If encryption is configured with USB flash drives, it is possible to create new keys and store them on USB flash drives. Rekeying is the process of creating a new key for the system. To create a new key, encryption must be enabled on the system; however, the rekey operation works whether or not there are encrypted objects. If you have both methods of encryption configured on your system, completely rekey one method before rekeying the other. If you are generating new keys for cloud storage, the cloud account must be online during the rekeying operation.

Before creating a new key, ensure that at least one USB port contains a USB flash drive that contains the current key. During the rekey process, a new key is generated and copied to the USB flash drives. The new key is then used instead of the current key. The rekey operation fails unless at least one USB flash drive contains the current key. To rekey the system, you need at least three USB flash drives to store the copied key material.
Using the management GUI
To rekey the system in the management GUI, complete these steps:
- In the management GUI, select .
- Expand USB Flash Drives to display all the detected USB flash drives on the system and select Rekey.
- When the system detects the required number of USB flash drives, with at least one drive that contains an existing key, the new key is generated and copied to the USB flash drives. Click Commit after the key is created to complete the rekey operation. If errors occur during the rekey process, status messages describe the problem with creating or copying the new key. For example, if the minimum number of USB drives is inserted but none of them contains an existing encryption key, the rekey operation fails. To determine and fix other possible errors, select .
Note: If you have key servers configured in addition to USB flash drives, you can now rekey the key server.
Using the command-line interface
To rekey the system in the command-line interface, complete these steps:
- Verify that encryption is enabled on the system by entering this command:
lsencryption
Ensure that the status indicates that the encryption is enabled.
- After you verify that encryption is enabled, prepare the system to rekey the encryption keys that are currently in use on the system. Ensure that at least one USB flash drive that contains the current key is inserted into the configuration node. The current key is necessary; without it, the rekey process fails. To prepare the rekey operation and copy the new key to all inserted USB flash drives on the system, enter the following command:
chencryption -usb newkey -key prepare
This command confirms that at least one of the inserted USB flash drives contains the current encryption key. It then generates a new encryption key for the system and copies the key to all USB flash drives that are inserted into the system. Optionally, you can make more copies of the encryption key as backups in case USB flash drives are lost or damaged.
- To verify that the system is prepared and the keys are copied to the other USB flash drives, enter the following command:
lsencryption
Check that the usb_rekey parameter has the value prepared.
Note: The prepared value indicates that the new key is ready to be committed.
If USB flash drives are already inserted into the canisters, the encryption key is copied to them automatically. If no USB flash drives are present in the canister, insert them to begin copying the key to the drives. To verify that the copies to the USB flash drives are successful, enter lsencryption and check the value of usb_key_copies. Each successful copy to a USB flash drive increments this value. This value must match the number of USB flash drives that you inserted into the system to create the new encryption keys. Before the keys can be committed, this value must be greater than the minimum required amount.
- To commit the key, enter the following command:
chencryption -usb newkey -key commit
This command makes the prepared key the current key and stores the key values on the USB flash drives.
- Verify that the new key is committed by entering the following command:
lsencryption
Ensure that the value in the usb_rekey parameter is no and that usb_key_copies shows the minimum required number of USB flash drives with copies of the keys. The system needs at least USB flash drives, each with one copy of the key. It is recommended that extra copies of the keys are made and stored securely.