Configuring client-side encryption for transparent cloud tiering

Client-side encryption for transparent cloud tiering ensures that data is encrypted before it is transferred to cloud storage. The data remains encrypted in cloud storage and is decrypted after it is transferred back to the DS8000® storage system.

You can use client-side encryption for transparent cloud tiering to download and decrypt data on any DS8000 storage system that uses the same set of key servers as the system that first encrypted the data.

Notes:
  • Client-side encryption for transparent cloud tiering requires IBM® Security Key Lifecycle Manager v3.0.0.2 (or later) or Gemalto Safenet KeySecure V8.0.0 (or later). For more information, see Configuring key servers.
  • Transparent cloud tiering supports the Key Management Interoperability Protocol (KMIP) only.

Setting up client-side encryption for transparent cloud tiering

To set up client-side encryption for transparent cloud tiering, you must configure a key manager and create an encryption key group for transparent cloud tiering. Complete the following steps:
  1. Use the mkkeygrp command to create an encryption key group that is configured for transparent cloud tiering.
  2. Use the mkkeymgr command to configure a key server and assign the encryption key group to the key server.
  3. Use the key group as a parameter of the mkcloudserver command to define a cloud storage server connection that uses client-side encryption for transparent cloud tiering.
Note: To add a key group that is configured for transparent cloud tiering to an existing key server, use the managekeymgr command.
mkkeygrp
To create a key group that is configured for transparent cloud tiering, use the mkkeygrp command with the parameter -type tct (to specify encryption for transparent cloud tiering) and a key group value that is a whole number in the range 2 - 16. In the following example, the -type tct parameter is specified with a key group value of 3.
mkkeygrp -keyprotocol kmip -type tct -name demo 3

For more information, see mkkeygrp.

mkkeymgr
To define a key server and assign a key group to the key server, use the mkkeymgr command with the parameters -type tct and -keygrp tct_keygrp (to specify a key group that is configured for transparent cloud tiering). In the following example, the -type tct parameter is specified with a key group value of 3 (-keygrp 3).
mkkeymgr -serverport 1234 -cert /home/hscroot/certs/cloud.crt -type tct -keygrp 3 -addr host.keymanager.com -keyprotocol kmip 4

For more information, see mkkeymgr.

mkcloudserver
To define a cloud storage server connection that uses client-side encryption for transparent cloud tiering, use the mkcloudserver command with the -keygrp tct_keygrp parameter, which specifies the key group that is configured for transparent cloud tiering. In the following example, a key group value of 3 is assigned to the cloud server.
mkcloudserver -type ibmcos -username cosusername -pw cospasswd -endpoint https://1.11.111.111 -loc ztct -keygrp 3 coschar
For more information, see mkcloudserver.
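
The three-step procedure above, as an added dry-run helper that is not part of the DS8000 documentation or of IBM's DS CLI: it checks the constraints the page states (a whole-number key group in the range 2 - 16, KMIP as the only protocol, and the same key group reused by mkkeygrp, mkkeymgr and mkcloudserver) and then prints the commands in order without running them. The key group name (tct_grp_N), the COS credential placeholders and the argument order are assumptions made here; only flags shown on this page are used.

```shell
# Added example (not IBM code): prints the DS CLI command sequence for
# client-side TCT encryption after validating the inputs. Nothing is executed.
# usage: tct_cmds KEYGRP KEYSRV_ID KEYSRV_ADDR PORT CERT_PATH CLOUD_NAME ENDPOINT
tct_cmds() {
    keygrp=$1 keysrv=$2 addr=$3 port=$4 cert=$5 cloud=$6 endpoint=$7

    # The key group value must be a whole number in the range 2 - 16.
    case $keygrp in
        ''|*[!0-9]*) echo "error: key group '$keygrp' is not a whole number" >&2; return 1 ;;
    esac
    if [ "$keygrp" -lt 2 ] || [ "$keygrp" -gt 16 ]; then
        echo "error: key group $keygrp is outside the range 2 - 16" >&2; return 1
    fi
    # The key server ID and port must also be whole numbers.
    case $keysrv in
        ''|*[!0-9]*) echo "error: key server ID '$keysrv' is not a whole number" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "error: port '$port' is not a whole number" >&2; return 1 ;;
    esac
    [ -n "$addr" ] && [ -n "$cert" ] && [ -n "$cloud" ] && [ -n "$endpoint" ] || {
        echo "error: key server address, certificate, cloud name and endpoint are required" >&2
        return 1
    }

    # Step 1: key group with -type tct; transparent cloud tiering supports KMIP only.
    # The group name tct_grp_N is a constructed value.
    printf 'mkkeygrp -keyprotocol kmip -type tct -name tct_grp_%s %s\n' "$keygrp" "$keygrp"
    # Step 2: key server, with the same key group assigned to it.
    printf 'mkkeymgr -serverport %s -cert %s -type tct -keygrp %s -addr %s -keyprotocol kmip %s\n' \
        "$port" "$cert" "$keygrp" "$addr" "$keysrv"
    # Step 3: cloud server connection bound to the same key group. Credentials are
    # left as placeholders so they are never baked into a script; -loc ztct is the
    # location used in the page's own example.
    printf 'mkcloudserver -type ibmcos -username <cos_user> -pw <cos_password> -endpoint %s -loc ztct -keygrp %s %s\n' \
        "$endpoint" "$keygrp" "$cloud"
}

# Invocation with the values used on this page:
# tct_cmds 3 4 host.keymanager.com 1234 /home/hscroot/certs/cloud.crt coschar https://1.11.111.111
```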

managekeymgr
To add a key group that is configured for transparent cloud tiering to an existing key server, use the managekeymgr command with the -action addgrp and -keygrp tct_keygrp parameters. You must also specify the key_server_ID and the -type tct parameters. In the following example, a key group with a value of 3 is assigned to a key server with an ID value of 4.
managekeymgr -action addgrp -type tct -keygrp 3 4

For more information, see managekeymgr.