Encryption and external pools

Encrypted files are migrated to external pools in cleartext and are re-encrypted when they are retrieved from external pools.

Whenever encrypted files on the IBM Storage Scale file system are migrated to an external storage pool, they are decrypted before migration to the external storage pool takes place. Files are sent to the tool that manages the external storage in cleartext, leaving file stubs in the file system. When these migrated files are recalled, they are retrieved in cleartext and are subsequently re-encrypted by IBM Storage Scale as they are rewritten to disk. Typically the product software that manages the external storage provides the means to encrypt the cleartext data sent by IBM Storage Scale before writing the data to the external storage. Similarly the product software can decrypt the data before sending it to IBM Storage Scale when the file is recalled.

When the stub files that are created from the migration of data to an external pool are copied to other locations in the file system, IBM Storage Scale recalls the data from the external pool if the destination of the copy is a different file (inode) space. For example, copying a stub file from one file system to another or from one independent fileset to another triggers the recall of the file data from the external pool. If the placement policy for the destination of the file copy requires files to be encrypted, then the file also is encrypted when recalled.

For more information about external pools, see External storage pools.