IBM Tape Encryption and TKLM v2.0.1
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
• TKLM v2.0.1 Enhancements
• Implementation Considerations
• Demo
IBM Tape Data Encryption
• LTO6 / LTO5 / LTO4 Tape Drive
  • Standard feature on all FC & SAS LTO6/5/4 Tape Drives
  • Supports “traditional” and “encrypted” modes of operation
• TS1140 / TS1130 / TS1120 Tape Drive
  • Standard feature on all new TS11xx Tape Drives
  • Supports “traditional” and “encrypted” modes of operation
• TKLM – Tivoli Key Lifecycle Manager
  • AIX, Sun, Linux, Windows and z/OS
  • Serves keys
• ISKLM – IBM Security Key Lifecycle Manager
  • z/OS Tivoli Key Lifecycle Manager
FIPS 140-2 Certification
• FIPS – Federal Information Processing Standard
• Cryptographic Service Providers – certified
  • CE2 Card
  • IBM Java Cryptographic Extensions (JCE)
• Tape Drives
  • TS1120 – Certified
  • TS1130 – Certified
  • TS1140 – In process
  • LTO4 – Certified
  • LTO5 – Certified
• http://csrc.nist.gov/groups/STM/cmvp/validation.html
Encryption Methods (diagram)
• Library-Managed (TS3500, TS3400, TS3310, TS3200, TS3100, 3494) – Policy
• System-Managed (z/OS, AIX, Solaris, Windows & Linux) – Policy
• Application-Managed (TSM, NBU, et al.) – Policy
Key server: Tivoli Key Lifecycle Manager
Library Managed Encryption Components (diagram)
• Open Systems Host – z/OS, AIX, Linux, Windows, Solaris – attached to the library drives over Fibre
• TKLM (Key Store, Crypto Services) reached over TCP/IP, either directly or through a Proxy
• TKLM/drive key exchange occurs over the LDI and TCP/IP paths
AME / LME Comparison
AME (Application-Managed Encryption)
• Allows TSM control
• Device Class
• 3584 Transparent Encryption feature code not required
• TKLM not required
LME (Library-Managed Encryption)
• Transparent to Backup application
• No TSM Admin required
• No TSM Upgrade required
• Keystore is encrypted
• FIPS 140-2 certified
• Will work with other end points: Tape, Disk, SAN, HBAs
• Keys encrypted in transit to tape drives
• Allows for separation of duties
• Not limited to TSM Backup/Archive only
System Managed Encryption Components – z/OS (diagram)
• z/OS host: Java Virtual Machine with ISKLM (Key Store, Crypto Services); DFSMS SMS Policy and Data Class; FICON/ESCON to the Control Unit and Fibre to the drives
• Host – AIX, Linux, Windows, Sun: TKLM (Key Store, Crypto Services), reached over TCP/IP and/or through a Proxy
• TKLM/drive key exchange occurs over the fibre and FICON/ESCON paths
• Encryption Policy defined by SMS policy, DD statement
System Managed Encryption – TS7700 (diagram)
• Host – z/OS, AIX, Linux, Windows, Sun, with TKLM (Key Store, Crypto Services) on the Network; FICON from host to TS7700, Fibre from TS7700 to the drives
• The proxy in the TS7700 provides the bridge between the drive FC and the network for TKLM exchanges.
• Encryption policy is based on Storage Pool, which is controlled through Advanced Policy Management (APM): Storage Group and Management Class
Symmetric Encryption
Private Key, Secret Key, Data Key
• User Data Encryption
• Keystore Encryption
• TKLM Backup Encryption
Asymmetric Encryption
Public Key, Public/Private Key Pair, Key Encrypting Key
• Drive authentication
• Session security
• Encrypting Data Keys
• SSL between TKLM and device
• SSL between TKLMs
• TKLM web GUI communications
TS11xx and LTO Encryption
• Built-in AES 256-bit data encryption engine
• Look-aside decryption & decompression help assure data integrity
• <1% performance and capacity impact
• Authentication: TKLM queries drive certificate and uses public key to authenticate exchanges
Diagram: data path through the drive – Host Interface (FC Port 0) → DMA Processor → Application Specific Integrated Circuit (Compression Code, Memory, AES Encryption / AES Decryption, Buffer) → ECC and Format Encoding → Read/Write Electronics → Read/Write Head → Tape Media. Data is clear through the host interface and compression stages and ciphertext from the AES engine onward; the Drive Firmware holds the drive's Private Key and a Drive Certificate with the Drive’s Public Key.
LTO Consortium based format
• Standard LTO media
• Entire volume is encrypted or non-encrypted
• Common scratch pool with full re-format between encrypted and non-encrypted
Diagram: cartridge memory; tape layout from BOT to EOT – Control Structures, Volume Label, Encrypted Host Records and/or File Marks, End of Data. Data area symmetric encryption: AES-256 with DK.
“KeyIdentifier”, generated from Key Label/Alias or provided by the application, is encoded in each Host Data Record & format recording element per LTO specification.
TS11xx Media Format Elements
• Standard 3592 media
• Entire volume is encrypted or non-encrypted
• Common scratch pool with full re-format between encrypted and non-encrypted
• Full support for wrapping keys
  • Simplifies key management and DR/BP scenarios
  • Two Wrapped Key Structures (EEDKs) may be active on a cartridge
Diagram: cartridge memory holds EEDK1/2; tape layout from BOT to EOT – EEDK1/2, Control Structures, Volume Label, Encrypted Host Records and/or File Marks, End of Data. Data area symmetric encryption: AES-256 with DK. EEDK1/2 “wrapped keys” KEK[DK]: asymmetric encryption RSA-2048 with KEK.
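The wrapped-key layout above, together with the “Encrypting Data Keys” use of asymmetric encryption listed under Asymmetric Encryption, as an added Go example that is not code from the slides or from IBM: one AES-256 data key is wrapped under two RSA-2048 KEK public keys into EEDK1 and EEDK2, and a DR site that holds only its own KEK private key still recovers the DK. OAEP padding with SHA-256, the KEK label names and the lookup of a private key by label are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EEDK models one of the two "wrapped key" structures in cartridge memory:
// the AES-256 data key (DK) encrypted under a KEK public key, tagged with the
// KEK label a key server uses to find the matching private key.
// RSA-2048 is from the slides; OAEP with SHA-256 is this example's assumption.
type EEDK struct {
	KEKLabel string
	Wrapped  []byte
}

// wrapDK builds one EEDK; the cartridge gets one per KEK, e.g. production and DR.
func wrapDK(label string, kek *rsa.PublicKey, dk []byte) (EEDK, error) {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dk, []byte(label))
	return EEDK{KEKLabel: label, Wrapped: w}, err
}

// unwrapDK recovers DK from the first EEDK whose KEK private key this key server
// holds, so a DR site without the production KEK still succeeds via EEDK2.
func unwrapDK(eedks []EEDK, held map[string]*rsa.PrivateKey) ([]byte, error) {
	for _, e := range eedks {
		if priv, ok := held[e.KEKLabel]; ok {
			return rsa.DecryptOAEP(sha256.New(), nil, priv, e.Wrapped, []byte(e.KEKLabel))
		}
	}
	return nil, errors.New("no EEDK on this cartridge matches a KEK held by this key server")
}

func main() {
	// Constructed KEK pairs and labels; in TKLM these live in the keystore.
	prodKEK, _ := rsa.GenerateKey(rand.Reader, 2048)
	drKEK, _ := rsa.GenerateKey(rand.Reader, 2048)
	dk := make([]byte, 32) // AES-256 data key the drive will encrypt with
	rand.Read(dk)
	eedk1, _ := wrapDK("PROD_KEK", &prodKEK.PublicKey, dk)
	eedk2, _ := wrapDK("DR_KEK", &drKEK.PublicKey, dk)
	cartridge := []EEDK{eedk1, eedk2}
	// The DR key server holds only its own private KEK.
	got, err := unwrapDK(cartridge, map[string]*rsa.PrivateKey{"DR_KEK": drKEK})
	fmt.Println("DR site recovered DK:", err == nil && string(got) == string(dk))
}
```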
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
• TKLM v2.0.1
• Implementation Considerations
• Demo
Tivoli Key Lifecycle Manager (TKLM)
• IBM Licensed Program
• Serves data keys to drive
  • TS11xx
  • LTO
  • DS8000
• Runs on the same or different server than the tape application
Diagram: TKLM on AIX or another OS, reached over IP; drives attached over Fibre Channel, SAS or FICON to hosts running other operating systems.
TKLM OS Support
• AIX 5.3 or later
• AIX 6.1 or later
• Red Hat Enterprise Linux 4.0 (32 bit)
• Red Hat Enterprise Linux 5.0 (32 bit and 64 bit)
• SuSE Linux 9 (32 bit)
• SuSE Linux 10 (32 bit and 64 bit)
• Solaris 9 Sparc
• Solaris 10 Sparc
• Windows Server 2003 (32 bit and 64 bit)
• Windows Server 2008 (32 bit and 64 bit)
• z/OS 1.9, 1.10, 1.11 (TKLM v1 only)
Release History
• EKM (z/OS and Open)
  • Sept 2006
  • Bundled with IBM Java
• TKLM 1.0 (z/OS and Open)
  • Nov 2008
  • DB2 and browser based GUI
• TKLM 2.0 (Open only)
  • Aug 2010
  • RBAC
  • KMIP 1.0
• ISKLM 1.1 (z/OS only)
  • Apr 2011
  • Built on EKM for z/OS
  • No DB2 or Websphere
  • New device support
  • Service path for EKM for z/OS
• TKLM 2.0.1
  • Oct 2012
  • Automatic cloning
  • KMIP 1.1
  • HSM support
Automated clone replication
• Up to 5 Clones
• Clones
  • Keystore
  • DB2 tables
  • Config file
• Replication is encrypted
• Master and clone systems must be identical
KMIP v1.1 support
Device Credentials – how does a consumer of keys identify itself?
• Serial number identifying the client or device
• Network address
• Instance or volume identifier
• Group
• Shared secret
Device Credentials are used:
• To help with PCI-DSS compliance: only serve keys to known devices
• For ease of deployment: certificates can be used as a right to connect rather than managing a certificate per device
Improved asymmetric key support
• Major contributions from PGP and RSA
• Will be the basis for managing the key material in certificates
Grouping of keys
• Default and fresh attributes now supported
• Useful for pools of shared media
• Useful for key rotation
TKLM Resources
• TKLM Website: www.ibm.com/software/tivoli/products/key-lifecycle-mgr
• TKLM Info Center
• TKLM Installation and Configuration Guide
• Flash Demos
  • Information Infrastructure Security with IBM
  • TKLM GUI demo
• TKLM Data Sheet
  • ftp://ftp.software.ibm.com/common/ssi/pm/sp/n/tid14031usen/TID14031USEN.PDF
• White Paper: Simplifying Key Management with Tivoli Key Lifecycle Manager
  • ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/tiw14026usen/TIW14026USEN.PDF
• Red Book: IBM System Storage Tape Encryption Solutions
  • http://www.redbooks.ibm.com/abstracts/sg247320.html?Open
• Red Paper: ISKLM for z/OS
  • http://www.redbooks.ibm.com/redpapers/abstracts/redp4646.html?Open
Today’s Cryptographic Environment (diagram)
Enterprise Cryptographic Environments: Production Database, eCommerce Applications, Disk Arrays, WAN, LAN, VPN, Backup Tape, Enterprise Applications, Business Analytics, Replica, Backup System, File Server, Staging, Portals, Dev/Test, Obfuscation, Backup Disk, Collaboration & Content Mgmt Systems, CRM, Email – each with its own separate Key Management System.
KMIP Overview
• Key Management Interoperability Protocol (KMIP)
• Key-management to encryption client protocol
• Enables key lifecycle management
  • Generation, submission, retrieval, and deletion
• Supports
  • Symmetric keys
  • Asymmetric keys
  • Digital certificates
• http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip
TKLM v2 Supported Devices
• IBM Tape Drives: LTO4 / LTO5 / LTO6; TS1120 / TS1130 / TS1140
• IBM Tape Libraries: TS3500, 3494, TS3400, TS3310, TS3200 / TS3100, TS2900
• Non-IBM Tape Libraries: Quantum (ADIC) i2000, Quantum (ADIC) i500
• IBM Disk Drives: DS8000, DS5000, DS3000
KMIP Supported Devices
• Emulex OneSecure HBAs
• Brocade (IBM OEM): IBM SAN32B-E4 (2498-E32), FC: 3895 – Encryption Blade
• NetApp: FAS2040, FAS3200, FAS6200
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
• Implementation Considerations
  • Design Considerations
  • TS3500 (3584) Implementation
• Demo
TKLM Design Considerations
• What Operating System?
• Server sizing?
• Dedicated Server or LPAR?
• Dedicated LPAR or Shared LPAR?
• TKLM – Local or Remote?
• How to implement HA?
• Moving keys offsite
• What to Encrypt?
• Key rotation?
• Number of Keys?
TKLM – What Operating System?
• AIX
• Linux
• Solaris
• Windows
• z/OS
Diagram: TKLM components – Keystore and Crypto Services, Drive Table, Configuration.
What Size Server?
• CPU
• Memory
• Disk
TKLM High Availability (diagram)
Two TKLM instances, each with its own Keystore and Crypto Services, Drive Table and Configuration.
Dedicated Server or LPAR? (diagram)
Options 1–4 show TKLM placed either on a server shared with Other Apps or the Tape Application, or on its own dedicated server or LPAR, relative to the Tape Application.
TKLM – Local or Remote? (diagram)
Option 1 and Option 2 show Tape Applications served by TKLM instances that are either local to the tape application server or remote from it.
TKLM Deployment – DR Site (diagram: Main Site, Disaster Recovery site, Second production site)
• Cold DR site:
  • 2:0, go to 0:2 after disaster
• Hot DR site:
  • 1:1 or 1:2 if you have high network availability
  • 2:1 or 2:2 if you have concerns about network outages
What to Encrypt?
• Selective Encryption
• Encrypt All
Key Rotation
• My_2012_Key, My_2013_Key, My_2014_Key
• My_1Q-2012_Key, My-2Q-2012-Key, My-3Q-2012-Key
Perform with Internal or External Resources?
• IBM Implementation Services for tape systems – tape encryption and key management
• Tasks Performed
  • Planning session meeting
  • Architecture and Design
  • Implementation
  • Procedure Development
  • Skills transfer
• IBM Benefits
  • Proven methodology
  • Support from IBM’s dedicated storage specialists
  • Basic skills instruction for client staff
  • Accelerated implementation
Agenda
• Tape Encryption Overview
• Tape Encryption Process
• Tape Encryption Implementation
  • Design Considerations
  • TS3500 (3584) Implementation
• Demo
TS3500 Library Implementation
• Install or upgrade tape drives
• Upgrade drive firmware
• Update TS3500 firmware
• Enable drives for encryption (LME)
  • Set up TKLM IP address
  • Update drive encryption method
  • Set up Barcode Encryption Policy (Optional)
  • Run Key Path Diagnostic Test
• Enable drives for encryption (SME)
  • Update drive encryption method