Encryption of data and log files on MQ appliance

In order to comply with several regulatory requirements, we require our solutions to ensure that all data is encrypted while stored on disk.

Currently the only mechanism to achieve this on the MQ appliance is AMS, however AMS incurs significant CPU overheads due to the volume of PKI processing involved. A file based encryption mechanism (similar to GPFS/Spectrum Scale encryption) is desired to allow us to meet security mandates without creating performance issues.

Encryption would be needed for any file that contains message data, whether it is stored in the local drives or on a separate SAN.

Encryption per-file is preferred over volume encryption.

Symmetric key algorithms are preferred for the actual encryption of the file, however these keys must be additionally protected via a secure (i.e. PKI) mechanism.

A mechanism for rotating the symmetric keys is desirable. In a non-appliance install this would usually be achieved by creating new copies of the file under a different key, and replacing the originals - but the appliance does not offer this level of direct access

Mechanisms for rotating the PKI keys used to secure the symmetric keys would be required.

Strong ciphers - e.g. AES256 or higher, RSA, DSA or ElGamal

Signing/integrity mechanisms are not desired.

CBC or similar mechanisms are probably not viable due to random-access requirements.

An option to store keys on an external KMIP based key server would be desirable.

Support for an onboard HSM would also be desirable.