IBM Support

ASP Encryption Basics

Troubleshooting


Problem

This document contains ASP Encryption Basics.

Resolving The Problem


There are two types of encryption as follows:

  1. Disk encryption using basic or independent ASP (Option 45)
  2. BRMS encrypted backup (if need to encrypt backup tapes) (Option 44)


Note: 5761SS1 Option 45 is not delivered with the standard set of media. It must be ordered, and will be delivered on an F2924_01 CD or can be downloaded from the ESS site. It has a tiered pricing model.

Basics for ASP Encryption:

o Requires IBM i V6R1M0 or above.
o Must have 57xx-SS1 Option 45 - Encrypted ASP Enablement installed.
o Reduces the need to sanitize disks.
o Protects transmitted data in a geo-mirrored environment.
o Provides data privacy in a SAN environment.
o Only basic ASPs (ASP numbers 2-32) and independent ASPs (ASP numbers 33-225) can be encrypted. The system ASP (ASP number 1) cannot be encrypted.
o Disk encryption uses AES with a 256-bit key in CBC mode.
o When you set up an encrypted disk pool, the system generates a data key, which encrypts the data written to that storage pool and decrypts data read from that storage pool. The data keys for independent storage pools are kept with the storage pool and are protected with the ASP master key. Basic ASPs are protected with a data key that is stored in the Licensed Internal Code. The ASP master key is not required for creating an encrypted user ASP; however, it is required to create an encrypted iASP.
o If you are creating an iASP, you must first set the ASP master key, which is used to protect the data in the independent auxiliary storage pool. There are three ways to set it. The first is iSeries Navigator: under Security and Cryptographic Services, you first load the key parts and then set the ASP master key. The second is the CL commands ADDMSTPART MSTKEY(*ASP) and SETMSTKEY MSTKEY(*ASP). The third is the APIs QC3LDMKP (Qc3LoadMasterKeyPart) and QC3SETMK (Qc3SetMasterKey).
o Prior to IBM i 7.1 Technology Refresh 7 (TR7), the only way to encrypt was during ASP creation. At 7.1 TR7 and above, ASP encryption can be stopped and started through Service Tools: http://www.redbooks.ibm.com/redbooks/pdfs/sg247858.pdf
  Encryption keys can also be changed in Service Tools at 7.1 TR7 and beyond.
o Creating an encrypted ASP takes two to three times longer than creating a non-encrypted ASP.
o Backups are slower because the data has to be decrypted before it is saved. Reference Section 15.18 of the IBM Power Systems Performance Capabilities Reference located at the following URL: http://www-03.ibm.com/systems/power/software/i/management/performance/resources.html

Note: Encryption of basic ASPs can be performed through green screen interfaces; however, encryption of independent ASPs can be performed only through graphical user interfaces (IBM Systems Director Navigator for i5/OS and System i Navigator).

Note: If the iASP being encrypted exists in a Cluster/PowerHA environment, the ADD and SET commands should be run identically on ALL nodes in the cluster that will be associated with that iASP.

o IBM i 7.1 TR6 and below: Disk encryption cannot encrypt existing disk pools or independent disk pools and cannot be turned off once a disk pool or independent disk pool has been created, even if Option 45 is removed from the system or partition.
o Any processing of encrypted data incurs a performance impact. The more encrypted data is processed, the larger the performance impact. Thus, while always securing your objects and the processing rights on those objects, you should encrypt only data that needs to be encrypted according to your security policies and performance requirements. Depending upon the amount of encrypted data being processed and the processor capacity you have, the performance impact could be close to negligible or significant.
o However, a drive can be moved or added to an unencrypted ASP. When a drive with encrypted data is added to the configuration of an unencrypted ASP, the data is zeroed and the encryption removed. When an encrypted drive is removed from an encrypted ASP and added to some other encrypted ASP, the data is zeroed and the original encryption removed, and then the new ASP's encryption and key are used.

As with all encryption and decryption, there is extra CPU consumption during the encryption/decryption process.
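As an added example that is not part of this IBM document, the following CL program carries out the second of the three methods described above for setting the ASP master key (the ADDMSTPART and SETMSTKEY commands), with error monitoring so that a failed key part load does not go unnoticed. The program name KEYSET and the passphrase values are placeholders; the PASSPHRASE parameter of ADDMSTPART is the standard one, not something the technote mentions. Per the cluster note above, in a Cluster/PowerHA environment the same program with the same passphrases would be run on every node that will be associated with the iASP.

```cl
             /* KEYSET: added example, not from the IBM technote.            */
             /* Loads two key parts and then sets the ASP master key with   */
             /* the CL commands named in the text.  The passphrases are     */
             /* placeholders; use the real ones, identically on every       */
             /* cluster node that will host the iASP.                       */
             PGM

             /* Load the first key part.  Each part is derived from its     */
             /* passphrase and accumulated into the pending ASP master key. */
             ADDMSTPART MSTKEY(*ASP) +
                        PASSPHRASE('FIRST-KEY-PART-PLACEHOLDER')
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

             /* Load the second key part.                                   */
             ADDMSTPART MSTKEY(*ASP) +
                        PASSPHRASE('SECOND-KEY-PART-PLACEHOLDER')
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

             /* Commit the pending parts as the current ASP master key.    */
             /* Only after this step can an encrypted iASP be created.      */
             SETMSTKEY  MSTKEY(*ASP)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

             SNDPGMMSG  MSG('ASP master key has been set.')
             RETURN

             /* Any CPF message from the commands above lands here.         */
 FAILED:     SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                        MSGDTA('ASP master key was not set; see job log') +
                        MSGTYPE(*ESCAPE)
             ENDPGM
```

The two ADDMSTPART calls can be split between two people so that no single person knows the whole passphrase set; the program is then run in two halves, and SETMSTKEY is issued only once all parts are loaded.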


For additional information on ASP encryption, refer to the following Redbook (Section 8):
http://www.redbooks.ibm.com/abstracts/sg247680.html?Open

For more information on security:
http://www.redbooks.ibm.com/abstracts/sg247399.html?Open


If you have problems creating an encrypted ASP, you should collect the output of DSMINFO -all.


Historical Number

516298314

Document Information

Modified date:
22 May 2024

UID

nas8N1013136