Decommissioning encryption

If encryption is no longer needed, you can disable the function on the system. This might be required when all encryption master keys for the system have been lost, when returning a loan system, or when repurposing a storage system for a different use. After decommissioning encryption on the system, all encrypted data and encryption configuration is removed.

During the disablement process, if the system is using key servers to manage keys, the master encryption keys remain on the key server but are not used again. The administrator of the key server is responsible for removing unused or expired keys from the key server. If the system is using USB flash drives to manage keys, the encryption key files remain on the USB flash drives but are not used again. The security administrator of the system is responsible for removing unused or expired encryption key files from the USB flash drives. If the system is using an encryption recovery key, any stored recovery keys are no longer used and can be discarded.
Note: All encrypted arrays, pools, and cloud accounts must be removed before disabling encryption.
You can use the management GUI or the command-line interface to fully disable encryption on the system.
Note: For security, encryption methods (including the recovery key) can only be disabled when physically connected to the technician port on the configuration node.

Before you begin

Follow these steps to connect to the technician port on the configuration node:
  1. Identify the configuration node of the system. See Configuration node for more details.
  2. Connect your computer to the technician port of the configuration node. For more information, see the Node canisters page in the relevant Hardware Guide.

Using the management GUI

To fully disable encryption in the management GUI, complete the following steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. On the Encryption page, change the State to Disabled.

Using the command-line interface

To fully disable encryption using the command-line interface, complete the following steps:
  1. In a terminal window, use Secure Shell (SSH) software to connect to the configuration node and authenticate using the credentials of any user with the SecurityAdmin role:
    ssh username@192.168.0.1
    For more information, see Connecting to the CLI with OpenSSH.
  2. To disable encryption on a system that uses an encryption recovery key, enter the following command:
    chencryption -recoverykey disable

    The recovery key has been disabled successfully. For more information, see chencryption command.

  3. To verify whether recovery key has been disabled successfully, run lsencryption command and check that the recovery_key_name field is blank and the recovery_key_status is licensed. For more information, see lsencryption command.
  4. To disable encryption on a system that uses key servers to manage encryption keys, enter the following command:
    chencryption -keyserver disable

    The encryption key that uses the key server has been disabled successfully. For more information, see chencryption command.

  5. To verify whether encryption key that uses the key server has been disabled successfully, run lsencryption command and check that the keyserver_pmk_uid field is blank and the keyserver_status is licensed. For more information, see lsencryption command.
  6. To disable encryption on a system that uses USB flash drives to manage encryption keys, enter the following command:
    chencryption -usb disable

    The encryption key that uses the USB flash drives has been disabled successfully. For more information, see chencryption command.

  7. To verify whether encryption key that uses the USB flash drives has been disabled successfully, run lsencryption command and check that the usb_key_filename field is blank and the status is licensed. For more information, see lsencryption command.
  8. To disable encryption on a system that uses internal key management to manage encryption keys, enter the following command:
    chencryption -internal disable

    The encryption key that uses the internal key management has been disabled successfully. For more information, see chencryption command.

  9. To verify whether encryption key that uses the internal key management has been disabled successfully, run lsencryption command and check that the internal_key_status is licensed. For more information, see lsencryption command.