IBM i Security and Vulnerabilities User Group

IBM i Security and Innovation

  • 1.  Performance impact on IBM i with Disk Encryption

    Posted Thu October 24, 2024 03:35 AM

    Hi IBMi guys, do you have experience with IBMi disk encryption? Due to NIS2 compliance, a customer is looking for a way to encrypt the data disk on IBMi.

    There are several ways to do it, via software solutions like Fortra or Raz-Lee suite or 5770-SS1 Option 45 - Encrypted ASP and hardware features like a coprocessor or 5770-SS1 Option 45 - Encrypted ASP.

    I did some POCs on test customer environments but not in production. Do you have experience or suggestions related to the performance issues?

    Some software products use a mono-thread approach and can be a problem for IFS data encryption and use exit point technologies.

    Have a good day. 



    ------------------------------
    Luca Maurizio Verzicco
    IBMi Service and PreSales Manager
    S2E - Solution to Enterprise
    Milano - Italy
    +39 380 6570039
    ------------------------------


  • 2.  RE: Performance impact on IBM i with Disk Encryption

    Posted Thu October 24, 2024 07:40 AM
    Edited by Rohit Chauhan Thu October 24, 2024 07:40 AM

    Hello,

    I have worked on a similar project for a customer in the past, so I am sharing my feedback. As you know, there are many options available to encrypt the disks on IBM i. The main point to note with 5770SS1 Option 45 is that it will most likely generate overhead, and you might need to add more memory and processor in addition to what is assigned today. It also depends on the type of application used by the customer. If the system is already running an application doing high transactions or data exchange, then it is worth considering more resource planning from the beginning. The more encrypted data processing is taking place, the higher the performance impact will be. I don't recall having issues with the exit points, but if you are using any third-party product, please check with them regarding the functionality validations.

    On the other hand, if you can have a Cryptographic Coprocessor, which is a hardware piece, then the benefit is that encryption handling is done at a hardware level, which reduces the overhead when it comes to memory and cores. In this case the impact will be negligible. I think the latest supported Cryptographic Coprocessor card on the market is the 4769, but the 4770 should also be released in the near future.



    ------------------------------
    Rohit Chauhan
    Senior Technical Specialist
    Norway
    ------------------------------



  • 3.  RE: Performance impact on IBM i with Disk Encryption

    Posted Thu October 24, 2024 07:48 AM
    Edited by Luca Maurizio Verzicco Thu October 24, 2024 08:01 AM

    Thanks Rohit Chauhan for your experience.

    I did some POCs with software solutions, but the impact on performance is heavy if the customer wants to encrypt all the DB.

    I'm doing some investigation about a hardware solution.

    Have a good day. 



    ------------------------------
    Luca Maurizio Verzicco
    IBMi Service and PreSales Manager
    S2E - Solution to Enterprise
    Milano - Italy
    +39 380 6570039
    ------------------------------



  • 4.  RE: Performance impact on IBM i with Disk Encryption

    Posted Thu October 24, 2024 07:57 AM

    Hi @Luca Maurizio Verzicco,

    It is still not clear to me. So that means you are doing investigation on the hardware solution, i.e., Cryptographic Coprocessor?



    ------------------------------
    Rohit Chauhan
    Senior Technical Specialist
    Norway
    ------------------------------



  • 5.  RE: Performance impact on IBM i with Disk Encryption

    Posted Thu October 24, 2024 08:05 AM

    Hi Rohit, thanks for your info.

    I'll do some investigation about costs and the type of hardware Cryptographic Coprocessor solution. The customer has an intensive use of CPU and RAM and doesn't want to lose performance.

    I think the Cryptographic Coprocessor card can be the right solution.

    Have a good day. 



    ------------------------------
    Luca Maurizio Verzicco
    IBMi Service and PreSales Manager
    S2E - Solution to Enterprise
    Milano - Italy
    +39 380 6570039
    ------------------------------



  • 6.  RE: Performance impact on IBM i with Disk Encryption

    Posted Thu October 24, 2024 08:38 AM

    Hi Luca - Just to be clear - are you looking for encryption at rest or looking at encryption in flight? For us, we use encryption at REST and leverage external storage, in particular Flash Storage, to accomplish our encryption needs. Maybe this could be a solution for you/your customer as well? Using the CRYPTO card does have some downsides to it and, without knowing the environment, it would be difficult to gauge whether or not those downsides are pertinent to your customer. Hope this helps and good luck - Rich



    ------------------------------
    Rich Malloy
    ------------------------------



  • 7.  RE: Performance impact on IBM i with Disk Encryption

    Posted Thu October 24, 2024 09:35 AM
    Edited by Luca Maurizio Verzicco Thu October 24, 2024 09:37 AM

    Hi Rich, thanks for your info. 

    The customer wants to use on-the-fly encryption.

    They are using two 9009 41G machines with internal SSD disks and not external storage.

    I'm also looking at NVMe disk costs with a Self-Encrypting Drives (SED) solution and whether it can be enough to solve the situation.

    Thanks for your help. 



    ------------------------------
    Luca Maurizio Verzicco
    IBMi Service and PreSales Manager
    S2E - Solution to Enterprise
    Milano - Italy
    +39 380 6570039
    ------------------------------



  • 8.  RE: Performance impact on IBM i with Disk Encryption

    Posted Thu October 24, 2024 10:00 AM

    You're welcome, Luca. If they are only looking at encrypting the DISK itself, I think a storage solution that provides encryption at REST would probably be best overall. Another thing to consider: if you go the CRYPTO route and need to add processor / memory, you will need to do so very fast, as the 41G (and other Power 9 models) are on the 'chopping' list for those kinds of features. This might be an opportunity to do something new all the way around.....

    Hardware withdrawal: IBM POWER9 Activation features - IBM Documentation



    ------------------------------
    Rich Malloy
    ------------------------------



  • 9.  RE: Performance impact on IBM i with Disk Encryption

    Posted Fri October 25, 2024 03:35 AM

    Luca, 

    Further to what everyone said here, some additional points to consider.

    I'd look at the production box PDI stats - FULL OPEN Rates; this gives you a good indication, with workload, of what you might expect.

    Then further to that, perhaps understand the clear reasons for encryption (e.g. full disk encryption might not solve the problem if the system is still open for attack vectors on sensitive data, that they will need a software solution).

    If that is the actual reason for disk encryption, then further push them to classify data. Encryption is heavier than obfuscation, which you might only want to obfuscate PI data and not sensitive data, say a payroll database.

    Marius



    ------------------------------
    Marius le Roux
    Owner
    MLR Consulting
    ------------------------------