Rekeying a system with USB flash drives
Rekeying is the process of creating a new key for the system. To create a new key, encryption must be enabled on the system; however, the rekey operation works whether there are encrypted objects or not. Only a single encryption method can be rekeyed at once.
If you have multiple methods of encryption configured on your system, ensure that the current rekey operation is completed before starting another rekey operation. If you are generating new keys for cloud storage, the cloud account must be online during the rekeying operation. Rekeying is a non-disruptive process and can be completed without any impact to availability of encrypted or non-encrypted storage.
Before creating a new key, ensure that at least one USB port contains a USB flash drive that contains the current key. During the rekey process, a new key is generated and copied to the USB flash drives. The new key is then used instead of the current key. The rekey operation fails unless at least one USB flash drive contains the current key. To complete a rekey of the system, you need at least three USB flash drives to store the copied key material.
Once a rekey of the system is complete, the old key material is no longer of use and cannot be used to unlock the encrypted storage. Any USB flash drive that held a copy of the old key but was not plugged in during the rekey operation does not receive a copy of the new master key; the new key must be copied to that drive manually.
Using the management GUI
- In the management GUI, select .
- Expand USB Flash Drives to display all the detected USB flash drives on the system and select Rekey.
- In the wizard, you are prompted to insert the required number of USB flash drives into the system. If the system has three or more USB ports, at least three USB flash drives must be inserted. If the system has fewer than three USB ports, a USB flash drive must be inserted into every port on the system.
- When the system detects the USB flash drives, the encryption key is automatically copied to the USB flash drives. Ensure that you create any required extra copies for backups.
- If the system has fewer than three USB ports, remove the USB flash drives that contain the new key from the system and add new drives until the number of key copies is three or more. When a new USB flash drive is added while the rekey is in progress, the key is copied onto it automatically.
- After all copies are completed, click Confirm to complete the rekey process.
- If errors occur during the rekey process, status messages describe the problem with copying or creating the new key. For example, if the minimum number of USB flash drives is inserted but none of them contains the existing encryption key, the rekey operation fails. To determine and fix other possible errors, select .
Using the command-line interface
- Insert the required number of USB flash drives into the system. If the system has three or more USB ports, at least three USB flash drives must be inserted. If the system has fewer than three USB ports, a USB flash drive must be inserted into every port on the system.
- To start the rekey process, run the following command to prepare a new master key:
chencryption -usb newkey -key prepare
The new key has been created successfully when the usb_rekey_filename field shows enabled in the output of the lsencryption command.
- If the system has fewer than three USB ports, remove the USB flash drives that contain the new key from the system and add new drives until the number of key copies is three or more. When a new USB flash drive is added while the rekey is in progress, the key is copied onto it automatically.
- After all copies are completed, run the following command to complete the rekey process:
chencryption -usb newkey -key commit
The master key has been rekeyed successfully when the usb_key_filename field shows the name of the new key and the usb_rekey_filename field is blank in the output of the lsencryption command. For more information, see the lsencryption command.
- If an error occurs during the rekey process, it can be cancelled by running the following command:
chencryption -usb newkey -key cancel
If the rekey is cancelled, the system continues to use the existing master key. For more information, see the chencryption command.
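The two lsencryption checks that the command-line procedure relies on (usb_rekey_filename populated after prepare; usb_key_filename naming the new key and usb_rekey_filename blank after commit), as an added bash example that is not part of the original page. It assumes lsencryption prints one "field value" pair per line, and the sample outputs, key file names and the ssh command prefix are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not IBM's code): verify the rekey state transitions the
# procedure describes. ASSUMPTION: lsencryption prints "field value" per line.
set -eu

# Print the value of one field from lsencryption-style output ("" if blank or missing).
field_of() {  # $1 = command output, $2 = field name
    printf '%s\n' "$1" | awk -v f="$2" '$1 == f { print $2 }'
}

# After 'chencryption -usb newkey -key prepare' the doc says usb_rekey_filename is set.
rekey_prepared() { [ -n "$(field_of "$1" usb_rekey_filename)" ]; }

# After 'chencryption -usb newkey -key commit' usb_key_filename must name the
# new key and usb_rekey_filename must be blank again.
rekey_committed() {  # $1 = command output, $2 = expected new key file name
    [ "$(field_of "$1" usb_key_filename)" = "$2" ] &&
        [ -z "$(field_of "$1" usb_rekey_filename)" ]
}

# Constructed sample outputs (not captured from a real system).
AFTER_PREPARE='method usb
usb_key_filename keyfile_old
usb_rekey_filename keyfile_new'
AFTER_COMMIT='method usb
usb_key_filename keyfile_new
usb_rekey_filename '

# Driver for a live system; $1 is a hypothetical command prefix such as
# "ssh superuser@CLUSTER_IP". Run by an operator, not by the test.
run_rekey() {
    $1 chencryption -usb newkey -key prepare
    if ! rekey_prepared "$($1 lsencryption)"; then
        echo "prepare did not register a new key; cancelling rekey" >&2
        $1 chencryption -usb newkey -key cancel
        return 1
    fi
    newkey=$(field_of "$($1 lsencryption)" usb_rekey_filename)
    read -r -p "Add/rotate USB flash drives until 3 or more copies exist, then press Enter "
    $1 chencryption -usb newkey -key commit
    rekey_committed "$($1 lsencryption)" "$newkey" ||
        { echo "commit not confirmed by lsencryption; check status before retrying" >&2; return 1; }
    echo "rekey complete: active key is $newkey"
}
```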