File and Object Storage


SED Enhancements in Storage Scale System 7.0.0.0

By SAI VAMSEE KRISHNA LANKISETTI posted 27 days ago


Data security has become a top priority for organizations managing large-scale storage environments. Protecting data at rest without compromising performance or operational simplicity is essential in modern enterprise infrastructures. Self-Encrypting Drives (SEDs) play a critical role in achieving this goal: the drive encrypts every block with a media encryption key that never leaves the drive, so the encryption runs in hardware with minimal performance overhead.

With the release of IBM Storage Scale System 7.0.0.0, SED support has been significantly enhanced. This release introduces broader drive coverage, expanded key-management options, and improved flexibility, enabling organizations to deploy enterprise-grade encryption more easily across diverse storage environments.

In this blog, we explore what’s new in SED support in Storage Scale System 7.0.0.0, how these enhancements strengthen data protection strategies, and the key considerations for enabling them successfully.

What’s New in SED Support in Storage Scale System 7.0.0.0?

Storage Scale System 7.0.0.0 expands SED capabilities across three major areas:

  • FCM SED support introduced
    (Starting with FCM4 drives running firmware 4.4.4.122 or later)

  • New key server support
    Thales CipherTrust Manager (CTM) versions 2.5.x and 2.8+

  • TPM-based SED support extended to Storage Scale System 3500
    (Requires RHEL 9.x or later)

FCM SED Support

One of the most significant enhancements in Storage Scale System 7.0.0.0 is the introduction of SED support for Flash Core Modules (FCMs). Previously, SED functionality was limited to HDDs and NVMe drives. This release extends SED support to FCMs, enabling data-at-rest protection across all major drive types in the system.

SED support for FCMs is available starting with FCM4 drives running firmware version 4.4.4.122 or higher, allowing organizations to encrypt high-performance flash storage without a measurable impact on workload performance.

Flexible Key Server Support

FCM-based SEDs can be enabled using multiple key management solutions, including:

  • Guardium Key Lifecycle Manager (GKLM)

  • Thales CipherTrust Manager (CTM)

  • Trusted Platform Module (TPM)

This multi-vendor flexibility allows organizations to align encryption deployments with existing security architectures and compliance requirements.

Seamless Key Server Switching

Storage Scale System supports non-disruptive switching between key servers, enabling transitions between GKLM, CTM, and TPM without downtime. This capability is particularly valuable during infrastructure migrations or key-management consolidation efforts.

Non-Disruptive SED Migration

SED migration is fully supported on systems with active workloads. Organizations can enable encryption on existing deployments without downtime or data loss, making it easy to retrofit encryption into production environments.

Drive Reuse and Lifecycle Management

If a drive has been crypto-erased, it must be formatted before reuse. Crypto-erase discards the drive's media encryption key, so the previous contents are no longer recoverable; formatting then initializes the drive for its new workload, enabling secure repurposing of hardware across environments.

New Key Server: Thales CipherTrust Manager (CTM)

Storage Scale System 7.0.0.0 adds Thales CipherTrust Manager (CTM) to its roster of supported key servers, complementing existing support for GKLM and TPM. This allows organizations to align storage security with their existing enterprise key management infrastructure.

  • Supported Versions: CTM v2.5.x and v2.8 or later.
  • Seamless Switching: Organizations can switch between GKLM, CTM, and TPM key servers without downtime or service restarts.
  • Consistent Configuration: Configuring CTM on the Storage Scale System mirrors the key-server setup of Storage Scale encryption itself. Users create the RKM.conf configuration file with the required (restrictive) permissions and distribute it to all relevant nodes. The permissions matter because RKM.conf carries the credentials the nodes use to authenticate to the key server.
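The following script is an added example, not code from the IBM post or the product: it sanity-checks a copy of RKM.conf before it is distributed to the other nodes, rejecting a file whose mode is more permissive than 600/400 or whose key server URIs are not TLS endpoints. The stanza keys (type, kmipServerUri, keyStore, passphrase, clientCertLabel) follow the Storage Scale RKM.conf layout as I know it; the sample stanza, the host name and the keystore path are constructed placeholders for this example, and `rkm_check`/`write_sample_rkm` are helper names of my own.

```shell
#!/bin/sh
# Added example (not IBM's code): check an RKM.conf copy before distributing it.
#   1. the file mode must be 600 or 400 (it carries the client keystore passphrase);
#   2. every kmipServerUri must point at a tls:// endpoint, never tcp://.
# Assumptions: stanza keys follow the Storage Scale RKM.conf layout; the sample
# stanza below is constructed for this example and uses placeholder names.

rkm_check() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "rkm_check: $f does not exist" >&2
        return 1
    fi
    # Octal mode: GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "rkm_check: $f mode $mode is too permissive (want 600)" >&2; rc=1 ;;
    esac
    # Extract every kmipServerUri value and reject anything that is not tls://.
    for uri in $(sed -n 's/^[[:space:]]*kmipServerUri[[:space:]]*=[[:space:]]*//p' "$f"); do
        case "$uri" in
            tls://*) ;;
            *) echo "rkm_check: $f: non-TLS key server URI $uri" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Write a constructed RKM.conf stanza (placeholder host and paths) to $1, mode 600.
write_sample_rkm() {
    ( umask 077; cat > "$1" <<'EOF'
ctmserver {
    type = KMIP
    kmipServerUri = tls://ctm.example.internal:5696
    keyStore = /var/mmfs/etc/RKMcerts/ctm-client.p12
    passphrase = replace-me
    clientCertLabel = ess-client
}
EOF
    )
    chmod 600 "$1"
}

# Stand-alone demonstration: the sample passes, a loosened copy is rejected.
demo_tmp=$(mktemp)
write_sample_rkm "$demo_tmp"
if rkm_check "$demo_tmp"; then echo "sample RKM.conf: OK"; fi
chmod 644 "$demo_tmp"
if ! rkm_check "$demo_tmp"; then echo "sample RKM.conf after chmod 644: rejected"; fi
rm -f "$demo_tmp"
```

Run `rkm_check /var/mmfs/etc/RKM.conf` on the node where the file was authored before copying it out; the check deliberately stops at the file itself and does not try to contact the key server, so it can run on a node that is not yet enrolled.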

TPM-Based SED Support for Storage Scale System 3500

Storage Scale System 7.0.0.0 extends TPM-based SED support to the Storage Scale System 3500, bringing cost-effective encryption to mid-range deployments. TPM-based SED support was originally introduced in version 6.2.2.0 for the Storage Scale System 6000, and this expansion makes the feature accessible to a broader range of customers.

Cost-Effective Encryption for the 3500

Unlike external key server solutions such as GKLM or CTM, TPM-based SED uses the Trusted Platform Module built into the server hardware. This eliminates the need for additional key management infrastructure or licensing, making encryption more affordable and easier to deploy.

Hardware-Based Encryption at Rest

With TPM-based SED enabled, all drives attached to Storage Scale System 3500 nodes are encrypted with AES-256 in drive hardware, protecting sensitive data if drives are lost or physically removed.

Simplified Key Management

Encryption keys are stored within the TPM hardware on each node. This localized key management model reduces operational complexity and administrative overhead by removing the need for external key servers. The trade-off is that key availability is tied to the node hardware, which is why the backup copy described below exists.

Operating System Requirements

TPM-based SED support on Storage Scale System 3500 requires a minimum of RHEL 9.x. This ensures compatibility with modern cryptographic standards and provides the necessary kernel-level TPM support.

TPM Key Backup and Restore for High Availability

To enhance resiliency, Storage Scale System 3500 supports creating a third copy of the encryption key and storing it in the Utility Node's TPM via EMS. This protects against the rare scenario in which both canisters and their TPMs fail simultaneously.

Key backup and restore operations are performed using:

  • esstpmkey backup

  • esstpmkey restore

These commands are executed from the EMS VM node, ensuring encryption keys remain accessible even during disaster recovery scenarios.

Resources and Documentation

For detailed guidance on enabling and managing SEDs in Storage Scale System 7.0.0.0, refer to the following resources:
