Data encryption and security commands

Use data encryption and security commands to configure the storage system.

For security purposes, encryption keys are stored on external key servers, not on the storage system. The mkkeymgr, chkeymgr, rmkeymgr, and lskeymgr commands specify the location of the external key servers and which of those servers the storage system uses. If multiple servers are specified, the storage system assumes that the servers themselves keep their stored keys synchronized. Because products from multiple manufacturers might use the same key servers, the mkkeygrp, rmkeygrp, lskeygrp, and showkeygrp commands are used to assign a label to any specific encryption key.

In some environments, there might be two disjoint groups of external key servers that cannot synchronize their stored keys securely. In this case, you can specify a second label, one label for each group of servers. Under certain unusual circumstances, access to the encrypted data on the storage system can be lost. This loss of access might occur if all of the external key servers go down, or if all physical connections between the storage system and the external key servers are lost. To prevent any of these possibilities from becoming a permanent loss of data access, you are required to create an encryption data access recovery key that is managed with a dual control process, as described in the "User account and security commands" section. The encryption recovery key itself is manually managed with the managereckey, mkreckey, and rmreckey commands.

The following data encryption and security commands are available:
chkeymgr
Updates the attributes of the key server entry on the storage complex.
lskeygrp
Displays a list of the key server encryption key group entries on the specified storage image.
lskeymgr
Displays a list of the key server entries that are on the storage complex.
managekeygrp
Allows you to manage an encryption key group.
managekeymgr
Allows you to manage an existing encryption key server.
managereckey
Allows you to manage an existing encryption recovery key.
mkkeygrp
Creates an entry for the key server encryption key group on the storage image.
mkkeymgr
Creates an entry for the key server on the storage complex.
mkreckey
Allows you to create an encryption recovery key.
rmkeygrp
Removes an entry for the key server encryption key group on a specified storage image.
rmkeymgr
Removes a key server entry on the storage complex.
rmreckey
Allows you to remove an encryption recovery key.
showkeygrp
Displays detailed information for a specified key server encryption key group entry on the storage image.
showkeymgr
Displays detailed properties of a specified key server entry.