Configuring encryption for Global Data Platform storage

You can configure the encryption in IBM Storage Fusion to access an encrypted remote IBM Spectrum Scale file system. You can set the encryption for the IBM Storage Fusion storage.

Before you begin

Prepare IBM® Security Guardium® Key Lifecycle Manager (GKLM) server for IBM Storage Fusion. To establish an encryption-enabled environment, see Simplified setup: Using GKLM with a self-signed certificate.

Ensure you go through the firewall recommendations for GKLM. See Firewall recommendations for IBM GKLM

To know more about encryption in IBM Spectrum Scale, see Encryption in IBM Spectrum Scale documentation.

About this task

The Encryption algorithm field is available only for IBM Storage Fusion.

The File system tenants field is available only for remote mount. For remote filesystem in IBM Storage Fusion the remote file system has already been encrypted by the IBM Spectrum Scale admin, and the IBM Storage Fusion user must connect to the same key management server so that encrypted data can be accessed.

Procedure

  1. Click Settings menu in IBM Storage Fusion user interface.
  2. In the Encryption section, click Connect.
  3. Enter the following details:
    Host name
    The Security Key Lifecycle Manager host name to connect.
    Backup host name
    Optionally, enter secondary GKLM server host name.
    Port number (optional)
    The REST port number connects IBM Storage Fusion to Security Key Lifecycle Manager REST admin interface. The default port number is 9443.
    Note: It can depend on Security Key Lifecycle Manager version. See Firewall recommendations for GKLM.
    User name
    The administrator user name for GKLM Server. The default value is GKLMAdmin.
    Password
    The administrator password for the GKLM Server.
    Certificates
    Note: TLS/KMIP Certificates for secure communication on the KMIP port, only require when the key server is running with a certificate chain from a Certificate Authority (CA) rather than with a self-signed server certificate. The certificates must be formatted as PEM-encoded X.509 certificates.
    Root certificate
    The root CA certificate from the Certificate Authority.
    Endpoint certificate
    The server certificate that is signed by a CA.
    Intermediate certificate (optional)
    The intermediate CA certificates are required only when the server certificate is signed by one of them. If you have more intermediate certificates, then click Add intermediate certificate to add them.
    File system tenants
    Set up tenant and remote key management ID pairs for remote file system. Enter Encryption tenant and Remote key management ID.

    Click Add pair to add additional file system tenants.

    Run the following commands on the remote scale cluster to retrieve the values:
    mmkeyserv client show
    This command gives the tenant name. If the tenant name is displayed as (none), then first register client using mmkeyserv client register command. For more details about this command, see mmkeyserv command.
    To get Remote key management ID, run the following command on the remote scale cluster:
    mmkeyserv tenant show
    Encryption algorithm
    For IBM Storage Fusion, choose an encryption algorithm for encrypting data. The available options are NIST SP 800-131A and NIST SP 800-131AFAST.
  4. Click Save.