Data encryption and security commands
Use data encryption and security commands to configure the storage system.
For security purposes, encryption keys are stored on external key servers, not on the storage system. The mkkeymgr, chkeymgr, rmkeymgr, and lskeymgr commands are used to specify the location of the external key servers and which servers are to be used by the storage system. If multiple servers are specified, it is assumed that the servers themselves manage the process to ensure that the stored keys are synchronized. Because multiple manufacturers' products might be using the same key servers, the mkkeygrp, rmkeygrp, lskeygrp, and showkeygrp commands are used to specify a label for any specific encryption key.
In some environments, there might be two disjointed groups of external key servers that are defined and that cannot synchronize their stored keys securely. In this case, you can specify a second label, one label for each group of servers. Under certain unusual circumstances, losing access to the encrypted data on the storage system might be possible. This loss of access might occur if all of the external keys servers go down, or if all physical connections are lost between the storage system and the external key servers. To prevent any of these possibilities from becoming a permanent loss of data access, you are required to create an encryption data access recovery key that is managed with a dual control process described in the "User account and security commands" section. The encryption recovery key itself is manually managed with the managereckey, mkreckey, and rmreckey commands.
- chkeymgr
- Updates the attributes of the key server entry on the storage complex.
- lskeygrp
- Displays a list of the key server encryption key group entries on the specified storage image.
- lskeymgr
- Displays a list of the key server entries that are on the storage complex.
- managekeygrp
- Allows you to manage an encryption key group.
- managekeymgr
- Allows you to manage an existing encryption key server.
- managereckey
- Allows you to manage an existing encryption recovery key.
- mkkeygrp
- Creates an entry for the key server encryption key group on the storage image.
- mkkeymgr
- Creates an entry for the key server on the storage complex.
- mkreckey
- Allows you to create an encryption recovery key.
- rmkeygrp
- Removes an entry for the key server encryption key group on a specified storage image.
- rmkeymgr
- Removes a key server entry on the storage complex.
- rmreckey
- Allows you to remove an encryption recovery key.
- showkeygrp
- Displays detailed information for a specified key server encryption key group entry on the storage image.
- showkeymgr
- Displays detailed properties of a specified key server entry.