If you configured key servers to manage encryption keys, you can generate new keys with
the encryption key servers.
Rekeying is the process of creating a new
key for the system. To create a new key, encryption must be enabled on the system; however, the
rekey operation works whether or not there are encrypted objects.
If you have both methods of encryption configured on
your system, completely rekey one method before rekeying the other. If you are generating new keys for cloud storage, the cloud
account must be online during the rekeying operation.
Using the management GUI
During the rekey process, the key server generates a new
key and the existing key becomes obsolete.
If you are using multiple master or
active-active key servers, new keys are automatically replicated to all configured key servers. In configurations with a single primary key server and multiple
secondary key servers, only the primary key server is updated during the rekey operation. Any
additional key servers go offline and the system reports an error against those key servers until
the new key is replicated from the primary to the secondary key servers.
Note: To avoid data loss, back up your data on
the key server management application every time that you rekey.
Before creating a new key on all configured key servers,
the key servers must be online and connected to the system.
In the management GUI, select . Expand Key Servers to display details on all the configured
key servers on the system. Verify that the status of the key servers is online and available to the
system.
In the command-line interface, enter lskeyserver to verify
whether the key servers are online and available to the system.
To rekey the system that uses key server encryption, complete
these steps:
- In the management GUI, select .
- Expand Key Servers to display all the configured key servers on the
system and select Rekey.
- Click OK on the message dialog. The encryption key is generated by the
primary key server and is copied to the primary key server. If errors occur during the rekey
process, status messages display problems with the copy or creation of a new key. To determine and
fix other possible errors, select .
After the rekey operation completes, the new keys are replicated instantly if you have multiple
primary or active-active key server configurations. If you have USB flash drives configured in
addition to a key server, you can now rekey the USB flash drives.
Using the command-line interface
To rekey the system that uses key servers, complete these
steps:
- Verify that encryption is enabled on the system by entering this command:
lsencryption
Ensure that the status indicates that the
encryption is enabled.
- After verifying that encryption is enabled, verify that the key servers are online and available
by entering this command:
lskeyserver name_id
where
name_id is the name or ID of the key server. Ensure that the status for all
available key servers is online.
- After verifying that encryption is enabled and the key servers are online, you need to prepare
the system to rekey the encryption keys that are currently being used on the system. To prepare the
rekey operation, enter the following
command:
chencryption -keyserver newkey -key prepare
Note: This command creates the new key on the primary key server only. All additional
key servers go offline until the key is replicated from the primary key server to the other key
servers with the IBM® Security Guardium® Key Lifecycle Manager.
- To verify that the system is prepared, enter the following
command:
lsencryption
Check that
the keyserver_rekey parameter has the value prepared. The
prepared value indicates that the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
This
command makes the prepared key the current key and stores the key values on the primary key
server.
- Verify that the new key is committed by entering the following
command:
lsencryption
Ensure that the value in
the keyserver_rekey parameter is no.
After the rekey operation completes, the new keys are replicated instantly if you have multiple
master or active-active key server configurations. If you have USB flash drives configured in
addition to a key server, you can now rekey the USB flash drives.
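The command-line procedure above, wrapped as an added shell helper that is not part of the product documentation: it refuses to start when encryption is disabled or any key server is not online, runs prepare, confirms keyserver_rekey is prepared, commits, and confirms keyserver_rekey is back to no. The run_cli function and the assumed output layouts of lsencryption ("field value" lines) and lskeyserver (header row with a status column, one row per server) are assumptions; adjust them for your release.

```shell
#!/bin/sh
# Added helper for the CLI rekey procedure; not part of the product documentation.
# Assumptions (adjust for your release): lsencryption prints "field value" lines
# such as "status enabled" and "keyserver_rekey prepared"; lskeyserver prints a
# header row that contains a "status" column, then one row per key server.

# Replace with the way you reach the system CLI, e.g. ssh superuser@cluster "$@"
run_cli() { "$@"; }

# $1 = lsencryption output; succeeds only if encryption is enabled
encryption_enabled() {
  printf '%s\n' "$1" | awk '$1 == "status" && $2 == "enabled" { ok = 1 } END { exit !ok }'
}

# $1 = lsencryption output; prints the keyserver_rekey value (no / prepared)
rekey_state() {
  printf '%s\n' "$1" | awk '$1 == "keyserver_rekey" { print $2; exit }'
}

# $1 = lskeyserver output; succeeds only if every listed key server is online.
# The status column is found by name in the header row, so column order does
# not matter; a missing status column counts as a failure.
all_keyservers_online() {
  printf '%s\n' "$1" | awk '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "status") c = i; if (!c) bad = 1; next }
    NF > 0 && $c != "online" { bad = 1 }
    END { exit bad }'
}

# Prepare, verify, commit, verify. Secondary key servers only receive the new
# key by replication from the primary, so every server must be online first.
rekey_keyserver() {
  enc=$(run_cli lsencryption) || return 1
  encryption_enabled "$enc" || { echo "encryption is not enabled; nothing to rekey" >&2; return 1; }
  ks=$(run_cli lskeyserver) || return 1
  all_keyservers_online "$ks" || { echo "a key server is not online; not starting rekey" >&2; return 1; }
  run_cli chencryption -keyserver newkey -key prepare || return 1
  [ "$(rekey_state "$(run_cli lsencryption)")" = prepared ] \
    || { echo "new key was not prepared on the primary key server" >&2; return 1; }
  run_cli chencryption -keyserver newkey -key commit || return 1
  [ "$(rekey_state "$(run_cli lsencryption)")" = no ] \
    || { echo "commit not confirmed: keyserver_rekey is not 'no'" >&2; return 1; }
  echo "rekey committed; confirm that secondary key servers return online after replication"
}

# Run the sequence only when invoked as: sh rekey.sh --run
if [ "${1:-}" = "--run" ]; then rekey_keyserver; fi
```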