Data at rest Encryption actions

You can manage encryption keys, key labels, key servers, recovery keys, and certificates on the Data at rest Encryption tab of the Settings > Security page. The actions that are available to you depend on your user role.

Administrator

If you have an administrator user role, you can use the following actions to manage encryption:
Encryption Key Management for SKLM and KMIP Key Server
Enabling data at rest encryption
Click Enable Encryption to open the Encryption wizard and enable data at rest encryption. For more information, see Enabling data at rest encryption. This action must be done after the security administrator configures or disables a recovery key.
Disabling data at rest encryption
To disable data at rest encryption, select Disable from the State list. Disabling encryption deletes the key server definitions, encryption settings, and associated encryption keys from the storage system. This action does not require authorization by the security administrator. This task can only be done after arrays and pools have been removed.
Rekeying the encryption key
Click Rekey to obtain a new encryption key from the key server (if encryption is enabled). For storage systems that communicate with SKLM key servers, this action does not require the label to change. For storage systems that communicate with KMIP key servers, this action results in a change of the encryption key UUID. This action might be done concurrently with running host I/O.
Key Label Management for SKLM Key Servers
Add Key Label
Add a label that the storage system uses to retrieve an encryption key on the key servers. This action is only permitted if there is a single label.
Modify Key Label
Change one or both of the labels the storage system uses to retrieve the encryption key on the key servers.
Remove Key Label
Remove a key label that is no longer needed. This action is only permitted if there are two labels.
Key servers
Add Key Server
Add the host name, IP address, port, and key protocol of the key server where an encryption key is located. If the key server type is KMIP or SSL-enabled SKLM, specify the key server certificate.
Test
Test the key server to confirm that it is accessible from the storage system.
Activate
Activate a deactivated key server.
Deactivate
Deactivate a key server that is not needed for encryption.
Remove
Remove a key server that is no longer needed for encryption. If it is necessary to make changes to an existing key server, remove it, and create a new one with updated attributes.
Certificate
View the encryption certificate properties.
Recovery keys
Authorize
Authorize the configuration, disablement, or rekeying of a recovery key.
Decline
Decline the configuration, disablement, or rekeying of a recovery key.

Security Administrator

If you have a security administrator user role, you can use the following actions to manage encryption:
Recovery keys
Configure
Configure a recovery key that can be used to restore access to data if the encryption key server is unavailable. The administrator must authorize the recovery key after you configure and verify it.
Verify
After you configure or rekey a recovery key, you must verify it before the administrator can authorize it.
Disable
If a recovery key is not required to restore access to data, disable the recovery key. The administrator must confirm that the recovery key is disabled.
Test
Validate a recovery key to ensure that it is the correct recovery key for the storage system.
Rekey
Reconfigure a recovery key. The administrator must authorize the recovery key after you rekey and verify it.
Recover
If the key servers are not accessible, initiate the recovery process to access the data on your storage system.
Deconfigure
Delete the recovery key. This action is available only if encryption is disabled.
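
The split of recovery key actions between the two roles can be modelled as a small state machine. The following Python sketch is an added example, not code from the storage system or its vendor. The state names, the EncryptionWorkflow class and the denied helper are hypothetical. It assumes that "configures" means configured, verified and authorized, and that Disable is allowed before a key is configured. Decline, Test and Recover are not modelled.

```python
ADMIN, SECADMIN = "administrator", "security administrator"

# (action, required role) -> {state before: state after}.
# State names are constructed for this example; the page does not name them.
TRANSITIONS = {
    ("configure", SECADMIN): {"unconfigured": "configured"},
    ("verify", SECADMIN): {"configured": "verified"},
    ("rekey", SECADMIN): {"authorized": "configured"},
    ("disable", SECADMIN): {"unconfigured": "disable-pending",
                            "authorized": "disable-pending"},
    ("authorize", ADMIN): {"verified": "authorized",
                           "disable-pending": "disabled"},
}

class WorkflowError(Exception):
    """Raised when a role check or a precondition fails."""

class EncryptionWorkflow:
    def __init__(self):
        self.recovery_key = "unconfigured"
        self.encryption_enabled = False
        self.audit = []  # (role, action) pairs that were allowed

    def do(self, role, action):
        """Apply one action for one role; return the recovery key state."""
        if action == "enable_encryption":
            self._require(role == ADMIN, f"{role} may not {action}")
            self._require(self.recovery_key in ("authorized", "disabled"),
                          "recovery key must be configured or disabled first")
            self.encryption_enabled = True
        elif action == "deconfigure":
            self._require(role == SECADMIN, f"{role} may not {action}")
            self._require(not self.encryption_enabled,
                          "deconfigure requires encryption to be disabled")
            self.recovery_key = "unconfigured"
        else:
            moves = TRANSITIONS.get((action, role))
            self._require(moves is not None, f"{role} may not {action}")
            self._require(self.recovery_key in moves,
                          f"cannot {action} while {self.recovery_key}")
            self.recovery_key = moves[self.recovery_key]
        self.audit.append((role, action))
        return self.recovery_key

    @staticmethod
    def _require(ok, why):
        if not ok:
            raise WorkflowError(why)

def denied(wf, role, action):
    """Return the refusal reason, or None if the action was allowed."""
    try:
        wf.do(role, action)
    except WorkflowError as err:
        return str(err)
    return None
```

The audit list records only allowed actions, so a review can confirm that every authorize entry follows a verify or disable entry made by the other role.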