Enabling encryption with USB flash drives
The system supports enabling encryption that uses USB flash drives to store encryption keys. USB flash drive-based encryption requires physical access to the systems and is effective in environments with a minimal number of systems. For organizations that require strict security policies regarding USB flash drives, the system supports disabling these ports to prevent unauthorized transfer of system data to portable media devices.
If you have such security requirements, use key servers to manage encryption keys. In addition, if you are using USB flash drives to manage encryption keys but want to disable access to these ports for security reasons, you can migrate to encryption that uses key servers. For more information, see Enabling encryption with key servers.
- In addition to the copies that are generated on the USB flash drives when encryption is enabled on the system, make at least one more copy on another USB flash drive and store it in a secure location.
- In addition, copy the encryption key to other forms of storage to provide resiliency and to mitigate risk, if, for example, the USB flash drives are from a faulty batch of drives.
- Ensure that each copy of the encryption key is valid before writing any user data to the system. The system validates any key material on a USB flash drive when it is inserted into the canister. If the key material is not valid, the system logs an error. If the USB flash drive is not usable or failed, the system does not display the drive as an active USB flash drive.
- Securely store all copies of the encryption key. As an example, any USB flash drives that are not left inserted into the system might be locked in a safe. Comparable precautions should be taken to securely protect any other copies of the encryption key stored on other forms of storage.
Using the management GUI
To enable USB flash drive encryption that uses the management GUI, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- On the Welcome window, select USB Flash Drives, then
click Next.Note: You can also select both Key Servers and USB Flash Drives to configure both methods to manage encryption keys. If either method becomes unavailable, you can use the other method to access encrypted data on your system.
- In the wizard, you are prompted to insert the required number of USB flash drives into the system. If the system has three or more USB ports, at least three USB flash drives must be entered. If the system has less than three USB ports, a USB flash drive must be entered into every port on the system.
- When the system detects the USB flash drives, the encryption key is automatically copied to the USB flash drives. Ensure that you create any required extra copies for backups.
- If the system has less than three USB ports, the USB flash drives containing the new key must be removed from the system and new drives added until the number of key copies is three or more. When a new USB flash drive is added while the rekey is in progress, the key is copied onto it automatically.
- After all copies are completed, click Confirm to complete the enablement
process.Note: You can leave the USB flash drives inserted into the system. However, the area where the system is located must be secure to prevent the USB flash drives from being lost or stolen. If the area where the system is located is not secure, remove all the USB flash drives from the system and store them in a secure location.
Using the command-line interface
- To enable the encryption that uses USB flash drives, enter the following
command:
chencryption -usb enableEncryption that uses USB flash drives has been enabled successfully when the status field shows enabled upon executing lsencryption command.
- Insert the required number of USB flash drives into the system. If the system has three or more USB ports, at least three USB flash drives must be entered. If the system has less than three USB ports, a USB flash drive must be entered into every port on the system.
- Enter the following command to prepare a new USB master
key:
chencryption -usb newkey -key prepareThe new key has been created successfully when the
usb_rekey_filenamefield shows the name of the new key upon executing lsencryption command.If the system has less than three USB ports, the USB flash drives containing the new key must be removed from the system and new drives added until the number of key copies is three or more. When a new USB flash drive is added while the rekey is in progress, the key is copied onto it automatically.
- After all copies are completed, run the following command to complete the enablement
process:
chencryption -usb newkey -key commitThe master key has been rekeyed successfully when the
usb_key_filenamefield shows the name of the new key and theusb_rekey_filenameis blank, upon executing lsencryption command. For more information, see lsencryption command. - If an error occurs during the creation of the initial master key creation process, it can be
cancelled by running the following
command:
chencryption -usb newkey -key cancelIf the key creation is cancelled, the process must be re-attempted before encryption with USB flash drives is fully enabled on the system. For more information, see chencryption.