The Data at rest Encryption tab on the Security page displays
information about key servers, key labels and key Universally Unique
Identifiers (UUIDs), recovery keys, and certificates
that are used for encrypting data at rest on the storage system. If you have an administrator or
security administrator role, you can complete the encryption actions that are enabled for your user
role.
Enabling data at rest encryption
To open the Encryption wizard and enable encryption, click Enable
Encryption. For more information, see Enabling data at rest encryption.
Enabling encryption has the following prerequisites:
- The key servers must be online and accessible.
- IBM SKLM (IPP) and IBM SKLM (TLS) key servers must have key labels available.
- IBM SKLM (TLS) and KMIP compatible key servers must have their server certificate available.
- The recovery key must have been either configured or disabled by the security administrator.
Managing encryption
After encryption is enabled, use the Data at rest Encryption page to manage encryption settings.
- State
- Indicates whether encryption is enabled or disabled.
To enable encryption after it has been disabled, click Enabled to open the Encryption wizard.
To disable encryption, select Disabled.
Note: Disabling encryption deletes the key
server definitions, encryption settings, and associated encryption keys from the storage
system.
- Key Servers
- View the properties of the external key server where encryption keys are stored.
- Host name
- The name or IP address of the key server where the encryption key is located.
- State
- The status of the key server.
- Critical
- Only one Hardware Management Console (HMC) has access to the specified key server, which is a
potential single point of failure. Use the showkeymgr command with the -access parameter to
determine the status of each HMC.
Note: For storage systems with only one HMC configured, the showkeymgr command displays the
status as normal, because there is no second HMC whose access could be lost.
- Deactivated
- The key server was deactivated by a user on the storage system.
- Inaccessible
- The storage system cannot access the key server.
- Online
- The key server can be accessed by the storage system.
- Unwrap failing
- The storage system is unable to obtain the encryption key from the key server.
- Port
- The network port on the key server to which the storage system connects to obtain the encryption key.
- Type
- The type of the key server.
- IBM SKLM (IPP)
- An IBM Security Key Lifecycle Manager (SKLM) server that the storage system reaches over the IBM
Proprietary Protocol (IPP) for encryption management.
- IBM SKLM (TLS)
- The SKLM server that supports Transport Layer Security (TLS) for encryption management.
- KMIP compatible
- The Key Management Interoperability Protocol (KMIP) server used for encryption management.
- Encryption key
- View the status of the encryption key or obtain a new key.
Click Rekey to obtain a new encryption key from the key server. For storage systems that use SKLM key
servers, this action does not require the key label to change. For storage systems that use KMIP key
servers, this action changes the encryption key UUID. Rekeying can be performed concurrently with
host I/O.
The storage system uses a key label to identify an encryption key on a key
server. You must specify at least one and no more than two key labels.
An encryption key has
one of the following statuses:
- Accessible
- The storage system received an encryption key from the key server. Encrypted data on the storage
system can be accessed.
- Inaccessible
- The storage system did not receive an encryption key from the key server. The key server might
be offline. Encrypted data on the storage system cannot be accessed.
- Not applicable
- A key server was not configured for the storage system.
- Recovery Key
- The status of the recovery key, which is used by the security administrator to restore access to
encrypted data if the key servers are unavailable.
- Configured
- The recovery key was requested and verified by the security administrator and authorized by the
administrator.
- Disabled
- The recovery key was disabled by the security administrator and authorized by the
administrator.
- Not configured
- The recovery key was not configured.
- Key verification pending
- The recovery key was configured by the security administrator but not verified. The security
administrator must verify the recovery key.
- Authorization Pending (key disabled)
- The recovery key was disabled by the security administrator but the disablement was not
authorized. The administrator must authorize the disabled recovery key.
- Authorization Pending (rekey)
- The recovery key was rekeyed and verified by the security administrator, but not authorized. The
administrator must authorize the rekeyed recovery key.
- Authorization Pending (recovery initiated)
- The security administrator used the recovery key to restore access to encrypted data, but the
recovery was not authorized by the administrator. The administrator must authorize the use of the
recovery key to restore access to data.
- Authorization Pending (key configured)
- The recovery key was configured and verified by the security administrator, but not authorized.
The administrator must authorize the configured recovery key.
- Encryption Communication Certificates
- DS8000 Encryption Communication Certificate
- Certificate
- The DS8000 certificate that is installed on the key server: a system-defined Gen2 certificate, a
system-defined Gen3 certificate, or a customer-defined certificate.
- Expires
- The expiration date for the certificate.
- Export Public Key
- Export the DS8000® encryption certificate to a file on the local system.
- Update Certificate
- Update the DS8000 encryption certificate to a system-defined (Gen2 or Gen3) or customer-defined
certificate. This action can be performed only after encryption is configured.
This action will also update the encryption certificate for IBM® Fibre
Channel Endpoint Security and transparent cloud tiering, if either option is enabled.
For more information about updating encryption certificates, see Updating encryption certificates.
- View Certificate
- View the encryption certificate.
- Key Server Communication Certificates
- Certificates of the Key Management Interoperability Protocol (KMIP) compatible key servers or IBM®
SKLM servers that provide the encryption keys.
- Update Certificate
- Update the key server certificate.
- View Certificate
- View the key server certificate. (Not available for IBM SKLM (IPP) servers, which do not use TLS.)
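The Key Servers states and the Encryption key status described above are derived from how many HMCs can reach each key server. The following is an added example written for this page, not DS8000 code: a small model that maps per-HMC reachability (the information showkeymgr -access reports) to the displayed states, derives the key status, and lists the findings an operator should act on. The precedence among the states, the single-key-server finding, and the host names and ports are this example's own choices and constructed sample values.

```python
"""Model of how the Key Servers "State" and the "Encryption key" status on the
Data at rest Encryption tab follow from per-HMC reachability.

Hypothetical model written for this page, not DS8000 code. The precedence of the
states and the single-key-server finding are this model's own choices."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class KeyServer:
    host: str
    port: int
    kind: str                   # "IBM SKLM (IPP)", "IBM SKLM (TLS)" or "KMIP compatible"
    reachable_from: Set[str]    # HMCs that have access to this server (per-HMC result of showkeymgr -access)
    deactivated: bool = False   # deactivated by a user on the storage system
    unwrap_ok: bool = True      # False when the server answers but cannot return the key


def server_state(server: KeyServer, hmcs: Set[str]) -> str:
    """Map one key server to the state the tab displays."""
    if server.deactivated:
        return "Deactivated"
    reach = server.reachable_from & hmcs
    if not reach:
        return "Inaccessible"
    if not server.unwrap_ok:
        return "Unwrap failing"
    # Critical: a second HMC exists but only one HMC has a path to the server.
    # A system with a single HMC cannot lose that redundancy, so it reports normal.
    if len(reach) == 1 and len(hmcs) > 1:
        return "Critical"
    return "Online"


def key_status(servers: List[KeyServer], hmcs: Set[str]) -> str:
    """Encryption key status: the key is accessible if any server can hand it over."""
    if not servers:
        return "Not applicable"
    usable = [s for s in servers if server_state(s, hmcs) in ("Online", "Critical")]
    return "Accessible" if usable else "Inaccessible"


def assess(servers: List[KeyServer], hmcs: Set[str]) -> Tuple[Dict[str, str], str, List[str]]:
    """Per-server states, key status, and the findings an operator should act on."""
    states = {s.host: server_state(s, hmcs) for s in servers}
    findings = []
    for s in servers:
        state = states[s.host]
        if state == "Critical":
            missing = sorted(hmcs - s.reachable_from)
            findings.append(f"{s.host}:{s.port} reachable from one HMC only; restore the path from {missing}")
        elif state in ("Inaccessible", "Unwrap failing"):
            findings.append(f"{s.host}:{s.port} is {state}")
    live = [h for h, st in states.items() if st in ("Online", "Critical")]
    if len(live) == 1:
        # Model's own check: losing the last usable key server makes the data inaccessible.
        findings.append(f"{live[0]} is the only key server that can serve the key (single point of failure)")
    return states, key_status(servers, hmcs), findings


def sample_assessment():
    """Constructed inventory: two HMCs, one fully reachable KMIP server, one
    reachable from hmc1 only, and one deactivated IPP server. Host names and
    ports are sample values."""
    hmcs = {"hmc1", "hmc2"}
    servers = [
        KeyServer("kms-a.example.net", 5696, "KMIP compatible", {"hmc1", "hmc2"}),
        KeyServer("kms-b.example.net", 5696, "KMIP compatible", {"hmc1"}),
        KeyServer("sklm-old.example.net", 3801, "IBM SKLM (IPP)", set(), deactivated=True),
    ]
    return assess(servers, hmcs)


if __name__ == "__main__":
    states, status, findings = sample_assessment()
    for host, state in states.items():
        print(f"{host:24} {state}")
    print("Encryption key:", status)
    for finding in findings:
        print("finding:", finding)
```

Running the sample reports kms-b as Critical with the path from hmc2 to restore, while the key itself stays Accessible because kms-a serves it from both HMCs; the same inventory with a single HMC reports every reachable server as Online, matching the note on the Critical state.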
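The Recovery Key statuses listed above describe a dual-control workflow: the security administrator configures, verifies, rekeys, disables or uses the recovery key, and every one of those requests sits in an Authorization Pending state until an administrator authorizes it. The following is an added example written for this page, not DS8000 code: a state machine that enforces that role split and walks the key through its lifecycle. The state names are the ones the field displays; the transitions marked ASSUMPTION in the code (re-configuring after Disabled, verification before an authorized rekey, returning to Configured after an authorized rekey or recovery) and the rule that a requester may not authorize their own request are this model's own additions.

```python
"""Dual-control model of the recovery key lifecycle shown in the Recovery Key field.

Hypothetical model written for this page, not DS8000 code. The state names are
the ones the field displays and the role split (security administrator requests,
administrator authorizes) follows the descriptions; lines marked ASSUMPTION are
transitions the page does not spell out."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SECADMIN = "security administrator"
ADMIN = "administrator"

# Role required for each action.
ROLE_FOR_ACTION = {
    "configure": SECADMIN,
    "verify": SECADMIN,
    "disable": SECADMIN,
    "rekey": SECADMIN,
    "recover": SECADMIN,     # use the recovery key to restore access to the data
    "authorize": ADMIN,
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class RecoveryKey:
    state: str = "Not configured"
    pending_kind: Optional[str] = None   # what the pending authorization is for
    requested_by: Optional[str] = None   # user who made the pending request
    history: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def act(self, user: User, action: str) -> str:
        """Apply an action; PermissionError for a wrong role, ValueError for a wrong state."""
        required = ROLE_FOR_ACTION.get(action)
        if required is None:
            raise ValueError(f"unknown action {action!r}")
        if user.role != required:
            raise PermissionError(f"{action!r} requires the {required} role")
        new_state = self._transition(user, action)
        self.history.append((user.name, action, self.state, new_state))
        self.state = new_state
        return new_state

    def _transition(self, user: User, action: str) -> str:
        s = self.state
        if action == "configure" and s in ("Not configured", "Disabled"):
            # ASSUMPTION: configuring again after Disabled follows the first-time path.
            self.pending_kind, self.requested_by = "key configured", user.name
            return "Key verification pending"
        if action == "rekey" and s == "Configured":
            # ASSUMPTION: a rekey is verified before it waits for authorization.
            self.pending_kind, self.requested_by = "rekey", user.name
            return "Key verification pending"
        if action == "verify" and s == "Key verification pending":
            return f"Authorization Pending ({self.pending_kind})"
        if action == "disable" and s == "Configured":
            self.pending_kind, self.requested_by = "key disabled", user.name
            return "Authorization Pending (key disabled)"
        if action == "recover" and s == "Configured":
            self.pending_kind, self.requested_by = "recovery initiated", user.name
            return "Authorization Pending (recovery initiated)"
        if action == "authorize" and s.startswith("Authorization Pending"):
            # Separation of duties, this model's own rule: the requester may not authorize.
            if user.name == self.requested_by:
                raise PermissionError("the requester cannot authorize their own request")
            kind, self.pending_kind, self.requested_by = self.pending_kind, None, None
            # ASSUMPTION: an authorized rekey or recovery leaves the key Configured.
            return "Disabled" if kind == "key disabled" else "Configured"
        raise ValueError(f"{action!r} is not valid in state {s!r}")


def attempt(rk: RecoveryKey, user: User, action: str) -> Tuple[bool, str]:
    """Run an action and report (ok, new state or reason) instead of raising."""
    try:
        return True, rk.act(user, action)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)


def walk_through() -> RecoveryKey:
    """Configure, rekey and finally disable the recovery key under dual control."""
    sec = User("alice", SECADMIN)   # constructed sample users
    adm = User("bob", ADMIN)
    rk = RecoveryKey()
    for user, action in [(sec, "configure"), (sec, "verify"), (adm, "authorize"),
                         (sec, "rekey"), (sec, "verify"), (adm, "authorize"),
                         (sec, "disable"), (adm, "authorize")]:
        rk.act(user, action)
    return rk


if __name__ == "__main__":
    for who, action, before, after in walk_through().history:
        print(f"{who:6} {action:10} {before:40} -> {after}")
```

The history printed by walk_through reproduces the sequence of statuses the field would show: Key verification pending, Authorization Pending (key configured), Configured, and so on to Disabled. Any attempt to authorize with the security administrator role, to authorize with nothing pending, or to authorize one's own request is rejected, which is the check to keep in mind when a single account is granted both roles.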