mkkeygrp
The mkkeygrp command creates an entry for the key group on the storage system.
Parameters
- -dev storage_system_ID
- (Optional) The storage system ID, which includes manufacturer, machine type, and serial number.
For example, IBM.2107-75FA120.
Using the -dev parameter temporarily overrides any defined value for devid for the current command.
- -keyprotocol IPP | KMIP | LOCAL
- (Optional) The protocol used by the storage system to communicate with the key server when using
external key management (IPP, KMIP). When using local key management (LOCAL), an external key server
is not required.
- IPP
- The storage system supports the IBM Proprietary Protocol (IPP) to communicate with the Security Guardium Key Lifecycle Manager or Guardium Key Lifecycle Manager for key server management operations. This value is the default.
- KMIP
- The storage system supports the Key Management Interoperability Protocol (KMIP) to communicate with the key server for key server operations.
- LOCAL
- The storage system supports local key management. The storage system scrambles the data key using a cryptographic algorithm and stores it locally, rather than obtaining the data key as a secret managed by an external key server. If Local Data-at-Rest Encryption is used, it is not necessary to configure external key servers.
- -label key_label
- (Optional) The label for the key group data key. This parameter is required with the -keyprotocol IPP parameter. You can enter a maximum of 64 ASCII characters for the label.
- -label2 second_key_label
- (Optional) The second label for the key group data key. You can enter a maximum of 64 ASCII characters for the label.
- -type dar | tct | endpoint
- (Optional) The type of encryption that the key group will use:
- dar
- Encryption for data at rest, which encrypts data that is stored on your storage system. This value is the default.
- tct
- Encryption for transparent cloud tiering, which ensures that data is encrypted
before it is transferred to cloud storage. The data remains encrypted in cloud storage and is
decrypted after it is transferred back to the storage system.
Note: If the -type tct option is specified, the data at rest encryption recovery key for the storage system must be disabled. After the key group is created, the recovery key can be enabled. For details about managing a recovery key, see the managereckey command.
- endpoint
- Encryption for IBM Fibre Channel Endpoint Security, which establishes authenticated communication and encryption of data in flight for Fibre Channel connections between an IBM Z® host and the storage system. The connections are secured by Fibre Channel security protocols and key server authentication that uses communication certificates. If both the host and storage system use a connection with Fibre Channel ports that support encryption, the connection will transmit encrypted data between the ports.
- -name key_name
- (Optional) The user-specified name that is used to identify the key group.
- key_group_ID | -
- (Required) The ID for the key group. For key groups that use data at rest encryption, specify the numeral 1 as the ID. For key groups that use TCT encryption, specify a decimal number in the range 2 - 16; use the showsi command to determine this maximum. The default ID value is 1, which indicates a key group that is configured for data at rest encryption. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.
Example: Creating an entry for the key group on the storage system.
dscli> mkkeygrp -dev IBM.2107-75FA120 -label MyCompany -label2 MyCompany2 1
Output:
The key server key group 1 has been created.
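As an added example (not part of the DS CLI documentation or IBM's code), the following Python function checks the parameter rules listed above and assembles the mkkeygrp command line, so that a key group with a wrong ID, a missing IPP label or an over-long label is rejected before dscli is invoked. The recovery_key_enabled argument is an assumed description of the current system state, not a mkkeygrp parameter, and no ID range is enforced for -type endpoint because the page does not state one.

```python
"""Validate and assemble a DS CLI mkkeygrp command line (added example, not
IBM's code): encodes this page's parameter rules so a misconfigured key group
is rejected before dscli is invoked."""

KEY_PROTOCOLS = {"IPP", "KMIP", "LOCAL"}
KEY_TYPES = {"dar", "tct", "endpoint"}
MAX_LABEL_LEN = 64  # -label and -label2 accept at most 64 ASCII characters


def _check_label(opt: str, value: str) -> None:
    # Labels must be ASCII and no longer than 64 characters.
    if not value.isascii() or not 1 <= len(value) <= MAX_LABEL_LEN:
        raise ValueError(f"{opt} must be 1-{MAX_LABEL_LEN} ASCII characters")


def build_mkkeygrp(key_group_id, *, dev=None, keyprotocol=None, label=None,
                   label2=None, ktype=None, name=None, interactive=False,
                   recovery_key_enabled=False):
    """Return the mkkeygrp argv list, or raise ValueError on a rule violation.

    Omitted options take the documented defaults (IPP protocol, dar type).
    recovery_key_enabled is an assumed input describing system state, not an option.
    """
    proto = keyprotocol or "IPP"
    kind = ktype or "dar"
    if proto not in KEY_PROTOCOLS or kind not in KEY_TYPES:
        raise ValueError(f"unsupported -keyprotocol {proto!r} or -type {kind!r}")
    if proto == "IPP" and label is None:
        raise ValueError("-label is required with -keyprotocol IPP")
    for opt, value in (("-label", label), ("-label2", label2)):
        if value is not None:
            _check_label(opt, value)
    if kind == "tct" and recovery_key_enabled:
        raise ValueError("disable the data at rest recovery key before -type tct")
    if key_group_id == "-":
        # '-' reads the ID from stdin, which interactive mode does not allow.
        if interactive:
            raise ValueError("'-' cannot be used in DS CLI interactive mode")
    else:
        gid = int(key_group_id)
        if kind == "dar" and gid != 1:
            raise ValueError("data at rest key groups must use ID 1")
        if kind == "tct" and not 2 <= gid <= 16:
            raise ValueError("TCT key group IDs must be in the range 2-16")
    argv = ["mkkeygrp"]
    for opt, value in (("-dev", dev), ("-keyprotocol", keyprotocol), ("-label", label),
                       ("-label2", label2), ("-type", ktype), ("-name", name)):
        if value is not None:
            argv += [opt, value]
    return argv + [str(key_group_id)]
```

Calling build_mkkeygrp("1", dev="IBM.2107-75FA120", label="MyCompany", label2="MyCompany2") reproduces the command from the example above as an argv list.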