Enabling encryption with key servers

You can use the management GUI or the command-line interface (CLI) to enable encryption with key servers.

Configuring encryption with IBM Security Guardium Key Lifecycle Manager key servers

Ensure that you complete the following tasks on the IBM® Security Guardium® Key Lifecycle Manager before you enable encryption:
  1. The system supports only TLS versions 1.2 and 1.3. In the IBM Security Guardium Key Lifecycle Manager, specify TLSv1.2 to use the TLS1.2 protocol, or TLSv1.3 to use the TLS1.3 protocol.
  2. Ensure that the DB2 database service is started automatically on startup.
  3. Ensure that a valid SSL certificate from IBM Security Guardium Key Lifecycle Manager is installed on the system and in use. If automatic replication is configured on IBM Security Guardium Key Lifecycle Manager, then this certificate needs to be uploaded to the system one time. However, if automatic replication is not configured on the IBM Security Guardium Key Lifecycle Manager, a certificate for each stand-alone key server must be uploaded to the system.
  4. Ensure that a device group exists on IBM Security Guardium Key Lifecycle Manager called SPECTRUM_VIRT, which is based on the GPFS family. If you are configuring multiple key servers, the SPECTRUM_VIRT device group must be defined on the primary and all secondary key servers.
  5. If encryption is enabled with USB flash drives, insert at least one of the USB flash drives into the system before key servers can be configured for managing keys.
For more information about completing these tasks, see the IBM Documentation for IBM Security Guardium Key Lifecycle Manager.
To enable encryption with an IBM Security Guardium Key Lifecycle Manager key server in the management GUI, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Click Enable Encryption.
  3. On the Welcome page, select Key Servers. Click Next.
    Note: You can also select both Key Servers and USB flash drives to configure both methods to manage encryption keys. If either method becomes disabled, you can use the other method to access encrypted data on your system.
  4. Select IBM Security Guardium Key Lifecycle Manager (with KMIP) for the key server type.
  5. Enter the name, IP address or domain name, and port for each key server. If you are configuring multiple key servers, the first key server that you specify is the primary key server. If you specify a fully qualified domain name, a DNS server must be configured on your system. To configure a DNS server for the system, select Settings > Network > DNS. You can also use the mkdnsserver command to configure DNS servers.
  6. Select SPECTRUM_VIRT for the device group for the key servers. This device group must also be configured on each of the key servers for the system.
  7. On the Key Server Certificate page, upload all the key server certificates that the system needs. A key server certificate can be the key server endpoint certificate, the root CA certificate, or a file that contains all of the CA certificates in the chain. This file does not need to include the key server endpoint certificate; it should contain only the intermediate and root CA certificates. If both the endpoint certificate and the CA certificate of a key server are installed on the system, the endpoint certificate takes priority over the CA certificate. If the key servers are configured for automatic replication, the certificate is copied from the primary key server to all secondary key servers, so all the IBM Security Guardium Key Lifecycle Manager instances use the same key server certificate for their secure connections, including the connections over which they replicate keys with each other, and only one key server certificate needs to be installed on the system. In that case, select the certificate that you uploaded to the system in the Certificate field. If automatic replication is not configured, select all the valid certificates that you uploaded to the system, one for each configured key server. Click Next.
  8. On the System Certificate page, click Export system certificate and download the system certificate. Copy the system certificate to the truststore for the SPECTRUM_VIRT device group on each configured key server. You must not upload the root certificate to the key servers, as IBM Security Guardium Key Lifecycle Manager does not support chain of trust checking for the SPECTRUM_VIRT device group. For more information, see online documentation of IBM Security Guardium Key Lifecycle Manager.
  9. If you have USB flash drives configured as your encryption method, the Disable USB Encryption page displays. If you want to migrate to key servers and disable USB flash drives, select Yes. If you want to keep both encryption methods, click No.
  10. Click Next.
  11. On the Summary page, verify the configuration for the key servers and click Finish.
To enable encryption with an IBM Security Guardium Key Lifecycle Manager key server in the command-line interface, complete the following steps:
  1. To enable encryption on your system, see chencryption command.
  2. To enable the key server type and supply the certificates of the key server, see chkeyserverisklm command.
  3. To use an internally signed certificate or an externally signed certificate, see satask exportrootcertificate command and chsystemcert command.
  4. To create the primary key server and up to three more secondary key servers and specify the key server certificate, see mkkeyserver command.
  5. To verify that the system is prepared, see lsencryption command.

Configuring encryption with Thales CipherTrust Manager or Gemalto SafeNet KeySecure key servers

For SafeNet KeySecure key servers, ensure that you complete the following tasks before you enable encryption:
  1. Each key server must be configured to allow TLS 1.2 for secure communications.
  2. Ensure that a valid SSL certificate from each KeySecure key server is installed on the system and in use. Either add the server certificate for each KeySecure key server, or add the root CA certificate that was used to sign each server certificate.
  3. If you plan to use a username and password to authenticate the system to these key servers, you must configure user credentials for authentication in the key server management interface. For KeySecure 8.10 and later, administrators can configure a username and password to authenticate the system when it connects. Before KeySecure 8.10, the use of a password is optional. To set up authentication with a username and password between the system and KeySecure key servers, disable global keys on the High Security menu in the SafeNet KeySecure interface. When global keys are disabled, key servers cannot authenticate clients to create or access keys without valid credentials.
  4. The Storage Virtualize certificate must be trusted by the SafeNet KeySecure key servers. Install the certificate that anchors it as an External CA in SafeNet KeySecure and add that certificate to the list of CAs that can be used for KMIP: the system's root certificate if the system's root CA signed the certificate, the third-party root certificate if a trusted third-party CA signed it, or the system certificate itself if it is self-signed. Avoid a self-signed certificate where possible: when it is renewed, the connection between Storage Virtualize and the key servers is interrupted until the new certificate is added to the key servers.
  5. If you currently have encryption that is enabled with USB flash drives, at least one of the USB flash drives must be inserted into the system before key servers can be configured for managing keys.
To enable encryption with a Thales CipherTrust Manager or KeySecure key server using the management GUI, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Click Enable Encryption.
  3. On the Welcome page, select Key Servers. Click Next.
    Note: You can also select both Key Servers and USB Flash Drives to configure both methods to manage encryption keys. If either method becomes unavailable, you can use the other method to access encrypted data on your system.
  4. Select Thales CipherTrust Manager or Gemalto SafeNet KeySecure for the key server type.
  5. Enter the name, IP address or domain name, and port for each key server. If you are configuring multiple key servers, the first key server that you specify is the primary key server. If you specify a fully qualified domain name, a DNS server must be configured on your system. To configure a DNS server for the system, select Settings > Network > DNS. You can also use the mkdnsserver command to configure DNS servers.
  6. On the Key Server Credentials page, enter a user name and password that is used to authenticate the system to the key servers.
  7. On the Key Server Certificate page, upload all the key server certificates that the system needs. The key servers can use a certificate from a trusted third party, a self-signed certificate, or a combination of these. Upload either the server certificate for each key server, or the root CA certificate, or a file that contains all of the CA certificates in the chain. This file does not need to include the key server certificate; it should contain only the intermediate and root CA certificates. Any server certificate takes priority over any CA certificate that is installed on the system for the key servers. Click Next.
  8. If you are using Thales CipherTrust Manager, the Storage Virtualize certificate must be signed by a CA.
    • If the Storage Virtualize certificate is signed by the system's root CA, click Export Root Certificate. Install the root certificate as an external CA on the Thales CipherTrust Manager key servers and add it to the list of external CAs that can be used for KMIP.
    • If the Storage Virtualize certificate is signed by a trusted third-party CA, install the third-party CA's root certificate as an external CA on the Thales CipherTrust Manager key servers and add it to the list of external CAs that can be used for KMIP.
    If you are using SafeNet KeySecure:
    • If the Storage Virtualize certificate is signed by the system's root CA, click Export Root Certificate. Install the root certificate as an external CA on the SafeNet KeySecure key servers and add it to the list of external CAs that can be used for KMIP.
    • If the Storage Virtualize certificate is signed by a trusted third-party CA, install the third-party CA's root certificate as an external CA on the SafeNet KeySecure key servers and add it to the list of external CAs that can be used for KMIP.
    • If the Storage Virtualize certificate is self-signed, click Export System Certificate. Install the Storage Virtualize certificate as an external CA on the SafeNet KeySecure key servers and add it to the list of external CAs that can be used for KMIP.
  9. Select the check box The system’s public key certificate has been transferred to each configured key server.
  10. If you have USB flash drives configured as your encryption method, the Disable USB Encryption page displays. If you want to migrate to key servers and disable USB flash drives, select Yes. If you want to keep both encryption methods configured, click No.
  11. Click Next.
  12. On the Summary page, verify the configuration for the key servers and click Finish.
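The Key Server Certificate step in both GUI procedures above accepts either a key server's endpoint certificate or a file that holds only the intermediate and root CA certificates of its chain. The following script is an added example, not IBM code and not from the original page: it builds such a CA-only file from a chain file as downloaded from a key server, then uses openssl to check that the endpoint certificate verifies against it, and shows the failure when the root certificate is left out. The PKI it generates, the host name kms1.example.com and the CA names are constructed for the example and are not values from this page.

```shell
#!/bin/sh
# Added example (not IBM code): prepare the key-server certificate file for the
# Key Server Certificate page (CA certificates only, no endpoint certificate)
# and check that the key server's endpoint certificate chains to it.
# The PKI, kms1.example.com and the CA names below are constructed for the example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/pki.cnf"

# Minimal openssl config: an empty DN section (subjects come from -subj) plus
# the extension sets for CA certificates and the key-server certificate.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kms1.example.com
EOF

# Build a constructed three-tier PKI: root CA -> issuing CA -> key server endpoint.
make_test_pki() {
  openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Root CA" -days 30 2>/dev/null
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" \
    -subj "/CN=Example Issuing CA" 2>/dev/null
  openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -extfile "$CFG" -extensions ca_ext -out "$WORK/issuing.pem" 2>/dev/null
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -keyout "$WORK/kms1.key" -out "$WORK/kms1.csr" \
    -subj "/CN=kms1.example.com" 2>/dev/null
  openssl x509 -req -in "$WORK/kms1.csr" -CA "$WORK/issuing.pem" \
    -CAkey "$WORK/issuing.key" -CAcreateserial -days 30 \
    -extfile "$CFG" -extensions server_ext -out "$WORK/kms1.pem" 2>/dev/null
  # What an administrator typically downloads from a key server: the whole
  # chain in one file, endpoint certificate first.
  cat "$WORK/kms1.pem" "$WORK/issuing.pem" "$WORK/root.pem" > "$WORK/downloaded.pem"
}

# Split a PEM file into one certificate per file and keep only those whose
# basicConstraints say CA:TRUE; the endpoint certificate is dropped.
build_ca_bundle() {  # $1 = input PEM chain, $2 = output CA-only bundle
  local split
  split="$(mktemp -d)"
  awk -v dir="$split" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
  : > "$2"
  for c in "$split"/cert*.pem; do
    if openssl x509 -in "$c" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
      cat "$c" >> "$2"
    fi
  done
  rm -rf "$split"
}

# Number of certificates in a PEM file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Chain check: exit 0 if the endpoint certificate verifies against the bundle.
verify_endpoint() {  # $1 = CA bundle, $2 = endpoint certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki
build_ca_bundle "$WORK/downloaded.pem" "$WORK/ca-bundle.pem"
printf 'CA bundle holds %s certificate(s)\n' "$(count_certs "$WORK/ca-bundle.pem")"
if verify_endpoint "$WORK/ca-bundle.pem" "$WORK/kms1.pem"; then
  echo "kms1.pem chains to the CA bundle: OK"
fi
# Caveat: a file that holds only the intermediate CA is not enough; the root must be present.
if ! verify_endpoint "$WORK/issuing.pem" "$WORK/kms1.pem"; then
  echo "intermediate-only file rejected, as expected"
fi
```

The resulting ca-bundle.pem is the kind of file the Key Server Certificate page expects when you choose to upload the CA chain rather than the endpoint certificate; the intermediate-only check shows why a partial chain is rejected. openssl verify does not model the system's own rule that an installed endpoint certificate takes priority over a CA certificate; that behaviour is as described in the steps above.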
To enable encryption with a Thales CipherTrust Manager or a KeySecure key server in the command-line interface, complete the following steps:
  1. To enable encryption on your system, see chencryption command.
  2. To enable the key server type and supply the root certificate authority (CA) certificate, see chkeyserverciphertrustmanager command.
  3. To use an internally signed certificate or an externally signed certificate, see satask exportrootcertificate command and chsystemcert command.
  4. To create the primary key server and up to three more secondary key servers and specify the key server certificate, see mkkeyserver command.
  5. To verify that the system is prepared, see lsencryption command.