The nzkey command
Use the nzkey command to manage and apply the authentication keys to auto-lock the SEDs for the host drives or the storage array drives that are managed by the SPUs.
Syntax
The nzkey command has the following syntax.
nzkey [-h | -rev] [-hc] <subcmd> [<subcmd options>]
nzkey change -spukey -file <file> -backupDir <path>
nzkey check -spukey [-progress]
nzkey create -spukey -file <file> -backupDir <path>
nzkey extract -label <label> -file <file>
nzkey generate -spukey -file <file>
nzkey list -spukey
nzkey dump
nzkey resume [-backupDir <path>]
Inputs
The nzkey command takes the following inputs:
| Input | Description |
|---|---|
| change | Changes the host or SPU AEK. The system must be in the Paused or Offline state to change a SPU key, or in the Stopped state to change a host key. |
| check | Checks the status of the keys on the SPUs. The command displays messages about whether the system is AEK-enabled or not, whether the AEKs for the SPUs are set, and the progress of the key enablement if keys are being set or changed. |
| create | Applies the host and/or SPU AEK and auto-locks the SEDs. You should not use this command option to auto-lock the drives. If you want to auto-lock your drives, contact IBM Support for assistance. There is a process for auto-locking the SEDs and ensuring that the keys and drives are locked correctly. |
| extract | Extracts the host or SPU keys defined in the keystore. You can use this option to extract a specific host key or SPU key to a file specified in the -file option. This operation can be performed at any time as long as a key change operation is not in progress. |
| generate | Generates a host or SPU key. The generate -spukey option generates an AES256 key to the file specified in -file and can be performed as long as a key change operation is not in progress. The result can be used as a SPU key. |
| list | Lists the host or SPU key labels to standard output. The key values are not printed. This operation can be performed as long as a key change operation is not in progress. |
| dump | When the system is configured to use an IBM Security Key Lifecycle Manager (ISKLM) server to manage the AEKs, saves the ISKLM keys into a local GSKit keystore. Use this option if you are planning to return to a local GSKit keystore to manage the AEKs for your N3001 system. This option displays an error when the system is configured to use a local GSKit keystore. |
| resume | Resumes an interrupted host key operation. If the process to apply the host keys is paused or interrupted for any reason, you can use the resume option to restart the process to apply the AEK. If you run the command and the system detects that there is no work to resume, the command displays the message Nothing to resume. |
Options
The nzkey command takes the following options:
| Option | Description |
|---|---|
| -spukey | Performs the requested operation for the SPU AEKs. |
| -file <file> | Specifies the file that you want to write a host or SPU key to (in the case of generate or extract) or from which you want to read a key value (for create or change operations). |
| -label <label> | Specifies the label of the key to extract such as spuaek, spuaekOld, hostkey1, hostkey1Old, hostkey2 or hostkey2Old. |
| -backupDir <path> | Specifies a pathname to save the current keystore as a backup. |
| -progress | When used with nzkey check -spukey, if a key change is in progress, the command displays and updates the progress percentage until the key change completes. |
Description
You use the nzkey command to create and manage the authentication keys (AEKs) for the SED drives in the host and in the storage arrays of the IBM® PureData® System for Analytics N3001 systems. When it runs, the command logs information to /nz/kit/log/keydb/keydb.log.
The nzkey command is installed in /nz/kit/bin/adm. You must be logged in to the system as the root user to run the command. You must either change to the adm directory and run the command from that location or have that directory in your root user's path to run the command.
Usage
- To generate a SPU key:
[root@nps-1-npshost nzscratch]# /nz/kit/bin/adm/nzkey generate -spukey -file /nzscratch/spukey.txt
SPU key written to file
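
An added example (not part of the IBM documentation): a POSIX shell wrapper that generates a SPU key under a restrictive umask, verifies the key file's mode, and then runs the change, check and list subcommands documented above. The function names and the NZKEY override variable are assumptions for illustration, and the script does not verify that the system is in the Paused or Offline state that a SPU key change requires.

```shell
#!/bin/sh
# Added example, not IBM's code. NZKEY may be overridden to point at a stub
# for dry runs (the override variable is an assumption of this example).
NZKEY="${NZKEY:-/nz/kit/bin/adm/nzkey}"

# Succeeds only if $1 is a regular file (not a symlink) with mode 0600.
key_file_is_private() {
    [ -n "$(find "$1" -prune -type f -perm 600 2>/dev/null)" ]
}

# Generate a SPU key into $1 so it is never group- or world-readable.
generate_spukey_private() {
    keyfile="$1"
    if [ -e "$keyfile" ] || [ -L "$keyfile" ]; then
        echo "refusing to overwrite existing path: $keyfile" >&2
        return 2
    fi
    # Subshell keeps the caller's umask unchanged.
    ( umask 077 && "$NZKEY" generate -spukey -file "$keyfile" ) || return 1
    if ! key_file_is_private "$keyfile"; then
        echo "key file is not mode 0600: $keyfile" >&2
        return 3
    fi
}

# Rotate the SPU AEK: generate, change with keystore backup, watch progress.
# The system must already be Paused or Offline; this script does not check.
rotate_spukey() {
    keyfile="$1"
    backupdir="$2"
    if [ ! -d "$backupdir" ]; then
        echo "backup directory does not exist: $backupdir" >&2
        return 4
    fi
    generate_spukey_private "$keyfile" || return $?
    "$NZKEY" change -spukey -file "$keyfile" -backupDir "$backupdir" || return 5
    "$NZKEY" check -spukey -progress || return 6
    "$NZKEY" list -spukey   # prints key labels only, never key values
}
```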