Adding nodes or enclosures to an encryption-enabled system
You can add nodes or enclosures to the IBM Storage Virtualize system to increase its capacity. If encryption is enabled on the system, you must manually copy the current encryption key.
The system automatically shares the current encryption key in memory with nodes or enclosures when they are added, but does not automatically write the key file to any new USB flash drives. The current encryption key file is automatically written to new USB flash drives only when you enable encryption for the first time or rekey the system. To copy the current encryption key, you can use either of the following methods:
- Manually copy the current encryption key file from an existing USB flash drive to any new USB flash drives that were received with the new node or enclosure.
- Rekey the system.
Copying the current encryption key by using a USB flash drive
If encryption is configured with USB flash drives, you can copy the existing key file from the USB flash drive that contains the current encryption key for the system. You can use either the management GUI or the command-line interface to identify the USB flash drive.
- Identifying the USB flash drive with the current encryption key
- If you have multiple USB flash drives, you must first identify the USB flash drive that has a valid copy of the current encryption key for the system.
- Copying the encryption key to a new USB flash drive
- To identify the file name of the current encryption key for the system, enter the following command:
  lsencryption
  The key file name is displayed in the usb_key_filename field:
  encryptionkey_000000E03BA000F0_000701DD00000001_my-storage-system-name
- Insert the USB flash drive with the current encryption key into another system, such as your personal workstation or a server in your environment. Ensure that the drive is mounted.
- Navigate to the file system of the USB flash drive with the current encryption key, locate the file whose name you identified by using the lsencryption command on the device, and copy it.
- Insert the new USB flash drive into the same system where you inserted the USB flash drive with the current encryption key. Ensure that the drive is mounted.
- Navigate to the file system of the new USB flash drive, copy the encryption key, and safely unmount and remove the drive from the system.
- Insert the new USB flash drive into the encryption-enabled system and run the lsportusb command to ensure that the copy of the key is valid and copied correctly.
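As an added example (not part of the IBM documentation), the following shell function carries out the workstation copy steps above and compares the copy byte for byte with the original before the new drive is removed. The function name, return codes, and mount points are assumptions; running lsportusb on the system remains the final validity check.

```shell
#!/bin/sh
# Added example: copy one encryption key file between two mounted USB drives
# and verify the copy. Function name, mount points and return codes are assumptions.

# copy_key_file SRC_MOUNT DST_MOUNT KEY_NAME
# KEY_NAME is the usb_key_filename value reported by lsencryption.
# Returns: 0 copied and verified (or an identical copy is already present),
#          1 bad arguments, 2 source key file missing or empty,
#          3 a different file with that name is already on the new drive,
#          4 copy or verification failed.
copy_key_file() {
    src_mount=$1 dst_mount=$2 key_name=$3
    [ -n "$key_name" ] && [ -d "$src_mount" ] && [ -d "$dst_mount" ] || return 1
    # The name must be a bare file name, never a path.
    case $key_name in */*|.|..) return 1 ;; esac

    src=$src_mount/$key_name
    dst=$dst_mount/$key_name
    # -s: the file exists and is not empty; a zero-length key file is useless.
    [ -f "$src" ] && [ -s "$src" ] || return 2

    if [ -e "$dst" ]; then
        # Never overwrite silently: a differing file may be another key.
        cmp -s "$src" "$dst" && return 0
        return 3
    fi

    # Create the copy with owner-only permissions where the file system supports them.
    ( umask 077 && cp "$src" "$dst" ) || return 4
    sync   # flush buffered writes to the device before it is unmounted
    # Byte-for-byte comparison against the original key file.
    cmp -s "$src" "$dst" || { rm -f "$dst"; return 4; }
    return 0
}

# Run directly as: sh copykey.sh /mnt/usb_current /mnt/usb_new <usb_key_filename>
if [ "$#" -eq 3 ]; then
    copy_key_file "$@"
fi
```

A return code of 3 means the new drive already holds a file with that name but different contents, so inspect it before deciding which copy is current.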
Rekeying the system
You can rekey the system and manage the encryption keys when you use a key server, USB flash drives, or both. Rekeying writes a new encryption key to all the USB flash drives currently inserted into the system. If encryption is configured with USB flash drives, it is possible to create new keys and store them on USB flash drives. If you configured key servers to manage encryption keys, you can generate new keys with the encryption key servers. If you use both a key server and USB flash drives, you must rekey each of them individually, one at a time.
Tip: Before you rekey the system, ensure that the new nodes or enclosures are added to the system.
- Key server
- If you use a key server for encryption, see Rekeying a system with key servers.
- USB flash drive
- If you use USB flash drives for encryption, see Rekeying a system with USB flash drives.