Once encryption has been configured on the system, migrating between key
management methods is nondisruptive and does not require any stored data-at-rest to be reencrypted.
You can migrate between USB flash drive and key server-based encryption by using the management GUI
or the command-line interface.
The migration between
different key server types cannot be performed directly from one type of key server to another. USB
flash drives encryption must be used to facilitate this process. If you want to migrate from one
type of key server to another, you first must migrate from your current key servers to USB
encryption, and then, migrate from USB to the other type of key servers.
To migrate from key servers to USB flash drives, use the command-line interface only.
During migration, the system supports simultaneous configuration of both key management methods.
After the migration completes, you can disable the old key management method.
Using the management GUI
During migration, the system does not disable the currently
configured key management method until the new method is configured completely. Therefore, encrypted
data can still be accessed with the current key until the migration is completed. For example, if
you were migrating from USB flash drives to key servers, the old keys on the USB flash drive are
still available until the key server encryption is configured. However, at least one of the USB
flash drives with the current encryption key must be inserted into the system before you can migrate
to the key server. After the key servers are configured, the old keys on the USB flash drive can no
longer decrypt data on the system. Dispose of any old USB flash drives according to your recommended
procedures for disposal of sensitive information. For organizations that require strict security
policies regarding USB flash drives, the system supports disabling these ports to prevent
unauthorized transfer of system data to portable media devices. After keys are migrated to the key
servers, you can use the command-line interface to disable USB ports.
Note: The management GUI
supports migration from USB flash drives to a key server encryption method only. To migrate from key
servers to USB flash drives, you must use the command-line interface.
Before migrating to key server-based encryption, ensure that at least
one USB flash drive with the current encryption key is inserted into the system. To migrate
encryption from a USB flash drive to key servers, complete these steps:
- In the management GUI, select .
- On the Encryption page, verify the following information:
- Expand USB Flash Drives and verify that USB flash drives are configured
and detected in the system.
- Expand Key Servers and verify that key servers are not configured on the
system.
- Under Key Servers, click
Configure.
Note: To enable key
servers to manage encryption keys on versions 8.1.0.0 or later, a USB rekey operation must be
performed.
- Select the type of key server that you
are using to manage encryption keys. The system supports IBM® Security Guardium® Key Lifecycle Manager and Generic KMIP server key servers to handle key management on the
system.
If you currently use Gemalto SafeNet Key Secure key servers, you can migrate
to Thales CipherTrust Manager.
- Enter
the name, IP address or fully qualified domain name, and port for each
key server. If you are configuring multiple key servers, the first key server that you specify is
the primary key server. If you specify a fully qualified
domain name, a DNS server must be configured on your system. To configure a DNS server for the
system, select
.
You can also use the mkdnsserver command to configure DNS
servers.
- If you selected IBM SGKLM
(with KMIP), the Key Server Options page displays. Select
SPECTRUM_VIRT for the device group for the key servers. This device group
must also be configured on each of the key servers for the system.
-
If you selected
Generic
KMIP server, the Key Server Credentials page displays. If you
enabled authentication to the key server that uses a username and password, enter that username and
password. These credentials are used to authenticate the system each time it connects to the key
server. The username and password must match the credentials that are configured on the key
server.
- On the Key Server Certificate page, you must upload all the necessary key
server certificates to the system.
Note: It
is recommended to use a certificate signed by a certificate authority (CA) for all Generic KMIP key
servers.
-
If using IBM Security Guardium Key Lifecycle Manager, export the system
certificate and install that on the key servers.
- If you are using Generic KMIP servers, then the IBM Storage Virtualize certificate must be
signed by a CA.
- If IBM Storage Virtualize
certificate is signed by the system's root CA, complete these steps:
- Select .
- Click Export Root Certificate.
- Install the root certificate as an external CA on the key servers and add it to the list of
external CAs that can be used for Key Management Interoperability Protocol (KMIP).
- If IBM Storage Virtualize
certificate is signed by a trusted third-party CA, install the third-party CA's root certificate as
an external CA on the key servers and add it to the list of external CAs that can be used for
KMIP.
- Return to the System Encryption Certificate page and select
The system’s public key certificate has been transferred to each configured key
server.
