Encryption actions
You can manage encryption keys, key labels, key servers, recovery keys, and certificates on the Encryption tab of the page. The actions that are available to you depend on your user role.
Administrator
If you have an administrator user role, you can use the following actions to manage encryption:
- Encryption Key Management for SKLM and KMIP Key Server
- Enable Encryption Key
- Enable encryption of data on the storage system. This action can be done only after the security administrator has configured or disabled a recovery key and the administrator has authorized that request.
- Disable Encryption
- Disable encryption of data on the storage system. Disabling encryption deletes the key server definitions, encryption settings, and associated encryption keys from the storage system. This action does not require authorization by the security administrator, but it can be done only after all arrays and pools have been removed.
- Rekey Encryption Key
- Obtain a new encryption key from the key server for a storage system on which encryption is enabled. For storage systems that use SKLM key servers, the key label does not change. For storage systems that use KMIP key servers, the encryption key UUID changes. This action can be done concurrently with host I/O.
- Key Label Management for SKLM Key Servers
- Add Key Label
- Add a label that the storage system uses to retrieve an encryption key from the key servers. This action is permitted only when a single label is configured.
- Modify Key Label
- Change one or both of the labels that the storage system uses to retrieve the encryption key from the key servers.
- Remove Key Label
- Remove a key label that is no longer needed. This action is permitted only when two labels are configured.
- Key servers
- Add Key Server
- Add the host name, IP address, port, and key protocol of the key server where the encryption key is located. If the key server type is KMIP or SSL-enabled SKLM, also specify the key server certificate.
- Test
- Test the key server to confirm that it is accessible from the storage system.
- Activate
- Activate a deactivated key server.
- Deactivate
- Deactivate a key server that is not needed for encryption.
- Remove
- Remove a key server that is no longer needed for encryption. If you need to change an existing key server, remove it and create a new one with the updated attributes.
- Certificate
- View the encryption certificate properties.
- Recovery keys
- Authorize
- Authorize the configuration, disablement, or rekeying of a recovery key that the security administrator requested.
- Decline
- Decline the configuration, disablement, or rekeying of a recovery key that the security administrator requested.
Security Administrator
If you have a security administrator user role, you can use the following actions to manage encryption:
- Recovery keys
- Configure
- Configure a recovery key that can be used to restore access to data if the encryption key server is unavailable. After you configure and verify the recovery key, the administrator must authorize it.
- Verify
- After you configure or rekey a recovery key, you must verify it before the administrator can authorize it.
- Disable
- If a recovery key is not required to restore access to data, disable the recovery key. The administrator must authorize the disablement.
- Test
- Validate a recovery key to ensure that it is the correct recovery key for the storage system.
- Rekey
- Reconfigure the recovery key. After you rekey and verify it, the administrator must authorize it.
- Recover
- If the key servers are not accessible, initiate the recovery process to regain access to the data on your storage system.
- Deconfigure
- Delete the recovery key. This action is available only when encryption is disabled.
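The two role sections above describe a dual-control workflow: the security administrator requests a recovery key change (configure, rekey, disable) and verifies it, the administrator authorizes or declines it, and encryption itself can be enabled only once that decision has been made. The following Python model is an added example, not IBM's code or the storage system's implementation. It encodes the role separation and the ordering constraints the page states so they can be exercised offline. The class, method and state names, the representation of a pending request, and the rule that a new recovery key request cannot be made while one is still awaiting authorization are this example's assumptions; the key label limits (add only when one label exists, remove only when two exist) and the effect of disabling encryption on the key server definitions follow the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# The two roles named on the page. Class, method and state names are this example's own.
ADMIN = "administrator"
SECADMIN = "security administrator"


class NotPermitted(Exception):
    """The caller's role or the current state does not allow the action."""


@dataclass
class EncryptionState:
    encryption_enabled: bool = False
    arrays_or_pools_exist: bool = False
    key_labels: List[str] = field(default_factory=list)  # SKLM labels, at most two
    recovery_key: str = "none"      # "none" | "authorized" | "disabled"
    pending: Optional[str] = None   # None | "configure" | "rekey" | "disable" (assumption)
    verified: bool = False          # security administrator has verified the pending key


class EncryptionActions:
    """Each action takes the caller's role; state changes only if every check passes."""

    def __init__(self) -> None:
        self.s = EncryptionState()

    def _check(self, role: str, expected: str, ok: bool, msg: str,
               exclusive: bool = False) -> None:
        if role != expected:
            raise NotPermitted(f"only the {expected} may perform this action")
        if exclusive and self.s.pending is not None:
            raise NotPermitted(f"a '{self.s.pending}' request is still awaiting authorization")
        if not ok:
            raise NotPermitted(msg)

    # ---- Security administrator: requests that need the administrator's authorization
    def configure_recovery_key(self, role: str) -> None:
        self._check(role, SECADMIN, self.s.recovery_key != "authorized",
                    "a recovery key is already configured; use rekey", exclusive=True)
        self.s.pending, self.s.verified = "configure", False

    def rekey_recovery_key(self, role: str) -> None:
        self._check(role, SECADMIN, self.s.recovery_key == "authorized",
                    "no authorized recovery key to rekey", exclusive=True)
        self.s.pending, self.s.verified = "rekey", False

    def verify_recovery_key(self, role: str) -> None:
        self._check(role, SECADMIN, self.s.pending in ("configure", "rekey"), "nothing to verify")
        self.s.verified = True

    def disable_recovery_key(self, role: str) -> None:
        self._check(role, SECADMIN, self.s.recovery_key != "disabled",
                    "the recovery key is already disabled", exclusive=True)
        self.s.pending = "disable"

    def deconfigure_recovery_key(self, role: str) -> None:
        self._check(role, SECADMIN, not self.s.encryption_enabled,
                    "deconfigure is available only while encryption is disabled", exclusive=True)
        self.s.recovery_key = "none"

    # ---- Administrator: the second pair of hands on recovery key requests
    def authorize_recovery_key(self, role: str) -> None:
        self._check(role, ADMIN, self.s.pending is not None, "nothing awaiting authorization")
        if self.s.pending == "disable":
            self.s.recovery_key = "disabled"
        elif self.s.verified:
            self.s.recovery_key = "authorized"
        else:
            raise NotPermitted("the security administrator has not verified the key yet")
        self.s.pending, self.s.verified = None, False

    def decline_recovery_key(self, role: str) -> None:
        self._check(role, ADMIN, self.s.pending is not None, "nothing awaiting authorization")
        self.s.pending, self.s.verified = None, False  # the previous recovery key state is kept

    # ---- Administrator: encryption state and SKLM key labels
    def enable_encryption(self, role: str, first_label: str) -> None:
        self._check(role, ADMIN, self.s.recovery_key in ("authorized", "disabled"),
                    "a recovery key must be configured or disabled first", exclusive=True)
        self.s.encryption_enabled, self.s.key_labels = True, [first_label]

    def disable_encryption(self, role: str) -> None:
        self._check(role, ADMIN, not self.s.arrays_or_pools_exist, "remove all arrays and pools first")
        # Disabling encryption deletes the key server definitions, so the labels go too.
        self.s.encryption_enabled, self.s.key_labels = False, []

    def add_key_label(self, role: str, label: str) -> None:
        self._check(role, ADMIN, len(self.s.key_labels) == 1,
                    "add is permitted only while exactly one label exists")
        self.s.key_labels.append(label)

    def remove_key_label(self, role: str, label: str) -> None:
        self._check(role, ADMIN, len(self.s.key_labels) == 2 and label in self.s.key_labels,
                    "remove is permitted only while two labels exist")
        self.s.key_labels.remove(label)


def happy_path() -> EncryptionState:
    """Constructed walk-through: configure, verify, authorize, enable, then add a second label."""
    a = EncryptionActions()
    a.configure_recovery_key(SECADMIN)
    a.verify_recovery_key(SECADMIN)
    a.authorize_recovery_key(ADMIN)
    a.enable_encryption(ADMIN, "label-1")
    a.add_key_label(ADMIN, "label-2")
    return a.s
```

The point of the model is that no single role can both request and approve a recovery key change, and that the administrator cannot enable encryption before the recovery key question has been settled one way or the other. Declining a request leaves the previous recovery key in force, which is what lets the administrator refuse a rekey without losing the key that is already authorized.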