Encryption policies
An encryption policy consists of a set of policy rules for one of two purposes: managing the encryption of a group of files or re-wrapping the file encryption keys of already encrypted files.
The following encryption policy rules are available:
- The ENCRYPTION IS rule specifies how a file is to be encrypted and how file encryption keys (FEKs) are to be wrapped (that is, encrypted) with master encryption keys (MEKs).
- The SET ENCRYPTION rule describes a group of files to be encrypted and specifies the type of encryption (as defined by an earlier ENCRYPTION IS rule) that is to be done.
- The SET ENCRYPTION EXCLUDE command signals the end of a series of SET ENCRYPTION rules.
- The CHANGE ENCRYPTION KEYS rule re-wraps FEKs. FEKs that were previously wrapped with a specified MEK are unwrapped and then re-wrapped with a new MEK.
Encryption policies are configured with the mmchpolicy command. A policy for re-wrapping FEKs is applied with the mmapplypolicy command. A policy for encrypting a set of files is applied whenever a file is created or is restored from backup.
When a file is created or is restored, the following steps occur:
- IBM Storage Scale evaluates the rules in the policy sequentially. The type of processing depends on the type of rule:
  - For an ENCRYPTION IS rule, the encryption specification is saved for future use.
  - For a SET ENCRYPTION rule, if the created or restored file does not match the file description in the rule, the rule is skipped and processing goes on to the next rule. If the file does match the file description in the rule, encryption is postponed until the entire policy is scanned.
  - If a SET ENCRYPTION EXCLUDE command is encountered, evaluation of the rules stops.
  Note: Evaluation of the rules also stops if the end of the policy is reached or if the file matches the file description of eight SET ENCRYPTION rules. Eight is the maximum number of SET ENCRYPTION rules that can be applied to one file.
- After the encryption policy is evaluated, a FEK is generated and the file is encrypted with it.
- Then the FEK is wrapped separately for each of the SET ENCRYPTION rules that the file matched. For example, if the file matched three SET ENCRYPTION rules, then three separate wrappings of the FEK are created. The wrapped FEKs are stored in the gpfs.Encryption extended attribute of the file. Only one of the wrapped FEKs needs to be unwrapped to access the file.
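The evaluation order above, modelled as an added Python example (not IBM Storage Scale code and not the real policy-rule syntax): rules are simplified objects, file matching is a hypothetical file-name glob, and the MEK labels and policy are constructed. The result is the list of MEKs the new file's FEK would be wrapped with, one wrapping per matched SET ENCRYPTION rule.

```python
import fnmatch
from dataclasses import dataclass

MAX_SET_ENCRYPTION_MATCHES = 8  # cap stated in the documentation


@dataclass
class Rule:
    kind: str           # "ENCRYPTION IS", "SET ENCRYPTION" or "SET ENCRYPTION EXCLUDE"
    name: str = ""      # encryption-specification name (ENCRYPTION IS / SET ENCRYPTION)
    mek: str = ""       # MEK label used by an ENCRYPTION IS rule (constructed values below)
    pattern: str = "*"  # hypothetical file-name glob standing in for the file description


def evaluate(policy, filename):
    """Return the MEKs the file's FEK is wrapped with, in policy order."""
    specs = {}    # ENCRYPTION IS rules seen so far, saved for later SET ENCRYPTION rules
    matched = []  # SET ENCRYPTION rules the file matched
    for rule in policy:
        if rule.kind == "ENCRYPTION IS":
            specs[rule.name] = rule
        elif rule.kind == "SET ENCRYPTION":
            if not fnmatch.fnmatch(filename, rule.pattern):
                continue  # no match: skip to the next rule
            if rule.name not in specs:
                raise ValueError(f"SET ENCRYPTION {rule.name!r} has no earlier ENCRYPTION IS rule")
            matched.append(rule)
            if len(matched) == MAX_SET_ENCRYPTION_MATCHES:
                break  # eighth match: evaluation stops
        elif rule.kind == "SET ENCRYPTION EXCLUDE":
            break  # EXCLUDE ends evaluation of the SET ENCRYPTION rules
    # The FEK is wrapped once per matched rule; any one wrapping suffices to open the file.
    return [specs[r.name].mek for r in matched]


# Constructed policy: HR files get an extra wrapping under the HR key; the
# catch-all rule after EXCLUDE is never reached, so "notes.txt" stays unencrypted.
POLICY = [
    Rule("ENCRYPTION IS", name="E_HR", mek="KEY-hr:RKM_1"),
    Rule("ENCRYPTION IS", name="E_ALL", mek="KEY-all:RKM_1"),
    Rule("SET ENCRYPTION", name="E_HR", pattern="hr_*"),
    Rule("SET ENCRYPTION", name="E_ALL", pattern="*.csv"),
    Rule("SET ENCRYPTION EXCLUDE"),
    Rule("SET ENCRYPTION", name="E_ALL", pattern="*"),
]

if __name__ == "__main__":
    for name in ("hr_payroll.csv", "hr_memo.txt", "notes.txt"):
        print(name, "->", evaluate(POLICY, name))
```

A file that matches more than eight SET ENCRYPTION rules still ends up with exactly eight wrappings, which the model reproduces.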
Notes:
- When an encryption policy is changed, the changes apply only to the encryption of subsequently created files.
- Encryption policies are defined on a per-file-system basis by a system administrator. After the encryption policies are put in place, they can result in files in different filesets or with different names being encrypted differently.