 IBM i 7.6 SYSBAS encryption

David Vanmanshoven posted Fri March 13, 2026 07:15 AM

Hi IBM i community,

With IBM i 7.6, IBM released ASP 1 (*SYSBAS) encryption. I’ve been reviewing the related documentation, but I still have some questions.

As an IBM Business Partner, we host IBM i LPARs for several customers. We are all aware that cybercriminals are a real threat, and we all need to comply with new regulations such as GDPR, DORA, NIS2, and their U.S. counterparts.

We already use encryption on our FlashSystems, and our customers connect to their IBM i systems using encrypted protocols. However, there are scenarios where these measures still aren’t sufficient. For example, data from IBM i travels unencrypted over the SAN fabrics. If someone were to gain access to the FlashSystem, they could create a snapshot, attach it to an unmonitored LPAR, and gain access to customer data, and so on.

IBM i ASP encryption could be a solution to these threats. If you disagree, I’d be interested in hearing your comments.

Let’s assume we implement ASP and iASP encryption.

  • What would be the effect on capacity usage on our FlashSystems? The data would arrive already encrypted on the FlashSystem. I remember that encrypted data is difficult to compress and deduplicate, so my guess is that we’ll see an increase in usage by a factor of four. IBM i data is, on average, compressed by a factor of four in our environment.
  • Where is the encryption key stored? Is it stored in the Licensed Internal Code, or somewhere in the firmware of the Power server?
  • Can we still use Live Partition Mobility?
  • Can we still create a snapshot, attach it to another LPAR on the same Power server or on a different Power server, and IPL it for the purpose of creating offline backups?

Does anyone have experience with this new feature and is willing to share it with the community?

Thank you,

David

Tom Huntington IBM Champion

David,

I am not familiar with this new offering. You certainly are correct that the disk encryption is really only protecting you from someone stealing your drives, and of course it keeps the auditors happy too, as you can say you are encrypting. Our solution in our Powertech family can encrypt data at field/column levels in DB2 files/tables. It also can encrypt IFS files. We do have solutions for encrypting data in flight for FTP, SFTP, HTTPS, AS2, etc.

https://power.fortra.com/products/database-encryption-software-ibm-i

This solution has been helping customers since 7.1 of IBM i.

Guido Martinez
David,
 
That's right, many people think that by enabling encryption at the storage disk level, they're already safe, but the data at the database level remains clear and readable.
 
I haven't tried it, but I've seen encryption at the IBM i level. First, you should keep in mind that database queries will be up to 2x slower, and using "Content Manager OnDemand for i," the keys are stored in the QUSROND library.
You could take a look at this:
 
I understand that several companies develop their own encryption solutions, for example, Fortra.

Regards.