Preparation for encryption

Preparing for encryption includes verifying the version of IBM Spectrum Scale, installing a remote encryption key server, preparing the cluster, and preparing the encryption key server back ends.

Terms defined
Required software: IBM Spectrum Scale
Required software: Remote Key Management (RKM) server
Preparing your cluster for encryption
Preparing the remote key management (RKM) server
RKM back ends
The RKM.conf file and the RKM stanza
Adding backup RKM servers in a high-availability configuration
The client keystore directory and its files

Terms defined

The following terms are important:

device group

See tenant.

file encryption key

A file encryption key (FEK) is a key for encrypting file data. See Encryption keys.

host

See tenant.

key client

A key client is an entity in the cluster that represents the nodes that access encrypted files. The key client receives master encryption keys from the tenant of the RKM server.

key server or Remote Key Management (RKM) server

A key server is a server that authenticates key clients and provides them with master encryption keys. Examples of key server software products are IBM® Security Key Lifecycle Manager (SKLM) and Thales Vormetric Data Security Manager (DSM).

master encryption key

A master encryption key (MEK) is a key for encrypting file encryption keys.

tenant

A tenant is an entity on a key server that contains master encryption keys and certificates.

In the IBM Security Key Lifecycle Manager (SKLM), a tenant is called a device group.
In the Thales Vormetric Data Security Manager (DSM), a tenant is called a host.
The mmkeyserv command uses the generic keyword tenant.

Simplified setup and regular setup

The simplified setup is a method for configuring the encryption environment in which you use the mmkeyserv utility to configure and manage cluster-wide encryption configuration. This method is much preferred if your key server is the IBM Security Lifecycle Key Manager (SKLM) because the mmkeyserv utility automatically performs many of the steps that must be done manually in the regular setup. You can use this setup method only with the IBM Security Lifecycle Key Manager.

The regular setup is a method for configuring the encryption environment in which you generate client credentials and then manually edit and distribute encryption configuration files to the nodes in the cluster. You can use this setup method with either the IBM Security Lifecycle Key Manager (SKLM) or the Thales Vormetric Data Security Manager (DSM).

Note:

See the remaining subtopics in this help topic for number of important differences between the two methods.
For more information, see the instructions for the simplified setup and regular setup in the help topics that follow this topic.

Required software: IBM Spectrum Scale

The following table lists the versions of IBM Spectrum Scale that support encryption and the encryption setup methods:

Table 1. Required version of IBM Spectrum Scale
IBM software	Version	Encryption setup
IBM Spectrum Scale Advanced Edition Data Management Edition Erasure Code Edition	V4.1 or later	Regular setup Regular setup with certificate chain
	V4.2.1 or later	Simplified setup

Required software: Remote Key Management (RKM) server

The next table shows the RKM server software that IBM Spectrum Scale supports.

Table 2. Remote Key Management servers
RKM server	Version	Type of encryption setup
IBM Security Key Lifecycle Manager (SKLM)	V2.5.0.1 or later	Regular setup Regular setup with certificate chain
IBM Security Key Lifecycle Manager (SKLM)	V2.5.0.4 or later	Simplified setup Simplified setup with certificate chain
Thales Vormetric Data Security Manager (DSM)	V5.2.3 Versions later than V5.2.3 and earlier than V6.0.2 V6.2 The following versions of Vormetric DSM are not supported: V6.0.2, V6.0.3, and V6.1.x.¹	Regular setup
¹ For the latest information see IBM Spectrum Scale Knowledge Center Question 2.15, "What are the requirements/limitations for using native encryption in IBM Spectrum® Scale Advanced Edition, Data Management Edition, or Erasure Code Edition?"

Note: IBM SKLM and supported versions of Thales Vormetric DSM have a complete implementation of the Key Management Interoperability Protocol (KMIP) standard of the Organization for the Advancement of Structured Information Standards (OASIS). IBM Spectrum Scale nodes use the KMIP protocol to retrieve keys from SKLM and Vormetric Data Security Manager (DSM) servers.

