Preparation for encryption
Preparing for encryption includes verifying the version of IBM Spectrum Scale, installing a remote encryption key server, preparing the cluster, and preparing the encryption key server back ends.
- Terms defined
- Required software: IBM Spectrum Scale
- Required software: Remote Key Management (RKM) server
- Preparing your cluster for encryption
- Preparing the remote key management (RKM) server
- RKM back ends
- The RKM.conf file and the RKM stanza
- Adding backup RKM servers in a high-availability configuration
- The client keystore directory and its files
Terms defined
The following terms are important:
- device group
- See tenant.
- file encryption key
- A file encryption key (FEK) is a key for encrypting file data. See Encryption keys.
- host
- See tenant.
- key client
- A key client is an entity in the cluster that represents the nodes that access encrypted files. The key client receives master encryption keys from the tenant of the RKM server.
- key server
or
Remote Key Management (RKM) server - A key server is a server that authenticates key clients and provides them with master encryption keys. Examples of key server software products are IBM® Security Key Lifecycle Manager (SKLM) and Thales Vormetric Data Security Manager (DSM).
- master encryption key
- A master encryption key (MEK) is a key for encrypting file encryption keys.
- tenant
- A tenant is an entity on a key server that contains master encryption keys and
certificates.
- In the IBM Security Key Lifecycle Manager (SKLM), a tenant is called a device group.
- In the Thales Vormetric Data Security Manager (DSM), a tenant is called a host.
- The mmkeyserv command uses the generic keyword tenant.
Simplified setup and regular setup
The simplified setup is a method for configuring the encryption environment in which you use the mmkeyserv utility to configure and manage cluster-wide encryption configuration. This method is much preferred if your key server is the IBM Security Lifecycle Key Manager (SKLM) because the mmkeyserv utility automatically performs many of the steps that must be done manually in the regular setup. You can use this setup method only with the IBM Security Lifecycle Key Manager.
The regular setup is a method for configuring the encryption environment in which you generate client credentials and then manually edit and distribute encryption configuration files to the nodes in the cluster. You can use this setup method with either the IBM Security Lifecycle Key Manager (SKLM) or the Thales Vormetric Data Security Manager (DSM).
- See the remaining subtopics in this help topic for number of important differences between the two methods.
- For more information, see the instructions for the simplified setup and regular setup in the help topics that follow this topic.
Required software: IBM Spectrum Scale
IBM software | Version | Encryption setup |
---|---|---|
IBM
Spectrum Scale
|
V4.1 or later |
|
V4.2.1 or later | Simplified setup |
Required software: Remote Key Management (RKM) server
The next table shows the RKM server software that IBM Spectrum Scale supports.
RKM server | Version | Type of encryption setup |
---|---|---|
IBM Security Key Lifecycle Manager (SKLM) | V2.5.0.1 or later |
|
IBM Security Key Lifecycle Manager (SKLM) | V2.5.0.4 or later |
|
Thales Vormetric Data Security Manager (DSM) |
|
Regular setup |
1 For the latest information see IBM Spectrum Scale Knowledge Center Question 2.15, "What are the requirements/limitations for using native encryption in IBM Spectrum® Scale Advanced Edition, Data Management Edition, or Erasure Code Edition?" |
Preparing your cluster for encryption
Follow these steps:
- Verify the following items in your IBM Spectrum Scale cluster:
- Ensure that the following packages are installed:
- gpfs.gskit
- gpfs.crypto
- Set up an IBM Spectrum Scale file system on
the cluster. The version of the file system must be IBM Spectrum Scale Release 4.1 or later. Configure the following features on the file system:
- Create the file system with the inode size of 4 KB. This size is the recommended minimum size. The 4-KB inode size is recommended to accommodate the GPFS encryption extended attribute that is assigned to each encrypted file at file creation time. This extended attribute contains one or more wrapped file encryption keys (FEKs) so it can potentially grow large. For more information, see Encryption policies.
- Enable fast extended attributes. This setting is the default for a newly created file system if
you are running V4.1 or later. To verify that fast extended attributes are enabled, issue a command
like the following one:
where <Device> is the name of the file system. However, if your file system was migrated from an earlier level, enter the following command to add support for fast extended attributes:mmlsfs <Device> --fastea
where <Device> is the name of the file system. For more information, see Completing the upgrade to a new level of IBM Spectrum Scale.mmmigrate <Device> --fastea
Preparing the remote key management (RKM) server
RKM back ends
An RKM back end defines a connection between a local key client, a remote key tenant, and an RKM server. Each RKM back end is described in an RKM stanza in an RKM.conf file on each node that is configured for encryption.
By controlling the contents of the RKM.conf file, the cluster administrator can control which client nodes have access to master encryption keys (MEKs). For example, the same RKM server can be given two different names in /var/mmfs/etc/RKM.conf stanzas. Then, the administrator can partition a set of MEKs hosted on a single RKM server into separate subsets of MEKs. These subsets of MEKs might belong to subsets of the nodes of the cluster.
Because the master encryption keys (MEK) are cached in memory, some short-term outages while attempting to access a key server might not cause issues. However, failure to retrieve the keys might result in errors while creating, opening, reading, or writing files. Although the keys are cached, they are periodically retrieved from the key server to ensure their validity.
