You can use the management GUI or the command-line interface (CLI) to enable
encryption with key servers.
Configuring encryption with IBM Security Guardium Key Lifecycle Manager key servers
Ensure that you complete the following tasks on the
IBM® Security Guardium® Key Lifecycle Manager before you enable encryption:
- The system supports only TLS versions 1.2 and 1.3. In the IBM Security Guardium Key Lifecycle
Manager, specify TLSv1.2 to use the TLS1.2 protocol, or TLSv1.3 to use the TLS1.3
protocol.
- Ensure that the DB2 database service is started automatically on startup.
- Ensure that a valid SSL certificate from IBM Security Guardium Key Lifecycle Manager is
installed on the system and in use. If automatic replication is configured on IBM Security Guardium
Key Lifecycle Manager, then this certificate needs to be uploaded to the system one time. However,
if automatic replication is not configured on the IBM Security Guardium Key Lifecycle Manager, a
certificate for each stand-alone key server must be uploaded to the system.
- Ensure that a device group exists on IBM Security Guardium Key Lifecycle Manager called
SPECTRUM_VIRT, which is based on the GPFS family. If you are configuring multiple key
servers, the SPECTRUM_VIRT device group must be defined on the primary and all secondary key
servers.
- If encryption is enabled with USB flash drives, insert at least one of the USB flash drives into
the system before key servers can be configured for managing keys.
For more information about completing these tasks, see the IBM Documentation for
IBM Security Guardium Key Lifecycle Manager.
To enable encryption with an IBM Security Guardium Key Lifecycle Manager key server in the
management GUI, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- On the Welcome page, select Key Servers. Click
Next.
Note: You can also select both Key Servers and
USB flash drives to configure both methods to manage encryption keys. If
either method becomes disabled, you can use the other method to access encrypted data on your
system.
- Select IBM Security Guardium Key Lifecycle Manager
(with KMIP) for the key server type.
- Enter the name, IP address or domain name, and port for each key
server. If you are configuring multiple key servers, the first key server that you specify is the
primary key server. If you specify a fully qualified
domain name, a DNS server must be configured on your system. To configure a DNS server for the
system, select .
You can also use the mkdnsserver command to configure DNS servers.
- Select SPECTRUM_VIRT for the device group for the key servers. This
device group must also be configured on each of the key servers for the system.
- On the Key Server Certificate page, you must upload all the necessary key server certificates to
the system. The key server certificate can be the key server endpoint certificate, the root CA
certificate, or a file that contains all CA certificates within that chain. This file does not need
to include the key server certificate; it should contain only the intermediate and root CA
certificates. If both the endpoint certificate and the CA certificate of the key servers are
installed on the system, the endpoint certificate takes priority over the CA certificate. If the key
servers are configured for automatic replication, the certificate is copied from the primary key
server to all secondary key servers, and all the IBM Security Guardium Key Lifecycle Manager
instances are connected over secure connections with the same key server certificate. If
replication is used on the IBM Security Guardium Key Lifecycle Manager, only one key server
certificate needs to be installed on the system, because the key servers use this single
certificate to replicate keys with each other. If only one certificate is used and automatically
replicated to all configured key servers, select the certificate that you downloaded to the system
in the Certificate field. If automatic replication is not configured, select all the valid
certificates that you downloaded to the system for each of the configured key servers. Click Next.
- On the System Certificate page, click
Export system certificate and download the system certificate. Copy the
system certificate to the truststore for the SPECTRUM_VIRT device group on
each configured key server. You must not upload the root certificate to the
key servers, as IBM Security Guardium Key Lifecycle Manager does
not support chain of trust checking for the SPECTRUM_VIRT device group. For more information,
see online documentation of IBM Security Guardium Key Lifecycle Manager.
- If you have USB flash drives configured as your encryption method, the
Disable USB Encryption page displays. If you want to migrate to key servers and
disable USB flash drives, select Yes. If you want to keep both encryption
methods, click No.
- Click Next.
- On the Summary page, verify the configuration for the key servers and click
Finish.
To enable encryption with an
IBM Security Guardium Key Lifecycle Manager key server in the
command-line interface, complete the following steps:
- To enable encryption on your system, see chencryption command.
- To enable the key server type and supply the certificates of the key server, see chkeyserverisklm command.
- To use an internally signed certificate or an externally signed certificate, see satask exportrootcertificate command and chsystemcert command.
- To create the primary key server and up to three more secondary key servers and specify the key
server certificate, see mkkeyserver command.
- To verify that the system is prepared, see lsencryption command.
Configuring encryption with Thales CipherTrust Manager or Gemalto SafeNet KeySecure key servers
For SafeNet KeySecure key servers, ensure that you complete the following
tasks before you enable encryption:
- Each key server must be configured to allow TLS 1.2 for secure communications.
- Ensure that a valid SSL certificate from each KeySecure key server is installed on the system
and in use. Either add the server certificate for each KeySecure key server, or add the root CA
certificate that was used to sign each server certificate.
- If you plan to use a username and password to authenticate the system to these key servers, you
must configure user credentials for authentication in the key server management interface. For
KeySecure versions 8.10 and later, administrators can configure a username and password to
authenticate the system when it connects. Before KeySecure version 8.10, the use of a password is
optional. To set up authentication with a username and password between the system and KeySecure
key servers, disable global keys on the High Security menu in the SafeNet KeySecure interface. When
global keys are disabled, key servers cannot authenticate clients to create or access keys without
valid credentials.
- The Storage Virtualize certificate must be trusted by the SafeNet KeySecure key servers. If the
system's root CA is used to sign the certificate, then the system's root certificate must be
installed as an External CA in SafeNet KeySecure and added to the list of CAs that can be used for
KMIP. Alternatively, the system certificate can be signed by a trusted third-party CA. The
third-party root certificate must be installed as an External CA in SafeNet KeySecure and added to
the list of CAs that can be used for KMIP. If the Storage Virtualize certificate is self-signed,
then the self-signed certificate must be installed as an External CA in SafeNet KeySecure and added
to the list of CAs that can be used for KMIP. A self-signed certificate is not recommended, because
the connection between Storage Virtualize and the key servers is interrupted when the certificate
is renewed, until the new certificate is added to the key servers.
- If you currently have encryption that is enabled with USB flash drives, at
least one of the USB flash drives must be inserted into the system before key servers can be
configured for managing keys.
To enable encryption with a
Thales CipherTrust Manager or KeySecure key
server using the management GUI, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- On the Welcome page, select Key Servers. Click
Next.
Note: You can also select both Key Servers and
USB Flash Drives to configure both methods to manage encryption keys. If
either method becomes unavailable, you can use the other method to access encrypted data on your
system.
- Select Thales CipherTrust Manager or
Gemalto SafeNet KeySecure for the key server type.
- Enter the name, IP address or domain name, and port for each key
server. If you are configuring multiple key servers, the first key server that you specify is the
primary key server. If you specify a fully qualified
domain name, a DNS server must be configured on your system. To configure a DNS server for the
system, select .
You can also use the mkdnsserver command to configure DNS servers.
- On the Key Server Credentials page, enter a user name
and password that is used to authenticate the system to the key servers.
- On the Key Server Certificate page, you must upload all the necessary key server certificates to
the system. The key servers can use either a certificate from a trusted third party, a self-signed
certificate, or a combination of these certificates. All instances are connected over secure
connections with the same key server certificate. Upload either the server certificate for each key
server, or the root CA certificate, or a file that contains all CA certificates within that chain.
This file does not need to include the key server certificate, only the intermediate and root CA
certificates. Any server certificate takes priority over any CA certificate that is installed on
the system for the key servers. Click Next.
- If you are using Thales CipherTrust Manager, the Storage Virtualize certificate must be signed by
a CA.
  - If the Storage Virtualize certificate is signed by the system's root CA, click
  Export Root Certificate. Install the root certificate as an external CA on the Thales CipherTrust
  Manager key servers and add it to the list of external CAs that can be used for KMIP.
  - If the Storage Virtualize certificate is signed by a trusted third-party CA, install the
  third-party CA's root certificate as an external CA on the Thales CipherTrust Manager key servers
  and add it to the list of external CAs that can be used for KMIP.
- If you are using SafeNet KeySecure:
  - If the Storage Virtualize certificate is signed by the system's root CA, click
  Export Root Certificate. Install the root certificate as an external CA on the SafeNet KeySecure
  key servers and add it to the list of external CAs that can be used for KMIP.
  - If the Storage Virtualize certificate is signed by a trusted third-party CA, install the
  third-party CA's root certificate as an external CA on the SafeNet KeySecure key servers and add
  it to the list of external CAs that can be used for KMIP.
  - If the Storage Virtualize certificate is self-signed, click Export System Certificate. Install
  the Storage Virtualize certificate as an external CA on the SafeNet KeySecure key servers and add
  it to the list of external CAs that can be used for KMIP.
- Select The system’s public key certificate has been transferred to each configured key
server.
- If you have USB flash drives configured as your encryption method, the
Disable USB Encryption page displays. If you want to migrate to key servers and
disable USB flash drives, select Yes. If you want to keep both encryption methods
configured at the same time, click No.
- Click Next.
- On the Summary page, verify the configuration for the key servers and click
Finish.
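Both Key Server Certificate pages above (for IBM Security Guardium Key Lifecycle Manager and for Thales CipherTrust Manager or SafeNet KeySecure) accept either the key server endpoint certificate or a CA bundle that holds only the intermediate and root CA certificates. The following script is an added example, not part of the IBM documentation and not a Storage Virtualize command: it uses openssl to build a throwaway root CA, issuing CA and key server endpoint certificate (all names, including the host keyserver1.example.internal, are constructed), assembles the CA bundle as the pages describe, and checks which trust files actually validate the endpoint certificate, that the bundle carries CA certificates only, and how long the endpoint certificate remains valid (the renewal caveat from the KeySecure prerequisites). Point the three check functions at the real PEM files before uploading them.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM documentation). Builds a constructed
# root -> intermediate -> key-server endpoint chain and checks the files a
# practitioner would upload on the Key Server Certificate page.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KS_HOST="keyserver1.example.internal"   # hypothetical key-server host name

# Generate root, intermediate and endpoint certificates into $WORK.
gen_chain() {
  # CA extensions: both the root and the issuing CA are marked CA:TRUE.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  # Root CA, self-signed.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate (issuing) CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Key-server endpoint certificate, signed by the intermediate, valid 90 days.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$KS_HOST" > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$KS_HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  # The CA bundle as the documentation describes it: intermediate and root, no endpoint cert.
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"
  # A wrong bundle that also carries the endpoint certificate, for contrast.
  cat "$WORK/leaf.pem" "$WORK/ca-bundle.pem" > "$WORK/bad-bundle.pem"
}

# Succeeds when the trust file ($1) validates the endpoint certificate ($2)
# up to a self-signed root. A root alone fails when an intermediate exists.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when every certificate in the bundle ($1) is a CA certificate,
# i.e. the file holds only intermediate and root CA certificates.
bundle_is_ca_only() {
  local dir total ca f
  dir=$(mktemp -d); total=0; ca=0
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$1"
  for f in "$dir"/cert*.pem; do
    total=$((total + 1))
    if openssl x509 -in "$f" -noout -text 2>/dev/null | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
      ca=$((ca + 1))
    fi
  done
  rm -rf "$dir"
  [ "$total" -gt 0 ] && [ "$total" -eq "$ca" ]
}

# Succeeds when the certificate ($1) stays valid for at least $2 more days;
# useful for scheduling the renewal the KeySecure section warns about.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

report() {
  local label trust
  for label in "root only:root.pem" "CA bundle (int+root):ca-bundle.pem"; do
    trust="${label#*:}"
    if verify_against "$WORK/$trust" "$WORK/leaf.pem"; then
      echo "${label%%:*}: validates the endpoint certificate"
    else
      echo "${label%%:*}: does NOT validate the endpoint certificate"
    fi
  done
  bundle_is_ca_only "$WORK/ca-bundle.pem" && echo "ca-bundle.pem: CA certificates only"
  bundle_is_ca_only "$WORK/bad-bundle.pem" || echo "bad-bundle.pem: contains a non-CA (endpoint) certificate"
  cert_valid_for_days "$WORK/leaf.pem" 30 && echo "endpoint certificate valid for at least 30 more days"
}

gen_chain
report
```

The root-only case fails because the system cannot build a path from the endpoint certificate to the root without the intermediate, which is exactly why the pages ask for the intermediate and root together when the endpoint certificate itself is not uploaded.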
To enable encryption with
a Thales CipherTrust Manager or a KeySecure key
server in the command-line interface, complete the following steps:
- To enable encryption on your system, see chencryption command.
- To enable the key server type and supply the root certificate authority (CA) certificate, see
chkeyserverciphertrustmanager command.
- To use an internally signed certificate or an externally signed certificate, see satask exportrootcertificate command and chsystemcert command.
- To create the primary key server and up to three more secondary key servers and specify the key
server certificate, see mkkeyserver command.
- To verify that the system is prepared, see lsencryption command.