 2. Supported RAID adapters and the corresponding upgrades
Option part number   Description
Supported RAID adapters M5110
81Y4481              ServeRAID M5110 SAS/SATA Controller for System x
Onboard              ServeRAID M5110e SAS/SATA Controller for System x
One of the upgrades below is required to support SEDs with the M5110 RAID controller
81Y4544              ServeRAID M5100 Series Zero Cache/RAID 5 Upgrade for System x
81Y4484              ServeRAID M5100 Series 512MB Cache/RAID 5 Upgrade for System x
81Y4487              ServeRAID M5100 Series 512MB Flash/RAID 5 Upgrade for System x
81Y4559              ServeRAID M5100 Series 1GB Flash/RAID 5 Upgrade for System x
47C8670              ServeRAID M5100 Series 2GB Flash/RAID 5 Upgrade for System x
Supported RAID adapters M5210
46C9110              ServeRAID M5210 SAS/SATA Controller for System x
Onboard              ServeRAID M5210e SAS/SATA Controller for System x
One of the upgrades below is required to support SEDs with the M5210 RAID controller
47C8708              ServeRAID M5200 Series Zero Cache/RAID 5 Upgrade for IBM Systems-FoD
47C8656              ServeRAID M5200 Series 1GB Cache/RAID 5 Upgrade for IBM Systems
47C8660              ServeRAID M5200 Series 1GB Flash/RAID 5 Upgrade for IBM Systems
47C8664              ServeRAID M5200 Series 2GB Flash/RAID 5 Upgrade for IBM Systems
47C8668              ServeRAID M5200 Series 4GB Flash/RAID 5 Upgrade for IBM Systems
Supported RAID adapters M1215
46C9114              ServeRAID M1215 SAS/SATA Controller for System x
The upgrade below is required to support SEDs with the M1215 RAID controller
46C9114              ServeRAID M1215 SAS/SATA Controller for IBM System x
Table 3 lists the supported SEDs as of this writing. This rapidly growing list of devices should be considered as a sub-set of supported options only. For more information about the supported SEDs for a specific server model, see the following IBM ServerProven website:
http://www.ibm.com/systems/info/x86servers/serverproven/compat/us/
Table 3. Supported SEDs
Option part number   Description
90Y8944              IBM 146GB 15K 6Gbps SAS 2.5" SFF G2HS SED
00AJ116              IBM 146GB 15K 6Gbps SAS 2.5" G3HS SED
00NA281              IBM 300GB 15K 12Gbps SAS 2.5" G3HS 512e SED
00NA286              IBM 600GB 15K 12Gbps SAS 2.5" G3HS 512e SED
90Y8913              IBM 300GB 10K 6Gbps SAS 2.5" SFF G2HS SED
00AJ106              IBM 300GB 10K 6Gbps SAS 2.5" G3HS SED
90Y8908              IBM 600GB 10K 6Gbps SAS 2.5" SFF G2HS SED
00AJ101              IBM 600GB 10K 6Gbps SAS 2.5" G3HS SED
00NA291              IBM 600GB 10K 12Gbps SAS 2.5" G3HS 512e SED
81Y9662              IBM 900GB 10K 6Gbps SAS 2.5" SFF G2HS SED
00AJ076              IBM 900GB 10K 6Gbps SAS 2.5" G3HS SED
00NA296              IBM 900GB 10K 12Gbps SAS 2.5" G3HS 512e SED
00AD085              IBM 1.2TB 10K 6Gbps SAS 2.5" G2HS SED
00AJ151              IBM 1.2TB 10K 6Gbps SAS 2.5" G3HS SED
00NA301              IBM 1.2TB 10K 12Gbps SAS 2.5" G3HS 512e SED
00NA476              IBM 1.8TB 10K 6Gbps SAS 2.5" G2HS 512e SED
00NA306              IBM 1.8TB 10K 12Gbps SAS 2.5" G3HS 512e SED
00W1533              IBM 2TB 7.2K 6Gbps NL SAS 3.5" G2HS SED
00ML218              IBM 2TB 7.2K 6Gbps NL SAS 3.5" G2HS 512e SED
00FN238              IBM 2TB 7.2K 12Gbps NL SAS 3.5" G2HS 512e SED
00W1543              IBM 4TB 7.2K 6Gbps NL SAS 3.5" G2HS SED
00ML223              IBM 4TB 7.2K 6Gbps NL SAS 3.5" G2HS 512e SED
00FN248              IBM 4TB 7.2K 12Gbps NL SAS 3.5" G2HS 512e SED
00ML228              IBM 6TB 7.2K 6Gbps NL SAS 3.5" G2HS 512e SED
00FN258              IBM 6TB 7.2K 12Gbps NL SAS 3.5" G2HS 512e SED
Not all drives are supported in all servers. For more information about the supported drives, see the ServerProven website.
For more information about which drives are supported in a server, see the Configuration and Options Guide that is published quarterly and is available at this website:
http://www.ibm.com/systems/xbc/cog/
Related information
For more information, see the following resources:
- IBM Redbooks: Centrally Managing Access to Self-Encrypting Drives in System x Servers Using IBM Security Key Lifecycle Manager, SG24-8247: http://www.redbooks.ibm.com/redpieces/abstracts/sg248247.html
- IBM Redbooks Product Guide: Self-Encrypting Drives for IBM System X, TIPS0761: http://www.redbooks.ibm.com/abstracts/tips0761.html?Open
- IBM Security Key Lifecycle Manager product page: http://www.ibm.com/software/products/en/key-lifecycle-manager/
- IBM Security Key Lifecycle Manager for System X services: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=FY&infotype=PM&appname=STGE_QL_QL_USEN&htmlfid=QLF12409USEN&attachment=QLF12409USEN.PDF#loaded
Notices
Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any Lenovo intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any other product, program, or service. Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
Lenovo (United States), Inc.
1009 Think Place - Building One
Morrisville, NC 27560
U.S.A.
Attention: Lenovo Director of Licensing
LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary. Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Any references in this publication to non-Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk. Any performance data contained herein was determined in a controlled environment. Therefore, the result obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
© Copyright Lenovo 2015 All rights reserved
This document was created or updated on March 9, 2015.
Send us your comments in one of the following ways:
- Use the online Contact us review form found at: ibm.com/redbooks
- Send your comments in an e-mail to:
This document is available online at http://www.ibm.com/redbooks/abstracts/tips1288.html.
Trademarks
Lenovo, For Those Who Do and the Lenovo logo are trademarks or registered trademarks of Lenovo in the United States, other countries, or both. These and other Lenovo trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by Lenovo at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of Lenovo trademarks is available on the Web at http://www.lenovo.com/legal/copytrade.html.
The following terms are trademarks of Lenovo in the United States, other countries, or both:
Advanced Settings Utility™
BladeCenter®
Bootable Media Creator™
Dynamic System Analysis™
eX5™
eXFlash™
FlashCache™
FlashCache Storage Accelerator™
Flex System™
Lenovo®
Lenovo (logo)®
ServeRAID™
ServerGuide™
ServerProven®
System x®
ToolsCenter™
UpdateXpress System Packs™
vNIC™
X5™
xSeries®
The following terms are trademarks of other companies:
Intel, Intel Xeon, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Linux®, Intel Xeon®, Intel®, Windows®, Microsoft®
Other company, product, or service names may be trademarks or service marks of others.