Creating storage policy for object encryption
Use the following information to create a storage policy for encryption.
To create a storage policy with the encryption function enabled, use the mmobj policy create command:
mmobj policy create PolicyName -f FilesetName -i MaxNumInodes --enable-encryption --encryption-keyfile EncryptionKeyFileName --force-rule-append
where:
- PolicyName
  Indicates the name of the storage policy to create.
- FilesetName
  Indicates the fileset name that the created storage policy must use. This parameter is optional.
- FilesystemName
  Indicates the file system name where the fileset resides. This parameter is optional.
- MaxNumInodes
  Indicates the inode limit for the new inode space. This parameter is optional.
- --enable-encryption
  Enables an encryption policy.
- EncryptionKeyFileName
  Indicates the fully qualified path of the encryption key file.
- --force-rule-append
  Adds and establishes the rule when other rules exist. This parameter is optional.
The --force-rule-append parameter determines whether the new GPFS policy rule is established when rules already exist:
- If --force-rule-append is not set:
  - The command checks whether a GPFS policy rule is already established during policy creation.
  - If a policy rule is already established, the new encryption rule is not established; it is only displayed.
  - Otherwise, the new encryption rule is established and displayed.
- If --force-rule-append is set:
  - The command checks whether a GPFS policy rule is already established during policy creation.
  - If a policy rule is already established, the new encryption rule is appended to the established rules and the GPFS policy for the file system is updated. The new encryption rule is displayed.
  - Otherwise, the new encryption rule is established and displayed.
During command execution the encryption policy and rule are created. A GPFS policy rule file is created and used to establish the policy rule.
The following example shows a policy rule file: /var/mmfs/ces/policyencryption.rule
Note: The filename is autogenerated.
After the encryption policy is created, depending on the presence or absence of the --force-rule-append parameter, the command displays the new encryption policy.
If an error occurs during encryption, the local cleanup function is called to remove the created fileset and exit the mmobj policy create CLI script. The existing rules and policies are not changed.
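The following wrapper is an added example and is not part of the IBM documentation or the mmobj tool. It checks that the encryption key file is a regular file that only its owner can read before building and running the mmobj policy create command line described above, omitting the optional -f and -i flags when their values are empty and adding --force-rule-append only when requested. The default MMOBJ path and the rule that the key file must carry no group or other permission bits are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): pre-flight wrapper for
# "mmobj policy create --enable-encryption". Assumptions: the key file must be
# a regular file with no group/other permission bits; MMOBJ may be overridden
# so the wrapper can be exercised on a host without IBM Spectrum Scale.

MMOBJ="${MMOBJ:-/usr/lpp/mmfs/bin/mmobj}"   # assumed default install path

# Refuse to proceed unless the encryption key file is a regular file that only
# its owner can access. Returns 0 when acceptable, 1 otherwise.
check_keyfile() {
  keyfile=$1
  if [ ! -f "$keyfile" ]; then
    echo "key file not found or not a regular file: $keyfile" >&2
    return 1
  fi
  # Columns 5-10 of "ls -ld" output are the group and other permission bits.
  gotail=$(ls -ld "$keyfile" | cut -c5-10)
  case "$gotail" in
    ------) return 0 ;;
    *) echo "key file $keyfile is group/world accessible (mode ...$gotail)" >&2
       return 1 ;;
  esac
}

# Print the mmobj command line for the given parameters. An empty FilesetName
# or MaxNumInodes omits the optional -f / -i flag; force="yes" appends
# --force-rule-append so the rule is added to already established GPFS rules.
build_create_cmd() {
  policy=$1; fileset=$2; inodes=$3; keyfile=$4; force=$5
  cmd="mmobj policy create $policy"
  [ -n "$fileset" ] && cmd="$cmd -f $fileset"
  [ -n "$inodes" ] && cmd="$cmd -i $inodes"
  cmd="$cmd --enable-encryption --encryption-keyfile $keyfile"
  [ "$force" = yes ] && cmd="$cmd --force-rule-append"
  printf '%s\n' "$cmd"
}

# Check the key file first, then run the command built above through $MMOBJ.
# Usage: create_encrypted_policy PolicyName FilesetName MaxNumInodes KeyFile yes|no
create_encrypted_policy() {
  check_keyfile "$4" || return 1
  args=$(build_create_cmd "$@" | sed 's/^mmobj //')
  # Intentional word splitting: every token above is a simple, space-free value.
  "$MMOBJ" $args
}
```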
Note: The encryption function enables file system encryption over the object fileset. The same encryption functions and restrictions apply to object encryption and file encryption.