Restoring master encryption key from database backup

If the file that contains the master encryption key is lost or corrupted, the IBM Spectrum® Protect server can no longer encrypt new data or decrypt existing data in the encrypted cloud-container storage pools. In this case, you can restore the master encryption key from a database backup.

About this task

If the server cannot access the master encryption key, and encrypted cloud-container storage pools are defined to the server, the server makes the pools unavailable. You can set an encrypted pool's access mode back to READWRITE by restoring the master encryption key from a database backup.

Procedure

To restore a master encryption key and to make the encrypted pools available again, complete the following steps:

  1. Halt the server.
  2. Issue the RESTORE DB command to restore the master encryption key.
    Tip: To restore only the master key and not the database, specify the RESTOREKEYS=ONLY parameter.
    • For versions earlier than 8.1.8: Specify the password on the command line.
      DSMSERV RESTORE DB RESTOREKEYS=ONLY PASSWORD=password
    • For versions 8.1.8 and later: Specify the PROMPT=YES parameter on the command line. When you issue the command, it prompts for the password.
      DSMSERV RESTORE DB RESTOREKEYS=ONLY PROMPT=YES
      Important: The password that you specify must be the same password that was used when the database was backed up. By using the SET DBRECOVERY command, or by specifying a password when you define the pool by using the Operations Center, you set the default password for recovering the master encryption key. However, you can also override this default password by specifying a password on the BACKUP DB command. If you are restoring from a full plus incremental database backup, specify the password that was used for the incremental backup.
  3. Restart the server.
  4. Change the access state of the encrypted cloud-container storage pools by using one of the following methods:
    • Using the Operations Center:
      1. On the Operations Center menu bar, click Storage > Storage Pools.
      2. On the Storage Pools page, select a cloud-container storage pool and click Details.
      3. On the Details page, click the Properties tab.
      4. From the Access list, select READWRITE.
      5. Click Save.
    • Using the command-line administrative client:
      1. Issue the UPDATE STGPOOL command with the ACCESS=READWRITE parameter.
        UPDATE STGPOOL poolname ACCESS=READWRITE
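
The procedure above as a dry-run planner, added here as an example and not IBM's own code: it picks the step 2 command form from the server version and prints the step 4 command for each pool listed as UNAVAILABLE. The function names, the "poolname,access" input format and the pool-name character check are assumptions of this example.

```shell
# Added example: prints the commands for the procedure above; it runs none of them.
# version_lt A B: succeeds when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# restore_key_command VERSION: step 2 command form; "password" is the page's placeholder.
restore_key_command() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid version: $1" >&2; return 1 ;;
    esac
    if version_lt "$1" 8.1.8; then   # versions earlier than 8.1.8
        echo "DSMSERV RESTORE DB RESTOREKEYS=ONLY PASSWORD=password"
    else                             # 8.1.8 and later: the command prompts
        echo "DSMSERV RESTORE DB RESTOREKEYS=ONLY PROMPT=YES"
    fi
}

# pool_update_commands: reads assumed "poolname,access" lines, prints step 4 commands.
pool_update_commands() {
    while IFS=, read -r pool access; do
        [ "$access" = "UNAVAILABLE" ] || continue   # leave other access modes alone
        case "$pool" in   # conservative name check so odd input cannot alter the command
            ''|*[!A-Za-z0-9_.-]*) echo "skipping pool name: $pool" >&2; continue ;;
        esac
        echo "UPDATE STGPOOL $pool ACCESS=READWRITE"
    done
}

# recovery_plan VERSION: ordered plan for steps 1 to 4; pool list is read from stdin.
recovery_plan() {
    cmd=$(restore_key_command "$1") || return 1
    echo "1. Halt the server."
    echo "2. $cmd"
    echo "3. Restart the server."
    pool_update_commands | sed 's/^/4. /'
}

# Constructed sample pool list, not output captured from a real server.
SAMPLE_POOLS='CLOUDPOOL1,UNAVAILABLE
DISKPOOL,READWRITE
CLOUDPOOL2,UNAVAILABLE'
printf '%s\n' "$SAMPLE_POOLS" | recovery_plan 8.1.10
```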