Managing file system encryption passphrases

You can manage the passphrases that are stored in the encrypted flash storage on the appliance.

About this task

When you encrypt a queue manager or system file system you specify a passphrase. The appliance stores the passphrase in its encrypted flash storage, and uses the passphrase when the file system needs to be mounted by the firmware.

You can view information about the passphrases stored on the appliance (although you cannot view the passphrases themselves). You can update or clear existing passphrases and manually store a passphrase.

When viewing passphrases, the following information is displayed:
Passphrase type
Whether the passphrase is for a queue manager or system file system, and the name of the queue manager or type of system file system.
Passphrase status
The status of the passphrase, is one of the following values:
Normal
The stored passphrase is either correct or it has not yet been used.
File system not found
The file system for the stored passphrase does not exist, so the stored passphrase is not required. This status might occur if the SSD disks are replaced after a hardware failure.
File system not encrypted
The file system for the stored passphrase is not encrypted, so the stored passphrase is not required. This status might occur if the SSD disks are swapped with those from another appliance after a hardware failure.
Passphrase not valid
The stored passphrase was not correct when it was last used to access the file system.
Passphrase last updated
The date and time that the passphrase was last stored on the appliance. (This might not be when the passphrase was last updated for the file system.)

Clearing a stored passphrase does not remove the requirement for an encrypted file system to have a passphrase, it just clears the stored copy of the passphrase on the internal flash device that the appliance uses to access the file system when it needs to mount it. If a stored passphrase is cleared then the firmware is not able to mount the file system next time it needs to do this. The file system remains unavailable until the passphrase is stored on the internal flash device so it is available to the firmware again.

You must manually store a passphrase on the recovery appliance of a disaster recovery (DR) configuration so that the appliance can mount the file system for the queue manager if you need to fail it over. You might also need to store the passphrase for an encrypted file system if the SSDs are transferred to a replacement appliance after a hardware failure.

For high availability (HA) configurations, the passphrase is automatically stored on the HA secondary appliance when you create an HA queue manager. If you subsequently update the passphrase on the main appliance, the new passphrase is automatically stored on the HA secondary appliance if it is available. If it is not available, you must manually store the new passphrase on the HA secondary appliance. You must also store the new passphrase on the recovery appliance if the queue manager is configured for disaster recovery.

Procedure

  • To view information about all current passphrases that are stored on the appliance:
    dspfspass
  • To view information about the passphrase stored for a particular queue manager:
    dspfspass -m QueueManager
  • To view information about the passphrase stored for a particular system file system:
    dspfspass -f File_system

    Where File_system is one of root, backup, diag, errors, or trace.

  • To update a file system passphrase:
    setfspass -u -p passphrase -n NewPassphrase
    Where passphrase is the passphrase that you want to change and NewPassphrase is the value that you want to change it to. Passphrases are between 1 and 512 characters in length and you should keep a copy of them somewhere safe. If you do not specify the old and new passphrases on the command line, you are prompted for them when you run the command. This command changes both the passphrase for the file system, and the passphrase that is stored on the appliance flash drive.
  • To clear a passphrase for a particular queue manager from the appliance flash storage:
    setfspass -m QueueManager -c 
    You are prompted to confirm that clearing the passphrase is your intended action.
  • To clear a passphrase for a system file system from the appliance flash storage:
    setfspass -f File_system -c 

    Where File_system is one of root, backup, diag, errors, or trace.

    You are prompted to confirm that clearing the passphrase is your intended action.

  • To manually store a passphrase for a queue manager:
    setfspass -m QueueManager -s -p passphrase
    If you do not specify the passphrase on the command line, you are prompted for it when you run the command.
  • To manually store a passphrase for a system file system:
    setfspass -f File_system -s -p passphrase

    Where File_system is one of root, backup, diag, errors, or trace.

    If you do not specify the passphrase on the command line, you are prompted for it when you run the command.