IBM FlashSystem

 View Only

 Guidance on Encryption Using USB - FS9500

MAILVAGANAM VELAYUTHAM's profile image
MAILVAGANAM VELAYUTHAM posted Sun August 03, 2025 11:28 PM

Hi All,

I’d like to seek some advice regarding encryption using a USB stick.

Once encryption is enabled, is it safe to remove the USB stick from the canister? Due to datacenter compliance requirements, USB devices cannot remain visibly connected.

The USB stick will be stored securely and only reinserted if a power cycle occurs.

Regards,
Shanker V

Nezih Boyacioglu's profile image
Nezih Boyacioglu IBM Champion posted Mon August 04, 2025 02:18 AM

Hi, 

If you use USB encryption, you will need at least three USBs: one for yourself and one for each controller. The USB for each controller should remain with that controller.
Upgrading your FlashSystem to v9.1 allows you to use encryption with internal key management. Check the IBM Docs for details. With this new method, you don't need to use usb. 

Uwe Schreiber's profile image
Uwe Schreiber IBM Champion posted Mon August 04, 2025 03:22 AM

Hi,

as long as you don't power-off both nodecanisters it is possible to remove the USB sticks from the controllers.

During startup of a controller the stored encryption key is required to unlock the access to the encrypted data. During a restart/reboot of a single nodecanister, the canister is requesting the key from its partner canister.

Storage Virtualize version 9.1.0 provide the possibility to implement encryption based on an internal key management without having the need for USB sticks or external key servers.

Darren Sanders's profile image
Darren Sanders IBM Champion posted Mon August 04, 2025 04:52 AM

Hi,

Here is some information from the online documentation. But basically, yes you can remove them but they will need to be re-inserted during a power cycle.

Two options are available for accessing key information on USB flash drives:

USB flash drives are left inserted in the system at all times
If you want the system to bring encrypted data online automatically after a system restart, a USB flash drive must be left installed in one or more canisters in the system. When the system powers on, the encryption key is read from any available USB flash drive installed in the system. This method requires that the physical environment where the system is located is secure. If the location is secure, it prevents an unauthorized person from stealing the USB flash drives to make copies of the encryption keys, as well as stealing system components such as drives. The risk with this approach is that if the location isn’t secure and the master encryption keys are attached to the system, then stealing both the system and the USB flash drives means the encrypted data at rest can be accessed.
USB flash drives are not left inserted in the system
For the most secure operation, do not keep the USB flash drives inserted into the canisters in the system. However, this method requires that you manually install the USB flash drives containing the encryption master key in the canisters during certain operations when the system requires an encryption key to be present. USB flash drives that contain the current master key must be stored securely to prevent theft or loss. During operations where the system requires an encryption key to be present, one or more USB flash drives must be installed manually into any canister so data can be accessed. After the system reads the encryption key from USB flash drives, the system will be unlocked and encrypted data will be accessible. After the system is online, the USB flash drives must be removed and stored securely to prevent theft or loss. The advantage of this approach is that even if the system or drives are stolen, the encrypted data at rest cannot be accessed because the master keys are not present.

Regards

Darren

Related Content