Data at rest Encryption

The Data at rest Encryption tab on the Security page displays information about key servers, key labels and key Universally Unique Identifiers (UUIDs), recovery keys, and certificates that are used for encrypting data at rest on the storage system. If you have an administrator or security administrator role, you can complete the encryption actions that are enabled for your user role.

Enabling data at rest encryption

To open the Encryption wizard and enable encryption, click Enable Encryption. For more information, see Enabling data at rest encryption.

Enabling encryption includes the following prerequisites:
  • The key servers must be online and accessible.
  • IBM SKLM and IBM SKLM Transport Layer Security (TLS) key servers must have key labels available.
  • IBM SKLM (TLS) and KMIP compatible key servers must have the SSL certificate available.
  • A recovery key was configured or disabled by the security administrator.

Managing encryption

After encryption is enabled, use the Data at rest Encryption page to manage encryption settings.
State
Indicates whether encryption is enabled or disabled.

To enable encryption after it is disabled, click Enabled to open the Encryption wizard.

To disable encryption, select Disabled.
Note: Disabling encryption deletes the key server definitions, encryption settings, and associated encryption keys from the storage system.
Key Servers
View the properties of the external key server where encryption keys are stored.
Host name
The name or IP address of the key server where the encryption key is located.
State
The status of the key server.
Critical
Only one Hardware Management Console (HMC) has access to the specified key server, which represents a potential single point of failure.

Use the showkeymgr command with the -access parameter to determine the status of each HMC.

Note: For storage systems with only one HMC configured, the showkeymgr command displays the status as normal.
Deactivated
The key server was deactivated by a user on the storage system.
Inaccessible
The storage system cannot access the key server.
Online
The key server can be accessed by the storage system.
Unwrap failing
The storage system is unable to obtain the encryption key from the key server.
Port
The I/O port on the key server that the storage system uses to access the encryption key.
Type
The type of the key server.
IBM SKLM (IPP)
IBM Proprietary Protocol (IPP) that is used to communicate with the IBM Security Key Lifecycle Manager (SKLM) for encryption management.
IBM SKLM (TLS)
The SKLM server that supports Transport Layer Security (TLS) for encryption management.
KMIP compatible
The Key Management Interoperability Protocol (KMIP) server used for encryption management.
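The key server states above are the inputs a practitioner would feed to a monitoring check. The following is an added example, not DS8000 code: it takes a constructed list of (host, state) pairs using the state names listed above, plus the number of HMCs, and reports redundancy findings. The tuple input format and the rule that the encryption key counts as reachable only through Online or Critical servers are assumptions of this example, not the output or logic of any DS8000 command.

```python
"""Key server redundancy check (added example; not DS8000 code).

Input format (host, state) and the "usable server" rule are assumptions
of this example. State names are the ones the Key Servers panel shows.
"""

ONLINE = "Online"
CRITICAL = "Critical"            # reachable, but through one HMC only
DEACTIVATED = "Deactivated"
INACCESSIBLE = "Inaccessible"
UNWRAP_FAILING = "Unwrap failing"


def assess_key_servers(servers, hmc_count):
    """Return (expected encryption key status, list of findings).

    servers:   list of (host, state) pairs (constructed input).
    hmc_count: number of HMCs on the storage system.
    """
    findings = []
    if not servers:
        # No key server configured: the Encryption key panel shows "Not applicable".
        return "Not applicable", ["no key server configured; encryption cannot be enabled"]

    # Assumption: a server can serve the key when it is Online or Critical.
    usable = [host for host, state in servers if state in (ONLINE, CRITICAL)]

    for host, state in servers:
        if state == CRITICAL:
            findings.append(f"{host}: reachable from only one HMC (single point of failure)")
        elif state == UNWRAP_FAILING:
            findings.append(f"{host}: reachable but cannot return the encryption key; "
                            "check key labels and the key server certificate")
        elif state == INACCESSIBLE:
            findings.append(f"{host}: not reachable from the storage system")
        elif state == DEACTIVATED:
            findings.append(f"{host}: deactivated by a user on the storage system")

    if not usable:
        key_status = "Inaccessible"
        findings.append("no key server can serve the encryption key; encrypted data is not accessible")
    else:
        key_status = "Accessible"
        if len(usable) < 2:
            findings.append("only one key server can serve the encryption key; no key server redundancy")

    if hmc_count < 2:
        # With a single HMC, showkeymgr -access reports normal, so a Critical
        # state cannot surface; say so rather than reporting a clean bill.
        findings.append("single HMC: HMC path redundancy cannot be confirmed from key server state")

    return key_status, findings


if __name__ == "__main__":
    # Constructed sample: one healthy server, one reachable from a single HMC.
    status, notes = assess_key_servers([("ks1.example", ONLINE), ("ks2.example", CRITICAL)], 2)
    print(status)
    for note in notes:
        print(" -", note)
```

Run it periodically against the states shown on this page (or the output of showkeymgr, parsed into the same pairs) and alert on any finding; the "only one key server" and "single point of failure" findings are the ones that turn a key server outage into a loss of access to encrypted data.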
Encryption key
View the status of the encryption key or obtain a new key.

Click Rekey to obtain a new encryption key from the key server. For storage systems that use SKLM key servers, this action does not require the key label to change. For storage systems that use KMIP key servers, this action results in a change of the encryption key UUID. This action can be done concurrently with running host I/O.

The storage system uses a key label to identify an encryption key on a key server. You must specify at least one and no more than two key labels.

An encryption key has one of the following statuses:
Accessible
The storage system received an encryption key from the key server. Encrypted data on the storage system can be accessed.
Inaccessible
The storage system did not receive an encryption key from the key server. The key server might be offline. Encrypted data on the storage system cannot be accessed.
Not applicable
A key server was not configured for the storage system.
Recovery Key
The status of the recovery key, which is used by the security administrator to restore access to encrypted data if the key servers are unavailable.
Configured
The recovery key was requested and verified by the security administrator and authorized by the administrator.
Disabled
The recovery key was disabled by the security administrator and authorized by the administrator.
Not configured
The recovery key was not configured.
Key verification pending
The recovery key was configured by the security administrator but not verified. The security administrator must verify the recovery key.
Authorization Pending (key disabled)
The recovery key was disabled by the security administrator but the disablement was not authorized. The administrator must authorize the disabled recovery key.
Authorization Pending (rekey)
The recovery key was rekeyed and verified by the security administrator, but not authorized. The administrator must authorize the rekeyed recovery key.
Authorization Pending (recovery initiated)
The security administrator used the recovery key to restore access to encrypted data, but the recovery was not authorized by the administrator. The administrator must authorize the use of the recovery key to restore access to data.
Authorization Pending (key configured)
The recovery key was configured and verified by the security administrator, but not authorized. The administrator must authorize the configured recovery key.
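The recovery key statuses above describe a dual-control workflow: the security administrator configures, verifies, rekeys, disables or uses the key, and a separate administrator must authorize each of those actions before it takes effect. The following is an added example, not DS8000 code, that models that workflow as a state machine with role enforcement, using the status names exactly as listed on this page. The transition order (a rekey passing through "Key verification pending" before "Authorization Pending (rekey)", and configure being allowed again from "Disabled") is an assumption of this example, not documented DS8000 behaviour.

```python
"""Dual-control recovery key workflow (added example; not DS8000 code).

Status strings are the ones the Recovery Key panel shows. The exact
transition order and the roles allowed to start each action are assumptions
of this example drawn from the status descriptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SECURITY_ADMIN = "security administrator"
ADMIN = "administrator"

NOT_CONFIGURED = "Not configured"
VERIFY_PENDING = "Key verification pending"
AUTH_CONFIGURED = "Authorization Pending (key configured)"
AUTH_REKEY = "Authorization Pending (rekey)"
AUTH_DISABLED = "Authorization Pending (key disabled)"
AUTH_RECOVERY = "Authorization Pending (recovery initiated)"
CONFIGURED = "Configured"
DISABLED = "Disabled"


@dataclass
class RecoveryKeyWorkflow:
    status: str = NOT_CONFIGURED
    # Which authorization status a successful verify leads to (assumption).
    pending_after_verify: Optional[str] = None
    # (role, action, from_status, to_status) audit trail of every transition.
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def _require(self, needed_role, actual_role, allowed_from):
        # Role check first: the wrong role is refused regardless of state.
        if actual_role != needed_role:
            raise PermissionError(f"{actual_role} cannot perform this action; {needed_role} required")
        if self.status not in allowed_from:
            raise ValueError(f"action not allowed from status {self.status!r}")

    def _move(self, new_status, role, action):
        self.audit.append((role, action, self.status, new_status))
        self.status = new_status
        return new_status

    # Actions started by the security administrator.
    def configure(self, role):
        self._require(SECURITY_ADMIN, role, {NOT_CONFIGURED, DISABLED})
        self.pending_after_verify = AUTH_CONFIGURED
        return self._move(VERIFY_PENDING, role, "configure")

    def rekey(self, role):
        self._require(SECURITY_ADMIN, role, {CONFIGURED})
        self.pending_after_verify = AUTH_REKEY
        return self._move(VERIFY_PENDING, role, "rekey")

    def verify(self, role):
        self._require(SECURITY_ADMIN, role, {VERIFY_PENDING})
        nxt, self.pending_after_verify = self.pending_after_verify, None
        return self._move(nxt, role, "verify")

    def disable(self, role):
        self._require(SECURITY_ADMIN, role, {CONFIGURED})
        return self._move(AUTH_DISABLED, role, "disable")

    def initiate_recovery(self, role):
        self._require(SECURITY_ADMIN, role, {CONFIGURED})
        return self._move(AUTH_RECOVERY, role, "initiate recovery")

    # The one action reserved for the administrator: it completes whichever
    # request is pending, so the security administrator can never approve
    # their own change.
    def authorize(self, role):
        self._require(ADMIN, role, {AUTH_CONFIGURED, AUTH_REKEY, AUTH_DISABLED, AUTH_RECOVERY})
        nxt = DISABLED if self.status == AUTH_DISABLED else CONFIGURED
        return self._move(nxt, role, "authorize")


def full_lifecycle():
    """Walk configure -> rekey -> disable with both roles; return the audit trail."""
    w = RecoveryKeyWorkflow()
    w.configure(SECURITY_ADMIN)
    w.verify(SECURITY_ADMIN)
    w.authorize(ADMIN)
    w.rekey(SECURITY_ADMIN)
    w.verify(SECURITY_ADMIN)
    w.authorize(ADMIN)
    w.disable(SECURITY_ADMIN)
    w.authorize(ADMIN)
    return w.audit


if __name__ == "__main__":
    for entry in full_lifecycle():
        print(entry)
```

The audit trail is the point of the model: every "Authorization Pending" status on this page is a record that one role has acted and a second role has not yet agreed, which is what makes a lost or misused recovery key require collusion rather than a single account.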
Encryption Communication Certificates
DS8000 Encryption Communication Certificate
Certificate
The certificate that is installed on the key server: a system defined Gen2, system defined Gen3, or a customer defined certificate.
Expires
The expiration date for the certificate.
Export Public Key
Export the DS8000® encryption certificate to a file on the local system.
Update Certificate
Update the DS8000 encryption certificate to a system defined (Gen2 or Gen3) or customer defined certificate. This action is only performed after encryption is configured.

This action will also update the encryption certificate for IBM® Fibre Channel Endpoint Security and transparent cloud tiering, if either option is enabled.

For more information about updating encryption certificates, see Updating encryption certificates.

View Certificate
View the encryption certificate.
Key Server Communication Certificates
Certificates from Key Management Interoperability Protocol (KMIP) compatible key servers or IBM® SKLM servers that provide encryption.
Update Certificate
Update the key server certificate.
View Certificate
View the encryption certificate. (Not available for SKLM servers without TLS.)