Migrating between key management methods

Once encryption has been configured on the system, migrating between key management methods is nondisruptive and does not require any stored data-at-rest to be reencrypted. You can migrate between USB flash drive and key server-based encryption by using the management GUI or the command-line interface.

The migration between different key server types cannot be performed directly from one type of key server to another. USB flash drives encryption must be used to facilitate this process. If you want to migrate from one type of key server to another, you first must migrate from your current key servers to USB encryption, and then, migrate from USB to the other type of key servers.

To migrate from key servers to USB flash drives, use the command-line interface only. During migration, the system supports simultaneous configuration of both key management methods. After the migration completes, you can disable the old key management method.

Using the management GUI

During migration, the system does not disable the currently configured key management method until the new method is configured completely. Therefore, encrypted data can still be accessed with the current key until the migration is completed. For example, if you were migrating from USB flash drives to key servers, the old keys on the USB flash drive are still available until the key server encryption is configured. However, at least one of the USB flash drives with the current encryption key must be inserted into the system before you can migrate to the key server. After the key servers are configured, the old keys on the USB flash drive can no longer decrypt data on the system. Dispose of any old USB flash drives according to your recommended procedures for disposal of sensitive information. For organizations that require strict security policies regarding USB flash drives, the system supports disabling these ports to prevent unauthorized transfer of system data to portable media devices. After keys are migrated to the key servers, you can use the command-line interface to disable USB ports.
Note: The management GUI supports migration from USB flash drives to a key server encryption method only. To migrate from key servers to USB flash drives, you must use the command-line interface.
Before migrating to key server-based encryption, ensure that at least one USB flash drive with the current encryption key is inserted into the system. To migrate encryption from a USB flash drive to key servers, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. On the Encryption page, verify the following information:
    1. Expand USB Flash Drives and verify that USB flash drives are configured and detected in the system.
    2. Expand Key Servers and verify that key servers are not configured on the system.
  3. Under Key Servers, click Configure.
    Note: To enable key servers to manage encryption keys on versions 8.1.0.0 or later, a USB rekey operation must be performed.
  4. Select the type of key server that you are using to manage encryption keys. The system supports IBM® Security Guardium® Key Lifecycle Manager and Generic KMIP server key servers to handle key management on the system. If you currently use Gemalto SafeNet Key Secure key servers, you can migrate to Thales CipherTrust Manager.
    Note: If you want to migrate to a Generic KMIP key server, select Generic KMIP server. For more information on the supported Generic KMIP key servers, see IBM Storage Virtualize Supported Key Servers.
  5. Enter the name, IP address or fully qualified domain name, and port for each key server. If you are configuring multiple key servers, the first key server that you specify is the primary key server. If you specify a fully qualified domain name, a DNS server must be configured on your system. To configure a DNS server for the system, select Settings > Network > DNS. You can also use the mkdnsserver command to configure DNS servers.
  6. If you selected IBM SGKLM (with KMIP), the Key Server Options page displays. Select SPECTRUM_VIRT for the device group for the key servers. This device group must also be configured on each of the key servers for the system.
  7. If you selected Generic KMIP server, the Key Server Credentials page displays. If you enabled authentication to the key server that uses a username and password, enter that username and password. These credentials are used to authenticate the system each time it connects to the key server. The username and password must match the credentials that are configured on the key server.
  8. On the Key Server Certificate page, you must upload all the necessary key server certificates to the system.
    Note: It is recommended to use a certificate signed by a certificate authority (CA) for all Generic KMIP key servers.
  9. If using IBM Security Guardium Key Lifecycle Manager, export the system certificate and install that on the key servers.

  10. If you are using Generic KMIP servers, then the IBM Storage Virtualize certificate must be signed by a CA.
    • If IBM Storage Virtualize certificate is signed by the system's root CA, complete these steps:
      1. Select Settings > Security > Certificates.
      2. Click Export Root Certificate.
      3. Install the root certificate as an external CA on the key servers and add it to the list of external CAs that can be used for Key Management Interoperability Protocol (KMIP).
    • If IBM Storage Virtualize certificate is signed by a trusted third-party CA, install the third-party CA's root certificate as an external CA on the key servers and add it to the list of external CAs that can be used for KMIP.
  11. Return to the System Encryption Certificate page and select The system’s public key certificate has been transferred to each configured key server.
  12. On the Disable USB Encryption page, select Yes and click Next.
  13. On the Summary page, verify the configuration for the key servers and click Finish. After the configuration completes, keys that were stored on the USB flash drives are not valid. Ensure that you dispose of all USB flash drives securely.

