Decommissioning encryption
If encryption is no longer needed, you can disable the function on the system. This might be required when all encryption master keys for the system have been lost, when returning a loan system, or when repurposing a storage system for a different use. After decommissioning encryption on the system, all encrypted data and encryption configuration is removed.
Before you begin
- Identify the configuration node of the system. See Configuration node for more details.
- Connect your computer to the technician port of the configuration node. For more information, see the Node canisters page in the relevant Hardware Guide.
Using the management GUI
- In the management GUI, select .
- On the Encryption page, change the State to Disabled.
Using the command-line interface
- In a terminal window, use Secure Shell (SSH) software to connect to the configuration node and
authenticate using the credentials of any user with the SecurityAdmin
role:
For more information, see Connecting to the CLI with OpenSSH.ssh username@192.168.0.1 - To disable encryption on a system that uses an encryption recovery key, enter the following
command:
chencryption -recoverykey disableThe recovery key has been disabled successfully. For more information, see chencryption command.
- To verify whether recovery key has been disabled successfully, run
lsencryption command and check that the
recovery_key_namefield is blank and therecovery_key_statusis licensed. For more information, see lsencryption command. - To disable encryption on a system that uses key servers to manage encryption keys, enter the
following command:
chencryption -keyserver disableThe encryption key that uses the key server has been disabled successfully. For more information, see chencryption command.
- To verify whether encryption key that uses the key server has been disabled successfully, run
lsencryption command and check that the
keyserver_pmk_uidfield is blank and thekeyserver_statusis licensed. For more information, see lsencryption command. - To disable encryption on a system that uses USB flash drives to manage encryption keys, enter
the following command:
chencryption -usb disableThe encryption key that uses the USB flash drives has been disabled successfully. For more information, see chencryption command.
- To verify whether encryption key that uses the USB flash drives has been disabled successfully,
run lsencryption command and check that the
usb_key_filenamefield is blank and thestatusis licensed. For more information, see lsencryption command. - To disable encryption on a system that uses internal key management
to manage encryption keys, enter the following
command:
chencryption -internal disableThe encryption key that uses the internal key management has been disabled successfully. For more information, see chencryption command.
- To verify whether encryption key that uses the internal key
management has been disabled successfully, run lsencryption command and check
that the
internal_key_statusis licensed. For more information, see lsencryption command.