To ensure that MEKs are always available, it is a good practice to set up multiple key servers in a high-availability configuration. See the subtopic Adding backup RKM servers in a high-availability configuration.
The RKM.conf file and the RKM stanza
- In the simplified setup, the mmkeyserv command manages its own RKM.conf file and updates it automatically. This management includes adding any backup servers for High Availability and other key retrieval properties.
- In the regular setup and the Vormetric setup, you must manage the RKM.conf file and its contents.
Setup | Location of the RKM.conf file |
---|---|
Simplified setup | /var/mmfs/ssl/keyServ/RKM.conf |
Regular setup | /var/mmfs/etc/RKM.conf |
Vormetric DSM setup | /var/mmfs/etc/RKM.conf |
The length of the RKM.conf file cannot exceed 1 MiB. No limit is set on the number of RKM stanzas, if the length limit is not exceeded.
After the file system is configured with encryption policy rules, the file system is considered encrypted. From that point on, each node that has access to that file system must have an RKM.conf file present. Otherwise, the file system might not be mounted or might become unmounted.
RKM ID {
type = ISKLM
kmipServerUri = tls://host:port
keyStore = PathToKeyStoreFile
passphrase = Password
clientCertLabel = LabelName
tenantName = NameOfTenant
[connectionTimeout = ConnectionTimeout]
[connectionAttempts = ConnectionAttempts]
[retrySleep = RetrySleepUsec]
}
where
the terms of the stanza have the following meanings:- RKM ID
- The name of the stanza.
- type
ISKLM
for the regular setup and the simplified setup.KMIP
for the Vormetric DSM setup.- kmipServerUri
- The DNS name or IP address of the SKLM or DSM server and the KMIP SSL port.
- keyStore
- The path and name of the client keystore.
- passphrase
- The password of the client keystore and client certificate.
- clientCertLabel
- The label of the client certificate in the client keystore.
- tenantName
- The name of the tenant or device group.
- connectionTimeout
- The connection timeout, in seconds. The default is 60 seconds. The valid range is 1 - 120 seconds.
- connectionAttempts
- The number of connection attempts. The default is three attempts. The valid range is 1 - 10.
- retrySleep
- The retry sleep time, in microseconds. The default is 100,000 (0.1 seconds). The valid range is 1 - 10,000,000 microseconds.
The client keystore directory and its files
The files in the client keystore directory include the client keystore file, the public and private key files for the client, and possibly other files that are described in later topics.
- In the simplified setup, the mmkeyserv command creates and updates the files in the client keystore directory automatically.
- In the regular setup and the Vormetric setup, you must run various commands to create and update the files.
Setup | Location of the client keystore directory |
---|---|
Simplified setup | /var/mmfs/ssl/keyServ |
Regular setup | /var/mmfs/etc/RKMcerts |
Vormetric DSM setup | /var/mmfs/etc/RKMcerts |
Adding backup RKM servers in a high-availability configuration
<server_name>=<IP_address:port_number>
The
line must be added either immediately after the line that specifies the primary RKM server or
immediately after a line that specifies another backup RKM server. In the following example, the
maximum of five backup RKM servers is
specified:
rkmname3 {
type = ISKLM
kmipServerUri = tls://host:port
kmipServerUri2 = tls://host:port # TLS connection to backup RKM server 1
kmipServerUri3 = tls://host:port # TLS connection to backup RKM server 2
kmipServerUri4 = tls://host:port # TLS connection to backup RKM server 3
kmipServerUri5 = tls://host:port # TLS connection to backup RKM server 4
kmipServerUri6 = tls://host:port # TLS connection to backup RKM server 5
keyStore = PathToKeyStoreFile
passphrase = Password
clientCertLabel = LabelName
tenantName = NameOfTenant
[connectionTimeout = ConnectionTimeout]
[connectionAttempts = ConnectionAttempts]
[retrySleep = RetrySleepUsec]
}
- • Regular setup: See the subtopic "Part 3: Configuring the remote key management (RKM) back end" in the topic Regular setup: Using SKLM with a self-signed certificate.
- • Simplified setup: See the subtopic "Adding backup key servers" in the topic Simplified setup: Doing other tasks.
If at least one backup RKM server is configured, then whenever key retrieval from the primary RKM server fails, IBM Spectrum Scale queries each backup RKM server in the list, in order, until it finds the MEK. The addition of the URIs for the backup RKM servers is the only change that is required within IBM Spectrum Scale. All other configuration parameters (certificates, keys, node, and tenant information) do not need to change, because they are also part of the set of information that is replicated. The administrator is responsible for creating and maintaining any backups.
Additionally, setting up backup RKM servers can help gain some performance advantage by distributing MEK retrieval requests across the backup RKM servers in a round-robin fashion. To achieve this result, the administrator must specify different orderings of the server endpoints on different IBM Spectrum Scale nodes in the /var/mmfs/etc/RKM.conf file.
...
kmipServerUri = tls://keysrv.ibm.com:5696
kmipServerUri2 = tls://keysrv_backup.ibm.com:5696
...
...
kmipServerUri = tls://keysrv_backup.ibm.com:5696
kmipServerUri2 = tls://keysrv.ibm.com:5696
...