- On the Disable USB Encryption page, select Yes and
click Next.
- On the Summary page, verify the configuration for the key servers and click
Finish. After the configuration completes, keys that were stored on the USB
flash drives are not valid. Ensure that you dispose of all USB flash drives securely.
Using the CLI
Before you can migrate to key server-based encryption,
ensure that at least one USB flash drive with the current encryption key is inserted into the
system. To migrate from a USB flash drive to key servers to manage encryption keys, complete the
following steps:
- Migrating from USB flash drives to IBM Security Guardium Key Lifecycle Manager key servers
-
- Enter the following command to verify that encryption is enabled on the system with USB flash
drives:
lsencryption
- Enter the following CLI command to enable encryption with key servers on your
system:
chencryption -keyserver enable
- Enable your key server type and supply the root certificate authority (CA) certificate if one is
necessary:
chkeyserverisklm -enable -sslcert /tmp/rootCA.crt
- Create the primary key server and specify the key server
certificate:
mkkeyserver -ip ip_address_or_domain_name -port port -primary
- If you plan to use multiple key servers, enter the
following command multiple times to specify up to three more secondary key servers that use the same
key server
certificate:
mkkeyserver -ip ip_address_or_domain_name -port port -primary
- Create the system encryption key and write the key to the specified key
server:
chencryption -keyserver newkey -key prepare
This
command makes the prepared key the current key and stores the key values on all configured key
servers.
- To verify that the system is prepared, enter the following
command:
lsencryption
Verify that
the keyserver_rekey parameter has the
value prepared. The prepared value
indicates that the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
- After the new key for the key server is committed, disable encryption for the USB flash drive by
entering the following
command:
chencryption -usb disable
- Migrating from USB flash drives to
Generic KMIP key servers
-
- Enter the following command to verify that encryption is enabled on the system with USB flash
drives:
lsencryption
- Enter the following CLI command to enable encryption on your
system:
chencryption -keyserver enable
- Enable the key server type and supply the root certificate authority (CA) certificate if one is
required:
chkeyserverciphertrustmanager -enable -sslcert /tmp/CASigned.crt
Note: The chkeyserverciphertrustmanager is used
for
Generic KMIP key servers.
- Configure the username and password that is used to the system to the key servers if one is
required:
chkeyserverciphertrustmanager -username admin -password 'examplepassword'
- Create
the primary key server and specify the key server certificate, if one is required:
mkkeyserver -ip ip_address_or_domain_name -port port -sslcert /tmp/ServerCert.crt -primary
- Create
up to three secondary key servers and specify the key server certificate if one is
required.
mkkeyserver -ip ip_address_or_domain_name -port port -sslcert /tmp/ServerCert.crt
- To verify that the system is prepared, enter the following
command:
lsencryption
Check that
the keyserver_rekey parameter has the
value prepared. The prepared value
indicates that the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
This command makes the new key the current key and copies it to the primary key server.
- After the new key for the key server is committed, disable encryption for the USB flash drive by
entering the following
command:
chencryption -usb disable
If encryption is already enabled on the
system with key servers, ensure that the primary key server is connected to the system and can
provide the current encryption key. To migrate from a key server to USB flash drives to manage
encryption, complete the following steps:
- Enter the following command to verify that encryption is enabled on the system with key
servers:
lsencryption
- Enter the following CLI command to enable encryption on your
system:
chencryption -usb enable
- Ensure that sufficient flash drives are
installed:
lsportusb
Check that the value for the status
parameter is active. This status indicates that the flash drive is
inserted in the canister and can be used by the system.
- Create system encryption keys and write
those keys to all system-attached flash
drives:
chencryption -usb newkey -key prepare
- Commit the prepared key as the current
key. Use this command when the lsencryption value for
usb_rekey is set to prepared and the number of
encryption keys is greater than the minimum number
required.
chencryption -usb newkey -key commit
Without the key that is
written to the flash device, access to the encrypted arrays is not possible, and the data is lost.
It is vitally important to have sufficient copies of keys for availability and extra backups during
disaster. You can copy key material by making backups of the created files.
- After the new key is committed, disable encryption for the key server by entering the following
command:
chencryption -keyserver disable