An encryption deadlock occurs when all key
servers that are within an account cannot become operational because
some part of the data in each key server is stored on an encrypting
device that is dependent on one of these key servers to access the data.
The key server provides an operating environment for the key server
application to run in, to access its keystore on persistent storage,
and to interface with client storage devices that require key server services.
The keystore data is accessed by the key server application by using
your specified password. The keystore data is encrypted independently
of where it is stored. However, any online data that is required to
initiate the key server cannot be stored on storage that has a dependency
on the key server to enable access. If this constraint is not met,
the key server cannot perform an initial program load (IPL) and therefore
cannot become operational. This data includes the boot image for the
operating system that runs on the key server and any data that is
required by that operating system and its associated software stack
to run the key server application, to allow it to access its keystore
and to allow the key server to communicate with its storage device clients. Similarly,
any backups of the key server environment and data must not be stored
on storage that has a dependency on a key server to restore or access
the backup data.
While an encryption deadlock exists, you cannot access any encrypted
data that is managed by the key servers. If all backups of the keystore
are also stored on encrypting storage that is dependent on a key server,
and you do not have the recovery keys that would unlock the storage
devices, the encryption deadlock can become a permanent encryption
deadlock such that all encrypted data that is managed by the key servers
is permanently lost.
With encryption-capable disks, the probability of an encryption
deadlock increases significantly because of the following factors:
- There are a number of layers of virtualization in the I/O stack
hierarchy that make it difficult for you to determine where all the
files that are necessary to make the key server and its associated
keystore available are stored. The key server can access its data
through a database that runs on a file system on a logical volume manager,
which communicates with a storage subsystem that provisions logical
volumes with capacity that is obtained from other subordinate storage arrays.
The data that is required by the key server might end up provisioned
over various storage devices, each of which might be independently
encryption-capable or encryption-enabled.
- Various layers within this I/O stack hierarchy can provide transparent
data relocation either autonomically or because of a user-initiated
operation.
- As the availability of encryption-capable devices becomes more
pervasive, more data is migrated from non-encrypted storage to encrypted
storage. Even if the key servers are initially configured correctly,
it is possible that a storage administrator might accidentally migrate
some data that is required by the key server from non-encrypted to
encrypted storage.
- Consolidation of servers and storage tends to drive data migration
and tends to move more data under a generalized shared storage environment,
which tends to be encryption-capable as time goes on.
- Whether the data access of a key server is compromised cannot be detected
except by power cycling the entire environment, which results in the
deadlock if the access of a key server is compromised. Even
with multiple key servers, it might not be possible to detect that
all key servers except one are dependent on the operation of the last
key server such that a single additional change that compromises the
access of the last key server is all that is required to enable the
encryption deadlock.
- All IBM® server platforms
support fabric-attached boot devices and storage. Some IBM servers do not support internal boot devices. It
is common for boot devices to be present within the generalized storage
environment and accessible to generalized storage management tools
that support data management and relocation.
To reduce the risk of encountering an encryption deadlock, you
must be directly involved in managing the encryption environment.
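The dependency check described above can be simulated before a power cycle. The following is an added illustration, not IBM code: it models key servers, layered storage and which key servers unlock each encrypting device, replays a cold start to a fixed point, and reports a deadlock (no key server can IPL) or a fragile environment (only one key server can IPL without help from another). All device names are constructed.

```python
def cold_start(key_servers, storage):
    """Simulate a power cycle: return the key servers that become operational.

    key_servers: {name: set of storage nodes it needs (boot image, keystore, ...)}
    storage:     {name: (encrypting, keys_from, provisioned_from)}
      encrypting       - True if the device is encryption-enabled
      keys_from        - key servers that can unlock it (any one suffices)
      provisioned_from - subordinate storage it draws capacity from
    """
    up, accessible = set(), set()
    changed = True
    while changed:
        changed = False
        for name, (encrypting, keys_from, provisioned_from) in storage.items():
            if name in accessible or not provisioned_from <= accessible:
                continue
            if encrypting and not (keys_from & up):
                continue          # locked: none of its key servers is running
            accessible.add(name)
            changed = True
        for name, needs in key_servers.items():
            if name not in up and needs <= accessible:
                up.add(name)      # all of its online data is reachable: IPL succeeds
                changed = True
    return up


def assess(key_servers, storage):
    """'deadlock' if no key server can IPL, 'fragile' if fewer than two can
    IPL without relying on another key server, otherwise 'ok'."""
    if not cold_start(key_servers, storage):
        return "deadlock"
    self_sufficient = [k for k in key_servers
                       if cold_start({k: key_servers[k]}, storage)]
    return "fragile" if len(self_sufficient) < 2 else "ok"


# Constructed example environment (illustrative names, not real devices).
STORAGE = {
    "array_plain": (False, set(), set()),            # non-encrypting array
    "array_enc":   (True, {"ks1", "ks2"}, set()),    # encrypting array
    "ks1_boot":    (False, set(), set()),            # internal boot disk
    "lv_keystore": (False, set(), {"array_plain"}),  # LV carved from array_plain
    "ks2_boot":    (False, set(), {"array_enc"}),    # SAN boot LUN on array_enc
}
KEY_SERVERS = {"ks1": {"ks1_boot", "lv_keystore"},
               "ks2": {"ks2_boot", "lv_keystore"}}


def after_migration():
    """An administrator relocates the keystore LV onto the encrypting array."""
    moved = dict(STORAGE)
    moved["lv_keystore"] = (False, set(), {"array_enc"})
    return assess(KEY_SERVERS, moved)
```

Running `assess(KEY_SERVERS, STORAGE)` reports the initial layout as fragile, because only ks1 can IPL on its own; `after_migration()` reports a deadlock once the keystore volume has been moved onto the encrypting array.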