
IBM Tape Encryption Jeff Ziehm Storage Systems Advanced Technical Skills



Presentation Transcript


  1. IBM Tape Encryption – Jeff Ziehm, Storage Systems Advanced Technical Skills

  2. Accelerate with Americas Advanced Technical Skills webinars: a series of customer-directed, technically oriented 90-minute webinars on various storage topics
  • 2010 Classes
    • Tape Encryption with Tivoli Key Lifecycle Manager (TKLM)
    • TS7650 ProtecTier Solution Fundamentals
    • TS7700 Update – scheduled 10/12
    • IBM System Storage TS3500 Tape Library Update
    • Ten Things for the new TPC Administrator to do to make TPC 4.1.1 more useful
    • XIV Asynchronous Mirror
    • IBM Easy Tier Enables DS8700 Users to Optimize Use of Solid State Drives
    • Installing and Tailoring TPC Disk – Midrange Edition
  For further information and session notification please subscribe to the ATS blog: https://www.ibm.com/developerworks/mydeveloperworks/blogs/accelerate/?lang=en

  3. Agenda
  • Tape Encryption Overview
  • TKLM – Tivoli Key Lifecycle Manager
  • Implementation Considerations

  4. IBM Tape Data Encryption
  • LTO5 / LTO4 Tape Drive
    • Standard feature on all FC & SAS LTO5/4 Tape Drives
    • Supports “traditional” and “encrypted” modes of operation
  • TS1130 / TS1120 Tape Drive
    • Standard feature on all new TS1130 Tape Drives
    • Supports “traditional” and “encrypted” modes of operation
  • TKLM – Tivoli Key Lifecycle Manager
    • z/OS, AIX, Sun, Linux and Windows
    • Serves keys

  5. Library Managed Encryption Components – Open Systems Host
  • TKLM/drive key exchange occurs over the LDI and TCP/IP paths
  (Diagram: host on z/OS, AIX, Linux, Windows or Solaris running TKLM with its key store and crypto services; the library is reached over TCP/IP and the drives over LDI and Fibre; a second host variant reaches TKLM through a TCP/IP proxy)

  6. System Managed Encryption Components – z/OS
  • TKLM/drive key exchange occurs over the Fibre and FICON/ESCON paths
  • Encryption policy defined by SMS policy, DD statement
  (Diagram: z/OS host running TKLM in a Java Virtual Machine with key store and crypto services; DFSMS SMS policy and Data Class drive the request through the control unit over FICON/ESCON and Fibre; a remote TKLM on z/OS, AIX, zLinux, Linux, Windows or Sun is reached over TCP/IP and/or FICON/ESCON through a proxy)

  7. Symmetric Encryption – Private Key, Secret Key, Data Key
  • User Data Encryption
  • Keystore Encryption
  • TKLM Backup Encryption

  8. Asymmetric Encryption – Public Key, Public/Private Key Pair, Key Encrypting Key
  • Drive authentication
  • Session security
  • Encrypting Data Keys
  • SSL between TKLM and device
  • TKLM web GUI communications

  9. TS1130, TS1120, LTO5 and LTO4 Encryption
  • Built-in AES 256-bit data encryption engine
  • Look-aside decryption & decompression help assure data integrity
  • <1% performance and capacity impact
  • Authentication: TKLM queries drive certificate and uses public key to authenticate exchanges
  (Diagram: drive data path – FC ports, host interface, DMA processor, ASIC with compression code, AES encryption and AES decryption, buffer memory, ECC and format encoding, read/write electronics, read/write head, tape media; the drive firmware holds the drive's private key and the drive certificate carries the drive's public key; data is clear on the host side and ciphertext from the AES engine onward)

  10. LTO5/4 Encryption Process (SME or LME) – Write Request
  1) LTO5/4 receives mount request for write from BOT with encryption
  2) LTO5/4 initiates session with TKLM, passes session key to TKLM, requests Data Key (DK) or passes optional key label
  3) TKLM authenticates drive in drive table
  4) TKLM retrieves pre-generated AES-256 Data Key
  5) TKLM encrypts Data Key (DK) with drive session key to create the Session Encrypted Data Key (SEDK)
  6) TKLM passes the SEDK and the Data Key identifier (DKi) to the LTO5/4 tape drive
  7) LTO5/4 decrypts Data Key
  8) LTO5/4 encrypts data and writes data and DKi to cartridge
  (Diagram: Tivoli Key Lifecycle Manager backed by its key store and configuration files)

  11. TS1130/20 Encryption Process (SME or LME) – Write Request
  1) TS1130 / TS1120 receives mount request for write from BOT with encryption
  2) TS1130 / TS1120 initiates session with TKLM, passes session key to TKLM, requests Data Key (DK) and optionally passes key label
  3) TKLM authenticates drive in drive table
  4) TKLM generates AES-256 random Data Key (DK). TKLM retrieves public key (KEK) from keystore. TKLM wraps Data Key (DK) with public key to create EEDK
  5) TKLM encrypts Data Key (DK) with drive session key to create the Session Encrypted Data Key (SEDK)
  6) TKLM passes the EEDK & SEDK to the TS1130 / TS1120 tape drive
  7) TS1130 / TS1120 decrypts Data Key
  8) TS1130/20 writes EEDK on tape leader and CM. TS1130/20 encrypts & writes data to cartridge
  (Diagram: Tivoli Key Lifecycle Manager backed by its key store and configuration files)
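The two-layer wrapping of slides 10 and 11 as a runnable model, an added example that is not code from the deck or from IBM: the DK reaches the drive only as the SEDK (encrypted under the drive's session key) and, for TS1130/TS1120, also travels on the cartridge as the EEDK (wrapped with the RSA-2048 KEK public key), so a DR site holding the KEK private key can recover the DK without any session with the original drive. AES-GCM for the session-key layer and RSA-OAEP for the KEK layer are assumptions (the deck names no wrapping algorithms), and the session-key agreement and drive authentication of steps 2 and 3 are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

func must[T any](v T, err error) T { // abort on an unexpected crypto setup failure
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte { // n crypto/rand bytes: session keys, DKs, nonces
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// SealSEDK is step 5: TKLM encrypts the DK under the drive session key with
// AES-256-GCM, nonce prepended. GCM is an assumption; the deck names no mode.
func SealSEDK(sessionKey, dk []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(sessionKey))))
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, dk, nil)
}

// OpenSEDK is step 7 on the drive; a wrong session key or tampered SEDK fails the GCM tag.
func OpenSEDK(sessionKey, sedk []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(sessionKey))))
	if n := gcm.NonceSize(); len(sedk) >= n {
		return gcm.Open(nil, sedk[:n], sedk[n:], nil)
	}
	return nil, errors.New("SEDK shorter than GCM nonce")
}

// Exchange runs one TS1130 write-request flow and returns the DK the drive
// unwrapped from the SEDK and the DK a DR site recovered from the EEDK alone.
func Exchange() (driveDK, drDK []byte, err error) {
	kek := must(rsa.GenerateKey(rand.Reader, 2048)) // KEK pair in the TKLM keystore
	sessionKey, dk := random(32), random(32)         // step 2 session key, step 4 DK
	eedk := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &kek.PublicKey, dk, nil)) // step 4: EEDK for tape leader and CM
	sedk := SealSEDK(sessionKey, dk) // step 5: the SEDK goes only to this drive
	if driveDK, err = OpenSEDK(sessionKey, sedk); err != nil { // step 7
		return nil, nil, err
	}
	drDK, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, eedk, nil) // DR site: KEK private key only
	return driveDK, drDK, err
}
```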

  12. LTO5/4 Consortium based format
  • Standard LTO5/4 media
  • Entire volume is encrypted or non-encrypted
  • Common scratch pool with full re-format between encrypted and non-encrypted
  • Data area symmetric encryption AES-256 with DK
  • “KeyIdentifier” generated from Key Label/Alias or provided by the application is encoded in each Host Data Record & format recording element per LTO specification
  (Diagram: cartridge layout from BOT to EOT – cartridge memory, control structures, volume label, encrypted host records and/or file marks, end of data)

  13. TS1130 / TS1120 Media Format Elements
  • Standard 3592 media
  • Entire volume is encrypted or non-encrypted
  • Common scratch pool with full re-format between encrypted and non-encrypted
  • Full support for wrapping keys
    • Simplifies key management and DR/BP scenarios
  • Two Wrapped Key Structures (EEDKs) may be active on a cartridge
  • Data area symmetric encryption AES-256 with DK
  • EEDK1/2 “wrapped keys” KEK[DK] – asymmetric encryption RSA-2048 with KEK
  (Diagram: cartridge layout from BOT to EOT – cartridge memory, EEDK1/2, control structures, volume label, encrypted host records and/or file marks, end of data)

  14. Agenda
  • Tape Encryption Overview
  • TKLM – Tivoli Key Lifecycle Manager
    • TKLM v2
  • Implementation Considerations

  15. TKLM – Tivoli Key Lifecycle Manager
  • Follow-on to EKM (Encryption Key Manager)
  • AIX, Windows, Linux, Solaris
    • November 4, 2008 GA
  • z/OS
    • March 6, 2009 GA
  • EKM – functionally stabilized

  16. Tivoli Key Lifecycle Manager (TKLM)
  • IBM Licensed Program
  • Serves data keys to drive
    • TS1130 / TS1120
    • LTO5 / LTO4
    • DS8000
  • Runs on the same or different server than the tape application
  (Diagram: TKLM on an AIX or other OS host reached over IP; drives attached over Fibre Channel, SAS or FICON)

  17. IBM Tivoli Key Lifecycle Manager
  • Focused on device key serving
    • IBM encrypting tape – TS1120, TS1130, LTO5, LTO4
    • IBM encrypting disk – DS8000
  • Installer to simplify installation experience
    • Simple to use install for Windows, Linux, AIX, Solaris
    • z/OS SMP/E install with scripts for post install configuration
  • Designed to be easy to use
    • Graphical User Interface
  • Lifecycle functions
    • Automated key rotation
    • Notification of certificate expiration
  • Easy backup and restore of TKLM files
    • One button, single jar file

  18. TKLM OS Support
  • z/OS 1.9, 1.10, 1.11
  • AIX 5.3 or later
  • AIX 6.1 or later
  • Red Hat Enterprise Linux 4.0 (32 bit)
  • Red Hat Enterprise Linux 5.0 (32 bit and 64 bit)
  • SuSE Linux 9 (32 bit)
  • SuSE Linux 10 (32 bit and 64 bit)
  • Solaris 9 Sparc
  • Solaris 10 Sparc
  • Windows Server 2003 (32 bit and 64 bit)
  • Windows Server 2008 (32 bit and 64 bit)

  19. TKLM Resources
  • TKLM Website: www.ibm.com/software/tivoli/products/key-lifecycle-mgr
    • TKLM Info Center
    • TKLM Installation and Configuration Guide
  • Flash Demos
    • Information Infrastructure Security with IBM
    • TKLM GUI demo
  • TKLM Data Sheet
    • ftp://ftp.software.ibm.com/common/ssi/pm/sp/n/tid14031usen/TID14031USEN.PDF
  • White Paper: Simplifying Key Management with Tivoli Key Lifecycle Manager
    • ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/tiw14026usen/TIW14026USEN.PDF
  • Red Book: IBM System Storage Tape Encryption Solutions
    • http://www.redbooks.ibm.com/abstracts/sg247320.html?Open
  • Red Paper: TKLM for z/OS
    • http://www.redbooks.ibm.com/abstracts/redp4472.html?Open

  20. TKLM v2
  • Enhancements
    • Device Groups
    • Role Based Access Control
    • KMIP
    • Additional device support
    • UI Improvements
    • Not serving keys that are not backed up
    • Metadata command
    • Version command
  • Installation
  • Migration
    • From EKM
    • From TKLM v1

  21. TKLM V2 Constructs
  (Diagram) TIPAdmin side:
  • User Groups: klmSecurityOfficerGroup, LTOAdmin, LTOOperator
  • Roles: klmView, klmCreate, Device Group Name
  • Users: TKLMAdmin, User1 (user defined)
  Device side:
  • Device Groups, Devices, Certificates, Key Groups, Keys, Rollover Policy
  • RSA Key Pairs, Key Groups, Symmetric Keys

  22. Pre-defined Device Groups
  • LTO – LTO device family
  • TS3592 – 3592 device family
  • DS8000 – DS8000 device family
  • DS5000 – DS5000 device family
  • BRCD_ENCRYPTOR – BRCD_ENCRYPTOR device group
  • ONESECURE – ONESECURE device group
  • GENERIC – Objects in the GENERIC device family
  • Userdevicegroup – A user-defined instance such as myLTO that you manually create, based on a predefined device family such as LTO

  23. User Defined Device Groups
  • Subset of existing device families
    • LTO
    • 3592
    • DS5000
  • Unique key or key group
  • Unique rollover policy
  • Unique Key and Device Management page
  • klmAdminDeviceType role can create and delete new device groups
  • Every key group, certificate and device is associated with a device group

  24. Role Based Access Control
  • Device Groups
    • Pre-defined, e.g. LTO, TS3592
    • User defined, e.g. MyLTODrives
  • User Groups
    • Pre-defined, e.g. LTOAdmin
    • User defined
  • Users
    • TIPAdmin: controls Users, User Groups, and Roles
    • TKLMAdmin: controls Device Groups, Keys, Certificates
    • User defined
  • Permissions (Roles)

  25. Pre-defined User Groups
  • klmSecurityOfficerGroup
    • Permissions: klmSecurityOfficer, suppressmonitor
  • klmBackupRestoreGroup
    • Permissions: klmBackup, klmRestore, suppressmonitor
  • LTOAdmin
    • Permissions: LTO, klmCreate, klmModify, klmDelete, klmView, klmGet, klmAudit, klmBackup, klmConfigure, suppressmonitor
  • LTOOperator
    • Permissions: LTO, klmCreate, klmModify, klmDelete, klmView, klmBackup, suppressmonitor
  • LTOAuditor
    • Permissions: LTO, klmView, klmAudit, suppressmonitor

  26. Permissions
  • Super user permission
    • klmSecurityOfficer
  • Device group specific action permissions
    • klmView, klmCreate, klmModify, klmDelete, klmGet (to export a key or certificate)
  • Stand-alone permissions
    • klmAdminDeviceGroup (to create, view or delete a new device group), klmConfigure, klmBackup, klmRestore, klmAudit (to view audit data)
  • Permissions corresponding to device groups
    • Each pre-defined device group has a matching permission: LTO, TS3592, DS5000, DS8000, GENERIC, BRCD_ENCRYPTOR, ONESECURE
    • Permission for a new user-defined device group must be created manually using the TIP role management panel
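The permission model of slides 25 and 26 as a runnable check, an added example that is not code from the deck or from TKLM. The group permission lists are copied from slide 25; the rule that a device-group action needs both the action permission and the permission named after the target device group (so an LTOAdmin cannot touch TS3592 objects, nor a user-defined group such as MyLTODrives until its permission has been created) and that stand-alone permissions need no device group is my reading of slide 26. User names in the test are constructed.

```go
package main

// Permission sets of the pre-defined user groups, as listed on slide 25.
var groupPermissions = map[string][]string{
	"klmSecurityOfficerGroup": {"klmSecurityOfficer", "suppressmonitor"},
	"klmBackupRestoreGroup":   {"klmBackup", "klmRestore", "suppressmonitor"},
	"LTOAdmin": {"LTO", "klmCreate", "klmModify", "klmDelete", "klmView", "klmGet",
		"klmAudit", "klmBackup", "klmConfigure", "suppressmonitor"},
	"LTOOperator": {"LTO", "klmCreate", "klmModify", "klmDelete", "klmView",
		"klmBackup", "suppressmonitor"},
	"LTOAuditor": {"LTO", "klmView", "klmAudit", "suppressmonitor"},
}

// Device-group-specific actions (slide 26): valid only with the device-group permission.
var deviceGroupActions = map[string]bool{
	"klmView": true, "klmCreate": true, "klmModify": true, "klmDelete": true, "klmGet": true,
}

// Stand-alone permissions (slide 26): no device group involved.
var standalone = map[string]bool{
	"klmAdminDeviceGroup": true, "klmConfigure": true, "klmBackup": true,
	"klmRestore": true, "klmAudit": true,
}

// User is a TKLM user with its TIP user-group memberships.
type User struct {
	Name   string
	Groups []string
}

// has reports whether any of the user's groups carries the permission.
func (u User) has(perm string) bool {
	for _, g := range u.Groups {
		for _, p := range groupPermissions[g] {
			if p == perm {
				return true
			}
		}
	}
	return false
}

// Allowed applies the slide-26 model: the security officer may do anything; a
// device-group action needs both the action permission and the permission named
// after the device group (LTO, TS3592, ... or the manually created one for a
// user-defined group such as MyLTODrives); stand-alone actions need only their
// own permission; anything else (including unknown actions) is denied.
func Allowed(u User, action, deviceGroup string) bool {
	if u.has("klmSecurityOfficer") {
		return true
	}
	if deviceGroupActions[action] {
		return deviceGroup != "" && u.has(action) && u.has(deviceGroup)
	}
	return standalone[action] && u.has(action)
}
```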

  27. Default Users
  • TKLM installs two default users:
    • tipadmin: has TIP/WAS administrative authority
    • tklmadmin: is TKLM administrator, has klmSecurityOfficer role


  29. Today’s Cryptographic Environment – Enterprise Cryptographic Environments
  (Diagram: production database, eCommerce applications, disk arrays, WAN/LAN/VPN, backup tape, enterprise applications, business analytics, replica, backup system, file server, staging, portals, dev/test, obfuscation, backup disk, collaboration & content management systems, CRM and email, each with its own separate key management system)

  30. KMIP Overview
  • Key Management Interoperability Protocol (KMIP)
  • Key-management to encryption client protocol
  • Enables key lifecycle management
    • Generation, submission, retrieval, and deletion
  • Supports
    • Symmetric keys
    • Asymmetric keys
    • Digital certificates
  • http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip

  31. TKLM v2 Supported Devices
  • IBM Tape Drives: LTO4 / LTO5, TS1120 / TS1130
  • IBM Tape Libraries: TS3500, 3494, TS3400, TS3310, TS3200 / TS3100, TS2900
  • Non-IBM Tape Libraries: Quantum (ADIC) i2000, Quantum (ADIC) i500
  • IBM Disk Drives: DS8000, DS5000
  • KMIP Supported Devices: Emulex OneSecure HBAs; Brocade (IBM OEM) IBM SAN32B-E4 (2498-E32) FC 3895 – Encryption Blade

  32. TKLM Welcome Page

  33. Do not serve keys unless backed up
  • Prevent keys from being served for write requests until a backup is performed
  • Read requests are not affected
  • Prevents potential data loss
  • Configuration file, true/false
    • backup.keycert.before.serving
    • Default: true
  • Automatic backup script provided
    • At fixed intervals

  34. MetaData command
  • Adds meta data for existing asymmetric keys in the keystore
  • Shows up in TKLM as a new certificate
  • Only available through the CLI
    • tklmKeyStoreEntryMetaDataCreate
  • Uses
    • Quickly create meta data for existing keys (e.g. reusing existing keystore)
    • Previously, required to export from keystore and import into TKLM

  35. Version Command
  • Displays version of TKLM and associated middleware
    • TKLM Version
    • TKLM Build Level
    • Tivoli Integrated Portal version
    • Embedded Websphere Application Server version
    • Java version
    • DB2 version
    • IBM Deployment Engine version
  • Only available through CLI

  36. Syntax and Parameters
  • tklmVersionInfo()
  • There are no parameters
  • Required permission is klmConfigure

  37. Installation
  • Launch install by
    • install.exe (Windows)
    • install.sh (Unix and Linux)
  • 3 modes available: GUI, Console, Silent
  • Support for more languages

  38. Installation – continued
  • Bundled software:
    • DB2
      • DB2 v9.7 fp2 (Windows, AIX, Solaris, Linux)
      • DB2 v9.5 fp4 (SuSE9 and RHL4)
    • Tivoli Integrated Portal v1.1.1.2 plus TIP fixpack 1.1.1.11 which includes:
      • eWAS 6.1.0.29
      • Runtime Java 1.5 SR10a
      • DE (Deployment Engine) 1.4.0.6
      • WebSphere Update Installer v7.0.0.7

  39. Installation – continued
  • Disk space checking
  • DB2 improvements:
    • Detect all copies of DB2 9.5 or DB2 9.7 on appropriate platforms
    • User allowed to select from list of valid DB2 copies or install new copy
    • If DB2TKLMV2 copy name present on Windows this is used
  • Auto start eWAS and DB2
  • Windows start menu link for Tivoli Integrated Portal and DB2
  • TKLMAdmin panel to prompt for password for TKLMAdmin ID
  • Password for any TIP user cannot be saved in browser

  40. Migration to TKLM V2
  • EKM 2.1 to V2. If you are using earlier versions of EKM (1.0, 2.0) you must migrate to EKM 2.1 before migrating to TKLM V2.
  • TKLM V1 – V2
    • Apply TKLM V1 latest recommended fixpack (1.0.0.3) before starting migration.

  41. TKLM V1 to TKLM V2
  • Migration tool performs the following steps:
    • Validates V1 and V2 passwords
      • V1 tipadmin, database instance owner, V2 tipadmin, V2 tklmadmin
    • Migrates TKLMgrConfig.properties
    • Copies user keystore from V1 location to V2 location
      • If the keystore is located outside of V1 TIP, its location does not change after migration to V2.
    • Migrates the instance from DB2 V9.1 to DB2 V9.7
    • Migrates the database

  42. Pricing
  • TKLM pricing consists of three components
    • Server install
    • Encrypting device capacity measured in TBs (RVUs)
    • Service and support
  • Server install
    • No charge for warm backups or test instances
    • Does not include first two RVUs
    • Charge for secondary / DR copies if the tape libraries are configured to automatically failover and the secondary / DR TKLM is up and running

  43. Pricing – continued
  • Encrypting device capacity measured in TBs
    • Jag3 (3592-E06) = 1TB = 1 RVU
    • LTO5 = 1.5TB = 1 RVU (discounted)
    • LTO4 = 800GB = .8 RVU
    • Jag2 (3592-E05) = 700GB = .7 RVU
    • Optionally: 1 tape drive = 1TB = 1 RVU
      • Real physical tape drives
      • Not the number of cartridges
      • Not the amount of data
  • Service and support
    • Entitles customers to support
    • Also entitles customers to free upgrades
    • V2 is free for TKLM V1 customers who are current with support

  44. Agenda
  • Tape Encryption Overview
  • TKLM – Tivoli Key Lifecycle Manager
  • Implementation Considerations
    • Design Considerations
    • TS3500 (3584) Implementation

  45. TKLM Design Considerations
  • What Keystore?
  • What Operating System?
  • Dedicated Server or LPAR?
  • Dedicated LPAR or Shared LPAR?
  • TKLM – Local or Remote?
  • How to implement HA?
  • Moving keys offsite
  • What to Encrypt?
  • Key rotation?
  • Number of Keys?

  46. Choose Keystore

  47. TKLM – What Operating System?
  • AIX
  • Linux
  • Solaris
  • Windows
  • z/OS
  (Diagram: a TKLM instance holding the keystore and crypto services, the drive table and the configuration)

  48. What Size Server?
  • CPU
  • Memory
  • Disk

  49. TKLM High Availability
  (Diagram: two TKLM instances, each with its own keystore and crypto services, drive table and configuration)

  50. Dedicated Server or LPAR?
  (Diagram: four placement options mixing TKLM, other applications and the tape application on dedicated or shared servers/LPARs)
