Configuring client-side encryption for transparent cloud tiering
Client-side encryption for transparent cloud tiering ensures that data is encrypted before it is transferred to cloud storage. The data remains encrypted in cloud storage and is decrypted after it is transferred back to the DS8000® storage system.
You can use client-side encryption for transparent cloud tiering to download and decrypt data on any DS8000 storage system that uses the same set of key servers as the system that first encrypted the data.
Notes:
- Client-side encryption for transparent cloud tiering requires IBM® Security Key Lifecycle Manager v3.0.0.2 (or later) or Gemalto Safenet KeySecure V8.0.0 (or later). For more information, see Configuring key servers.
- Transparent cloud tiering supports the Key Management Interoperability Protocol (KMIP) only.
Setting up client-side encryption for transparent cloud tiering
To set up client-side encryption for transparent cloud tiering, you must create an encryption key group for transparent cloud tiering and assign it to a configured key server before you define the cloud storage server connection. Complete the following steps in this order:
- Use the mkkeygrp command to create an encryption key group that is configured for transparent cloud tiering.
- Use the mkkeymgr command to configure a key server and assign the encryption key group to the key server.
- Use the key group as a parameter of the mkcloudserver command to define a cloud storage server connection that uses client-side encryption for transparent cloud tiering.
Note: To add a key group that is configured for transparent cloud tiering to an existing key server, use the managekeymgr command instead of mkkeymgr.
- mkkeygrp
- To create a key group that is configured for transparent cloud tiering, use the mkkeygrp command with the parameter -type tct (to specify encryption for transparent cloud tiering), the parameter -keyprotocol kmip (the only key management protocol that transparent cloud tiering supports), and a key group value that is a whole number in the range 2 - 16. In the following example, the -type tct parameter is specified with a key group value of 3.
mkkeygrp -keyprotocol kmip -type tct -name demo 3
For more information, see mkkeygrp.
- mkkeymgr
- To define a key server and assign a key group to the key server, use the mkkeymgr command with the parameters -type tct and -keygrp tct_keygrp (to specify a key group that is configured for transparent cloud tiering). In the following example, the -type tct parameter is specified with a key group value of 3 (-keygrp 3), and the key server is given the ID value 4.
mkkeymgr -serverport 1234 -cert /home/hscroot/certs/cloud.crt -type tct -keygrp 3 -addr host.keymanager.com -keyprotocol kmip 4
For more information, see mkkeymgr.
- mkcloudserver
- To define a cloud storage server connection that uses client-side encryption for transparent cloud tiering, use the mkcloudserver command with the -keygrp tct_keygrp parameter, which specifies the key group that is configured for transparent cloud tiering. The key group must already be assigned to a key server. In the following example, a key group value of 3 is assigned to the cloud server connection named coschar.
mkcloudserver -type ibmcos -username cosusername -pw cospasswd -endpoint https://1.11.111.111 -loc ztct -keygrp 3 coschar
Note: The -pw value is passed on the command line, so it appears in the shell history and process list of the host that runs the DS CLI. Treat the cloud account credential as a secret: use placeholder values in scripts and documentation, and clear or protect the history of the host after you enter the real password.
- managekeymgr
- To add a key group that is configured for transparent cloud tiering to an existing key server, use the managekeymgr command with the -action addgrp and -keygrp tct_keygrp parameters. You must also specify the key_server_ID and the -type tct parameters. In the following example, a key group with a value of 3 is assigned to a key server with an ID value of 4.
managekeymgr -action addgrp -type tct -keygrp 3 4