Key rotation: Replacing master encryption keys

Key rotation is the process of rewrapping file encryption keys (FEKs) with a new master encryption key (MEK).

Replacing a MEK can require rewrapping the FEKs of a large number of files across multiple file systems and also possibly in archives. Before you begin the process of replacing a MEK, back up the affected files in case you need to redo the process.
Warning: If you plan to delete the MEK from the RKM server, be aware that after the MEK is deleted, any files that are still encrypted with FEKs that are wrapped with the old MEK cannot be decrypted and their data is unrecoverable.
  1. Create a MEK on the key server and make a note of its key UUID. In this help topic, the keyname of the old MEK is KEY-old:isklmsrv and the keyname of the new MEK is KEY-new:isklmsrv. For more information see Encryption keys.
  2. Encrypting new files: This step describes how to update the policy rules that specify how files are encrypted so that new files are encrypted with FEKs that are wrapped with the new MEK:
    a. Find the ENCRYPTION IS rules in your encryption policy.
    b. In the KEYS parameter, replace the name of the old MEK with the name of the new MEK, as in the following example:
       RULE 'EncRule1' ENCRYPTION 'E1' IS
           ALGO 'DEFAULTNISTSP800131A'
           KEYS('KEY-new:isklmsrv')
    c. Issue the mmchpolicy command to install the changed policy rules so that new files are encrypted under the new policy.
    For more information, see Encryption policy rules.
  3. Rewrapping the FEKs of existing files: This step describes how to rewrap the FEKs of existing files with the new MEK:
    a. Create a CHANGE ENCRYPTION KEYS policy rule to rewrap FEKs that are wrapped with the old MEK. This rule scans a specified group of files, unwraps each FEK entry that is wrapped with the old MEK, and rewraps the FEK entry with the new MEK. In the following example the rule finds all the files that are wrapped with KEY-old:isklmsrv and rewraps them with KEY-new:isklmsrv:
       RULE 'Rule to rewrap keys' CHANGE ENCRYPTION KEYS FROM 'KEY-old:isklmsrv' TO 'KEY-new:isklmsrv'
       This rule has optional POOL, FILESET, SHOW, and WHERE clauses to specify the group of files to be rewrapped. For more information, see Encryption policy rules.
    b. Issue the mmapplypolicy command to apply the policy rule that you created in Step 3(a). The command rewraps the FEKs of the existing files with the new MEK.
       Note: The first phase of the mmapplypolicy command's operation can be a lengthy process. In this phase the command scans all of the files in the affected file system or fileset to discover files that meet the criteria of the policy rule. If your file system or fileset is very large, you might want to delay issuing the mmapplypolicy command until a time when the system is not running a heavy load of applications. For more information, see Phase one: Selecting candidate files.
       Note: The mmapplypolicy command does not process files in unlinked filesets. If these files are encrypted and their FEKs are wrapped with the old MEK, and if the old MEK is deleted from the RKM server, the data in these files is unrecoverable.
  4. Delete any snapshots that might contain files that are encrypted with the old MEK (KEY-old:isklmsrv).
    Warning: You will not be able to delete such snapshots after the old MEK is deleted from the key server.

    Do not begin the next step until the mmapplypolicy command from Step 3(b) has completed.

  5. If the old MEK is no longer needed, delete it from the RKM server. In the regular encryption setup, open the RKM server console and delete the old MEK. In the simplified encryption setup, issue the mmkeyserv key delete command to delete the MEK.
    Note: When you delete a MEK from the RKM server, any file that is encrypted with an FEK that is still wrapped by the old MEK cannot be decrypted and its data is unrecoverable.
  6. Delete the old MEK from the key cache on each node. The old MEK is present in the key cache of any node that did I/O operations to a file whose FEK was wrapped with the old MEK. To delete the old MEK, issue the following command on each node where the old MEK is cached:
    /usr/lpp/mmfs/bin/tsctl encKeyCachePurge 'KEY-old:isklmsrv'
    For more information see the subtopic "Secure deletion and encryption key cache purging" in the help topic Secure deletion.
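The scripted parts of the procedure above (steps 2, 3 and 6) as one guarded script; this is an added example, not code from the IBM help topic. It assumes a placeholder file system name gpfs0, policy files under /tmp, that mmlspolicy -L prints the installed policy file verbatim, and that the mm commands are on PATH; the key names are the ones used in the topic.

```shell
#!/bin/sh
# Added example, not from the IBM help topic: drives steps 2, 3 and 6 of the
# rotation from one script. Steps 1, 4 and 5 (create the MEK, delete snapshots,
# delete the old MEK on the RKM server) stay manual. Assumed placeholders:
# file system gpfs0 and policy files under /tmp; key names are the topic's.
set -eu
OLD_MEK=${OLD_MEK:-'KEY-old:isklmsrv'}
NEW_MEK=${NEW_MEK:-'KEY-new:isklmsrv'}
FS=${FS:-gpfs0}

# A key name is KeyID:RkmID. Refuse anything else: a typo here would rewrap
# FEKs with the wrong MEK, or fail to find the files wrapped with the old one.
check_keyname() {
  case "$1" in
    ''|:*|*:|*:*:*|*[!A-Za-z0-9_.:-]*) return 1 ;;
    *:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 2: read the current policy on stdin and swap the old MEK for the new
# one inside KEYS(...) of the ENCRYPTION IS rule; all other rules stay intact.
update_encryption_policy() {
  sed "s|KEYS('$1')|KEYS('$2')|"
}

# Step 3(a): rule that unwraps FEKs wrapped with the old MEK and rewraps them.
rewrap_rule() {
  printf "RULE 'Rule to rewrap keys' CHANGE ENCRYPTION KEYS FROM '%s' TO '%s'\n" "$1" "$2"
}

rotate_keys() {
  check_keyname "$OLD_MEK" && check_keyname "$NEW_MEK" && [ "$OLD_MEK" != "$NEW_MEK" ]
  # mmlspolicy -L is assumed to print the installed policy file verbatim.
  mmlspolicy "$FS" -L | update_encryption_policy "$OLD_MEK" "$NEW_MEK" > /tmp/encrypt.pol
  grep -q "KEYS('$NEW_MEK')" /tmp/encrypt.pol   # refuse to install a policy that did not change
  mmchpolicy "$FS" /tmp/encrypt.pol             # step 2(c): new files now use the new MEK
  rewrap_rule "$OLD_MEK" "$NEW_MEK" > /tmp/rewrap.pol
  mmapplypolicy "$FS" -P /tmp/rewrap.pol -I test  # dry run first: inspect the selected files
  printf 'Rewrap FEKs from %s to %s on %s? [y/N] ' "$OLD_MEK" "$NEW_MEK" "$FS"
  read -r answer && [ "$answer" = y ]
  mmapplypolicy "$FS" -P /tmp/rewrap.pol -I yes   # step 3(b): must finish before the old MEK is deleted
  /usr/lpp/mmfs/bin/tsctl encKeyCachePurge "$OLD_MEK"  # step 6: repeat on every node that cached it
}

if [ "${1:-}" = run ]; then rotate_keys; fi
```

Run it as `sh rotate.sh run` on a node with the GPFS commands; without the `run` argument it only defines the functions so they can be sourced and checked.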
Warning: If the steps for key rotation are not followed carefully, they can result in unrecoverable data loss. Be aware of the following issues:
  • Check other file systems that might contain files that are encrypted with the old MEK. If there are such files, rewrap their FEKs with the new MEK before you delete the old MEK from the RKM server.

  • Test the policy rule by running the mmapplypolicy command with the -I test option. Check the output to verify that the policy rule is selecting the correct set of files. Also verify that the CHANGE ENCRYPTION KEYS statement specifies the correct old MEK and new MEK.

  • To preserve the data in files that were deleted or were unlinked from filesets, restore the files (from a backup or snapshot, if available) before you issue the mmapplypolicy command. Remember that the mmapplypolicy command does not process unlinked files that were deleted from filesets with operating system commands such as rm and unlink.