The article you referenced seems to assume whole-disk encryption is always implemented using software on your computer, since it says "the operating system has the decryption key to access the disk". That is not true, of course, for self-encrypting disk drives (or tape drives), where the encryption key never leaves the hardware device in unencrypted form. As I recall, the key is served to the mainframe disk drives using a secure process such that it is never available in the clear.

Regardless, it is true that the #1 benefit of encrypted disk and tape drives is the case where the device can be stolen. For tape, the usual example is that someone loses or steals a tape when it is going out of your facility for off-site backup. For disk, the biggest risk scenario is a laptop, which can be stolen or lost. Obviously, it's a lot less likely that someone is going to walk out of your data center with a disk drive that was in use by your mainframe. I think whole-disk encryption has value in all cases, but it has the most value for devices or media that can easily move around.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
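The key-serving process the post describes (a media key that reaches the drive without ever being exposed in the clear) is easiest to see in code. The following Go program is an added example written for this page; it is not from the post, from IBM, or from any drive vendor, and it does not reproduce any real SED or key-manager protocol. It shows the shape of the exchange: a key server wraps the media key to a public key generated inside the drive, the drive unwraps it internally, and the host only ever handles the wrapped blob. The `Drive` and `KeyServer` types, the OAEP label, the LBA-as-associated-data construction and the sample sector contents are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is a constructed label for this example; it binds the wrapped
// blob to this particular use of the drive's keypair.
var oaepLabel = []byte("sed-media-key")

// Drive models a self-encrypting drive. The media key (dek) is held only
// inside the struct and no method ever returns it to the host.
type Drive struct {
	priv *rsa.PrivateKey // wrapping keypair generated inside the drive
	dek  []byte          // media key; nil while the drive is locked
}

func NewDrive() (*Drive, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Drive{priv: priv}, nil
}

// PublicKey is the only key material the drive exports.
func (d *Drive) PublicKey() *rsa.PublicKey { return &d.priv.PublicKey }

// LoadWrappedKey unwraps the media key with the drive's private key; the
// clear key never crosses the host interface.
func (d *Drive) LoadWrappedKey(wrapped []byte) error {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, d.priv, wrapped, oaepLabel)
	if err != nil {
		return fmt.Errorf("unwrap failed: %w", err)
	}
	d.dek = dek
	return nil
}

func (d *Drive) aead() (cipher.AEAD, error) {
	if d.dek == nil {
		return nil, errors.New("drive is locked: no media key loaded")
	}
	block, err := aes.NewCipher(d.dek) // rejects any non-AES key length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Write encrypts one sector with AES-256-GCM; the return value is what sits
// on the platter. The LBA is authenticated so a sector cannot be moved to
// another address without detection.
func (d *Drive) Write(lba uint64, plaintext []byte) ([]byte, error) {
	g, err := d.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := []byte(fmt.Sprintf("lba:%d", lba))
	return append(nonce, g.Seal(nil, nonce, plaintext, ad)...), nil
}

// Read decrypts a sector produced by Write for the same LBA.
func (d *Drive) Read(lba uint64, onDisk []byte) ([]byte, error) {
	g, err := d.aead()
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(onDisk) < ns {
		return nil, errors.New("short sector")
	}
	ad := []byte(fmt.Sprintf("lba:%d", lba))
	return g.Open(nil, onDisk[:ns], onDisk[ns:], ad)
}

// KeyServer models the key manager: the one place outside the drive that
// holds the media key, and it releases it only in wrapped form.
type KeyServer struct{ dek []byte }

func NewKeyServer() (*KeyServer, error) {
	dek := make([]byte, 32) // AES-256 media key, generated here for the example
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return &KeyServer{dek: dek}, nil
}

// ServeKey wraps the media key to one specific drive's public key. This blob
// is everything the host, the channel, or a network sniffer ever sees.
func (s *KeyServer) ServeKey(pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s.dek, oaepLabel)
}
```

The point the post makes about theft follows directly: a platter copied out of the data center, or the wrapped blob sniffed in transit, is useless without the private key that exists only inside the drive, while the same drive refuses all I/O until a blob wrapped to that key has been loaded.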
