Use data encryption and security commands to configure the DS8000® system.
For security purposes, encryption keys are stored on external key servers, not on the DS8000 system. The mkkeymgr, chkeymgr, rmkeymgr, and lskeymgr commands are used to specify the location of the external key servers and which servers are to be used by the DS8000 system. If multiple servers are specified, it is assumed that the servers themselves manage the process to ensure that the stored keys are synchronized. Because multiple manufacturers' products might be using the same key servers, the mkkeygrp, rmkeygrp, lskeygrp, and showkeygrp commands are used to specify a label for any specific encryption key.
In some environments, there might be two disjoint groups of external key servers that are defined and that cannot synchronize their stored keys securely. In this case, you can specify a second label, one label for each group of servers.
Under certain unusual circumstances, it might be possible to lose access to the encrypted data on the DS8000 system. This loss of access might occur if all of the external key servers go down, or if all physical connections are lost between the DS8000 system and the external key servers. To prevent any of these possibilities from becoming a permanent loss of data access, you are required to create an encryption data access recovery key that is managed with a dual control process described in the "User account and security commands" section. The encryption recovery key itself is manually managed with the managereckey, mkreckey, and rmreckey commands.