chencryption

Use the chencryption command to manage the encryption state of the system.

Syntax

chencryption -usb enable | disable | validate | newkey [-key prepare | commit | cancel]
chencryption -keyserver enable | disable | newkey [-key prepare | commit | cancel]
chencryption -recoverykey enable | disable | validate | newkey [-key prepare | confirm | commit | cancel]

Parameters

-usb enable | disable | validate | newkey
(Required if you do not specify -keyserver or -recoverykey) Specifies whether encryption with USB flash drives is enabled (or disabled) or the encryption keys are validated. You can also create new encryption keys that are stored on Universal Serial Bus (USB) flash drives.
-usb enable
Enables encryption capability on the system with USB flash drives. Then specify -usb newkey to create new keys. Use this command when the system has encryption hardware and encryption licenses (for example, the lsencryption value for status is set to licensed).
-usb disable
Disables the encryption capability of the system with USB flash drives. If no encryption key is prepared, this operation is complete and no further action is needed. Do not use this command if an encryption key is prepared or encrypted objects exist.
Remember: This removes all knowledge of the encryption keys from the system, but does not remove any encryption key files from USB flash drives.
-usb validate
Verifies that encryption keys are present on the USB flash drive and makes sure that the keys match the system encryption keys. Use this command when encryption is enabled and encryption keys exist (for example, lsencryption value for usb_rekey is set to no).
-usb newkey
Generates a new encryption key on USB flash drives that are attached to the system. Use this command only if the minimum number of USB flash drives that can be used as key material stores are attached to the system (as reported by lsportusb). When you specify this parameter, the -key option must also be supplied.
-keyserver enable | disable | newkey
(Required if you do not specify -usb or -recoverykey) Specifies whether encryption with key servers is enabled (or disabled). You can also create new encryption keys that are stored on key servers.
-keyserver enable
Enables encryption capability on the system with key servers. Use this command when the system has encryption hardware and encryption licenses (for example, the lsencryption value for keyserver_status is set to licensed).
-keyserver disable
Disables the encryption capability of the system with key servers. If no encryption key is prepared, this operation is complete and no further action is needed. Do not use this command if an encryption key is prepared or encrypted objects exist.
-keyserver newkey
Generates a new encryption key on the primary key server that is attached to the system. You must also specify -key when you specify this parameter.
-recoverykey enable | disable | validate | newkey
(Required if you do not specify -usb or -keyserver) Specifies the encryption task to be performed for the encryption recovery key. You can enable, disable, or validate the encryption recovery key. You can also create a new encryption recovery key for the system.
Note: The -recoverykey parameter can only be entered when at least one of USB flash drives or key servers has been configured already.
-key prepare | confirm | commit | cancel
Manages the creation of a new key for the system. When you specify the value confirm, the -recoverykey option must also be supplied.

Description

Use this command to manage the encryption state of the system. You must specify either -usb, -keyserver, -internal, or -recoverykey.

You can use this command to enable or disable encryption using USB flash drives or key servers (but you cannot disable encryption if there are any encrypted objects). You can also enable or disable the encryption recovery key for the system. There are four possible arguments:
  • enable, which enables encryption
  • disable, which disables encryption
  • validate, which validates encryption key files on all of the USB flash drives currently installed in the system. The lsportusb command should be used to check the results of this command when -usb is specified. Refer to lsportusb for more information. When -recoverykey is specified, this validates the recovery key entered matches the system’s recovery key.
    Note: The validate option does not apply to key server encryption.
  • newkey, which specifies a new key for encryption
You can also perform a rekey of the external USB key or key server key material, which is divided into three stages:
  • prepare, which generates new keys and sets up the system to change encryption keys during apply
  • confirm, which confirms that the supplied recovery key matches the correct key for the system (only specify this with the -recoverykey option)
  • commit, which includes applying new keys (and copying key material)
  • cancel, which rolls back the key setup that is performed during the prepare and cancels the rekey request
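The three-stage rekey above maps naturally onto a small wrapper that prepares, commits, and cancels on failure so the system is never left with a prepared-but-uncommitted key. The script below is an added example, not part of this reference or the product's own tooling; the chencryption arguments are the ones documented on this page, while the CHENC variable (a dry-run hook that defaults to echo) and the rekey_usb function are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the reference page): drive a USB rekey through the
# prepare/commit stages documented above and roll back with cancel if commit fails.
# CHENC defaults to "echo chencryption" so the sequence can be inspected on any
# host; set CHENC=chencryption in a real cluster shell to run it for real.
# The -key values (prepare, commit, cancel) are from the page; the wrapper and
# the CHENC variable are assumptions of this example.
CHENC="${CHENC:-echo chencryption}"

# rekey_usb: generate new USB key material, apply it, and cancel the
# prepared key if the commit stage does not succeed.
rekey_usb() {
    # Stage 1: generate the new keys; nothing is applied yet.
    $CHENC -usb newkey -key prepare || return 1

    # Stage 2: apply the new keys and copy the key material to the attached USB drives.
    if $CHENC -usb newkey -key commit; then
        return 0
    fi

    # Commit failed: roll back the key setup performed during prepare so the
    # system is not left mid-rekey (usb_rekey in lsencryption would otherwise stay set).
    $CHENC -usb newkey -key cancel
    return 1
}

rekey_usb
```

Run it with no CHENC set to see the command sequence it would issue; the cancel line only appears on the failure path. After a successful commit, chencryption -usb validate (with the USB drives still attached) confirms the key files on the drives match the system keys, as described under -usb validate.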

You can use both USB flash drive and key server encryption in parallel on the same system. However, you must configure and administer these encryption methods independently.

An invocation example

chencryption -usb enable

The resulting output:

No feedback