Adding nodes or enclosures to an encryption-enabled system

You can add nodes or enclosures to the IBM Storage Virtualize system to increase its capacity. If encryption is enabled on the system, you must manually copy the current encryption key.

The system automatically shares the current encryption key in memory with nodes or enclosures when they are added, but does not automatically write the key file to any new USB flash drives. The current encryption key file is automatically written to new USB flash drives only when you enable encryption for the first time or rekey the system. To copy the current encryption key, you can use either of the following methods:
  • Manually copy the current encryption key file from an existing USB flash drive to any new USB flash drives that were received with the new node or enclosure.
  • Rekey the system.

Copying the current encryption key by using a USB flash drive

If encryption is configured with USB flash drives, you can copy the existing key file from the USB flash drive that contains the current encryption key for the system. You can use either the management GUI or the command-line interface to identify the USB flash drive.

Identifying the USB flash drive with the current encryption key
If you have multiple USB flash drives, you must first identify the USB flash drive that has a valid copy of the current encryption key for the system.
Using the management GUI

To identify the USB flash drive with the current encryption key by using the management GUI, complete these steps:

  1. Insert a USB flash drive into an available USB port.
  2. In the management GUI, select Settings > Security > Encryption.
  3. On the Encryption page, expand USB flash drives.
  4. Check the value for State. If the key on the USB flash drive is valid, validated is shown. If a different value is shown, the USB flash drive does not have the right key.
Using the command-line interface
To identify the USB flash drive with the current encryption key from the command-line interface, enter the following command:
lsportusb
The output shows the details of the USB port where the USB flash drive is inserted and the state of the USB flash drive. If the key on the USB flash drive is valid, validated is shown in the state field. If a different value is shown, the USB flash drive does not have the right key. For more information, see the lsportusb command.
Note: Insert only one USB flash drive at a time and repeat the procedure to copy the key for each USB flash drive separately.
Copying the encryption key to a new USB flash drive
  1. To identify the file name of the current encryption key for the system, enter the following command:
    lsencryption
    The key file name is displayed in the usb_key_filename field:
    encryptionkey_000000E03BA000F0_000701DD00000001_my-storage-system-name
  2. Insert the USB flash drive with the current encryption key into another system, such as your personal workstation or a server in your environment. Ensure that the drive is mounted.
  3. Navigate to the file system of the USB flash drive with the current encryption key, locate the file whose name you identified with the lsencryption command, and copy that file.
  4. Insert the new USB flash drive into the same system where you inserted the USB flash drive with the current encryption key. Ensure that the drive is mounted.
  5. Navigate to the file system of the new USB flash drive, copy the encryption key file to it, and safely unmount and remove the drive from the system.
  6. Insert the new USB flash drive into the encryption-enabled system and run the lsportusb command to confirm that the copied key is valid and was copied correctly.
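The following shell script is an added example of steps 2 through 6 as performed on a Linux or UNIX workstation; it is not IBM's own code and is not part of the original documentation. It assumes that both USB flash drives are already mounted, that KEY_FILE is the name reported in the usb_key_filename field of lsencryption, and that SRC_MOUNT and DST_MOUNT are the two mount points. Beyond the steps above, it refuses to overwrite a different key file already present on the new drive, flushes the write before the drive is unmounted, and compares the copy byte-for-byte so that a truncated or corrupted file is caught on the workstation rather than only by lsportusb afterwards.

```shell
#!/bin/sh
# Added example (not IBM's code): copy an IBM Storage Virtualize encryption key
# file from a mounted source USB flash drive to a mounted destination USB flash
# drive on a workstation, then verify the copy before the drive is removed.
# Assumptions: $1 is the usb_key_filename value from lsencryption, $2 and $3 are
# the mount points of the source and destination drives.
# Usage: copy_key_file KEY_FILE SRC_MOUNT DST_MOUNT
copy_key_file() {
    key_file=$1
    src_mount=$2
    dst_mount=$3

    # Refuse to continue unless the source drive actually carries the named key file.
    if [ ! -f "$src_mount/$key_file" ]; then
        echo "key file '$key_file' not found on $src_mount" >&2
        return 1
    fi

    # Do not silently overwrite a different key that is already on the destination.
    if [ -f "$dst_mount/$key_file" ] && ! cmp -s "$src_mount/$key_file" "$dst_mount/$key_file"; then
        echo "a different '$key_file' already exists on $dst_mount; refusing to overwrite" >&2
        return 2
    fi

    cp "$src_mount/$key_file" "$dst_mount/$key_file" || return 3

    # Flush buffered writes so the file is really on the drive before it is unmounted.
    sync

    # Verify byte-for-byte; a partial copy would not validate on the storage system.
    if ! cmp -s "$src_mount/$key_file" "$dst_mount/$key_file"; then
        echo "copy verification failed for '$key_file'" >&2
        return 4
    fi
    echo "copied and verified $key_file on $dst_mount"
    return 0
}

# Stand-alone demo: two temporary directories stand in for the mounted drives,
# and the key material is a constructed placeholder, not a real key.
demo_copy() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src" "$tmp/dst"
    printf 'CONSTRUCTED-SAMPLE-KEY-MATERIAL\n' > "$tmp/src/$1"
    copy_key_file "$1" "$tmp/src" "$tmp/dst"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_copy encryptionkey_000000E03BA000F0_000701DD00000001_my-storage-system-name
```

The return codes distinguish the failure modes a practitioner cares about: 1 means the source drive is not the one holding the current key (re-check it with lsportusb), 2 means the new drive already holds a different key file, and 4 means the copy did not survive the write intact.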

Rekeying the system

You can rekey the system and manage the encryption keys when you use a key server, USB flash drives, or both. Rekeying writes a new encryption key to all the USB flash drives currently inserted into the system. If encryption is configured with USB flash drives, you can create new keys and store them on USB flash drives. If you configured key servers to manage encryption keys, you can generate new keys with the encryption key servers. If you use both a key server and USB flash drives, you must rekey each of them individually, one at a time.
Tip: Before you rekey the system, ensure that the new nodes or enclosures are added to the system.
Key server
If you use a key server for encryption, see Rekeying a system with key servers.
USB flash drive
If you use USB flash drives for encryption, see Rekeying a system with USB flash drives.