Managing file system encryption passphrases
You can manage the passphrases that are stored in the encrypted flash storage on the appliance.
About this task
When you encrypt a queue manager or system file system you specify a passphrase. The appliance stores the passphrase in its encrypted flash storage, and uses the passphrase when the file system needs to be mounted by the firmware.
You can view information about the passphrases stored on the appliance (although you cannot view the passphrases themselves). You can update or clear existing passphrases and manually store a passphrase.
- Passphrase type
  - Whether the passphrase is for a queue manager or system file system, and the name of the queue manager or the type of system file system.
- Passphrase status
  - The status of the passphrase is one of the following values:
    - Normal: The stored passphrase is either correct or it has not yet been used.
    - File system not found: The file system for the stored passphrase does not exist, so the stored passphrase is not required. This status might occur if the SSD disks are replaced after a hardware failure.
    - File system not encrypted: The file system for the stored passphrase is not encrypted, so the stored passphrase is not required. This status might occur if the SSD disks are swapped with those from another appliance after a hardware failure.
    - Passphrase not valid: The stored passphrase was not correct when it was last used to access the file system.
- Passphrase last updated
  - The date and time that the passphrase was last stored on the appliance. (This might not be when the passphrase was last updated for the file system.)
Clearing a stored passphrase does not remove the requirement for an encrypted file system to have a passphrase; it only clears the stored copy of the passphrase on the internal flash device that the appliance uses to access the file system when it needs to mount it. If a stored passphrase is cleared, the firmware is not able to mount the file system the next time it needs to do so. The file system remains unavailable until the passphrase is stored on the internal flash device again so that it is available to the firmware.
You must manually store a passphrase on the recovery appliance of a disaster recovery (DR) configuration so that the appliance can mount the file system for the queue manager if you need to fail it over. You might also need to store the passphrase for an encrypted file system if the SSDs are transferred to a replacement appliance after a hardware failure.
For high availability (HA) configurations, the passphrase is automatically stored on the HA secondary appliance when you create an HA queue manager. If you subsequently update the passphrase on the main appliance, the new passphrase is automatically stored on the HA secondary appliance if it is available. If it is not available, you must manually store the new passphrase on the HA secondary appliance. You must also store the new passphrase on the recovery appliance if the queue manager is configured for disaster recovery.