Using the CLI

Before you can migrate to key server-based encryption, ensure that at least one USB flash drive with the current encryption key is inserted into the system. To migrate from a USB flash drive to key servers to manage encryption keys, complete the following steps:
Migrating from USB flash drives to IBM Security Guardium Key Lifecycle Manager key servers
  1. Enter the following command to verify that encryption is enabled on the system with USB flash drives:
    lsencryption
  2. Enter the following CLI command to enable encryption with key servers on your system:
    chencryption -keyserver enable
  3. Enable your key server type and supply the root certificate authority (CA) certificate if one is necessary:
    chkeyserverisklm -enable -sslcert /tmp/rootCA.crt
  4. Create the primary key server and specify the key server certificate:
    mkkeyserver -ip ip_address_or_domain_name -port port -primary
  5. If you plan to use multiple key servers, enter the following command multiple times to specify up to three more secondary key servers that use the same key server certificate:
    mkkeyserver -ip ip_address_or_domain_name -port port -primary
  6. Create the system encryption key and write the key to the specified key server:
    chencryption -keyserver newkey -key prepare 
    This command makes the prepared key the current key and stores the key values on all configured key servers.
  7. To verify that the system is prepared, enter the following command:
    lsencryption
    Verify that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  8. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
  9. After the new key for the key server is committed, disable encryption for the USB flash drive by entering the following command:
    chencryption -usb disable 
Migrating from USB flash drives to Generic KMIP key servers
  1. Enter the following command to verify that encryption is enabled on the system with USB flash drives:
    lsencryption
  2. Enter the following CLI command to enable encryption on your system:
    chencryption -keyserver enable
  3. Enable the key server type and supply the root certificate authority (CA) certificate if one is required:
    chkeyserverciphertrustmanager -enable -sslcert /tmp/CASigned.crt
    
    Note: The chkeyserverciphertrustmanager is used for Generic KMIP key servers.
  4. Configure the username and password that is used to the system to the key servers if one is required:
    chkeyserverciphertrustmanager -username admin -password 'examplepassword'
  5. Create the primary key server and specify the key server certificate, if one is required:
    mkkeyserver -ip ip_address_or_domain_name -port port -sslcert /tmp/ServerCert.crt -primary
  6. Create up to three secondary key servers and specify the key server certificate if one is required.
    mkkeyserver -ip ip_address_or_domain_name -port port -sslcert /tmp/ServerCert.crt
  7. To verify that the system is prepared, enter the following command:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  8. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
    This command makes the new key the current key and copies it to the primary key server.
  9. After the new key for the key server is committed, disable encryption for the USB flash drive by entering the following command:
    chencryption -usb disable 
If encryption is already enabled on the system with key servers, ensure that the primary key server is connected to the system and can provide the current encryption key. To migrate from a key server to USB flash drives to manage encryption, complete the following steps:
  1. Enter the following command to verify that encryption is enabled on the system with key servers:
    lsencryption
  2. Enter the following CLI command to enable encryption on your system:
    chencryption -usb enable
  3. Ensure that sufficient flash drives are installed:
    lsportusb
    Check that the value for the status parameter is active. This status indicates that the flash drive is inserted in the canister and can be used by the system.
  4. Create system encryption keys and write those keys to all system-attached flash drives:
    chencryption -usb newkey -key prepare
  5. Commit the prepared key as the current key. Use this command when the lsencryption value for usb_rekey is set to prepared and the number of encryption keys is greater than the minimum number required.
    chencryption -usb newkey -key commit 

    Without the key that is written to the flash device, access to the encrypted arrays is not possible, and the data is lost. It is vitally important to have sufficient copies of keys for availability and extra backups during disaster. You can copy key material by making backups of the created files.

  6. After the new key is committed, disable encryption for the key server by entering the following command:
    chencryption -keyserver disable