Regenerating keys support (rekeying)
This topic describes support for regenerating keys (rekeying).
Rekeying is the process of creating a new key for the disk storage system. Rekeying can be done locally or externally.
Regenerating keys support locally
Any TS7700 configured with Local Key Management encryption can be rekeyed with new encryption keys on demand, with no downtime and no performance loss during or after the rekey operation. The rekey operations require physical access to the disk storage system. Therefore, the rekey operations can be initiated only from the TS7700 Smit menus. The Smit menu path for the 3948-CSB or 3956-CSB rekey operations is as follows:
Smit > IBM TS7700 Maintenance > Utility Menus > Disk Cache Utility Menus > Re-generate Encryption Key.
During the rekeying process, a new key is generated and copied to the USB flash drives. By default, rekeying creates four copies: two on drives that are expected to be connected and two on backup drives. The new key is then used in place of the current key.
- Before you create a new key, ensure that at least one USB port has a USB flash drive that contains the current valid key. The rekey operation fails unless at least one USB flash drive contains the current key.
- To rekey the disk storage system, at least four USB flash drives are needed to store the copied key material.
Regenerating keys support externally
If external encryption enablement is configured to manage encryption keys, the 3948-CSB or 3956-CSB can generate new keys with the encryption key servers. During the rekey process, the key server generates a new key and the existing key becomes obsolete. In configurations with a single primary key server and multiple secondary key servers, only the primary key server is updated during the rekey operation.
- From the TS7700 Smit menus: Smit > IBM TS7700 Maintenance > Utility Menus > Disk Cache Utility Menus > Re-generate Encryption Key
- From the TS7700 Management Interface: Cluster Summary > Actions > Encryption > Regenerate Key