Preparing your cluster for encryption

Follow these steps:

Verify the following items in your IBM Spectrum Scale cluster:
- The cluster is running the correct version of IBM Spectrum Scale and the correct version of a supported RKM server. These versions are listed in Table 1 and Table 2.
- The file system daemon is running.
Ensure that the following packages are installed:
- gpfs.gskit
- gpfs.crypto
Set up an IBM Spectrum Scale file system on the cluster. The version of the file system must be IBM Spectrum Scale Release 4.1 or later. Configure the following features on the file system:
1. Create the file system with the inode size of 4 KB. This size is the recommended minimum size. The 4-KB inode size is recommended to accommodate the GPFS encryption extended attribute that is assigned to each encrypted file at file creation time. This extended attribute contains one or more wrapped file encryption keys (FEKs) so it can potentially grow large. For more information, see Encryption policies.
2. Enable fast extended attributes. This setting is the default for a newly created file system if you are running V4.1 or later. To verify that fast extended attributes are enabled, issue a command like the following one:
```
mmlsfs <Device> --fastea
```
  where <Device> is the name of the file system. However, if your file system was migrated from an earlier level, enter the following command to add support for fast extended attributes:
```
mmmigrate <Device> --fastea
```
  where <Device> is the name of the file system. For more information, see Completing the upgrade to a new level of IBM Spectrum Scale.

Preparing the remote key management (RKM) server

The preparation of the RKM server depends on the RKM server product that you select and the encryption setup that you plan to follow. For more information, see the help topic in the following list that describes the setup of your RKM server:

RKM back ends

An RKM back end defines a connection between a local key client, a remote key tenant, and an RKM server. Each RKM back end is described in an RKM stanza in an RKM.conf file on each node that is configured for encryption.

By controlling the contents of the RKM.conf file, the cluster administrator can control which client nodes have access to master encryption keys (MEKs). For example, the same RKM server can be given two different names in /var/mmfs/etc/RKM.conf stanzas. Then, the administrator can partition a set of MEKs hosted on a single RKM server into separate subsets of MEKs. These subsets of MEKs might belong to subsets of the nodes of the cluster.

Because the master encryption keys (MEK) are cached in memory, some short-term outages while attempting to access a key server might not cause issues. However, failure to retrieve the keys might result in errors while creating, opening, reading, or writing files. Although the keys are cached, they are periodically retrieved from the key server to ensure their validity.

To ensure that MEKs are always available, it is a good practice to set up multiple key servers in a high-availability configuration. See the subtopic Adding backup RKM servers in a high-availability configuration.

The RKM.conf file and the RKM stanza

The management of the RKM.conf file and its stanzas depends on the setup:

In the simplified setup, the mmkeyserv command manages its own RKM.conf file and updates it automatically. This management includes adding any backup servers for High Availability and other key retrieval properties.
In the regular setup and the Vormetric setup, you must manage the RKM.conf file and its contents.

The location of the RKM.conf file also depends on the setup:

Table 3. The RKM.conf file
Setup	Location of the RKM.conf file
Simplified setup	/var/mmfs/ssl/keyServ/RKM.conf
Regular setup	/var/mmfs/etc/RKM.conf
Vormetric DSM setup	/var/mmfs/etc/RKM.conf

The length of the RKM.conf file cannot exceed 1 MiB. No limit is set on the number of RKM stanzas, if the length limit is not exceeded.

After the file system is configured with encryption policy rules, the file system is considered encrypted. From that point on, each node that has access to that file system must have an RKM.conf file present. Otherwise, the file system might not be mounted or might become unmounted.

Each RKM stanza in the RKM.conf file describes a connection between a local key client, a remote tenant, and an RKM server. The following code block shows the structure of an RKM stanza:


RKM ID {
   type = ISKLM
   kmipServerUri = tls://host:port
   keyStore = PathToKeyStoreFile
   passphrase = Password
   clientCertLabel = LabelName
   tenantName = NameOfTenant
   [connectionTimeout = ConnectionTimeout]
   [connectionAttempts = ConnectionAttempts]
   [retrySleep = RetrySleepUsec]
}

where the terms of the stanza have the following meanings:

RKM ID: The name of the stanza.
type: ISKLM for the regular setup and the simplified setup. KMIP for the Vormetric DSM setup.
kmipServerUri: The DNS name or IP address of the SKLM or DSM server and the KMIP SSL port.
keyStore: The path and name of the client keystore.
passphrase: The password of the client keystore and client certificate.
clientCertLabel: The label of the client certificate in the client keystore.
tenantName: The name of the tenant or device group.
connectionTimeout: The connection timeout, in seconds. The default is 60 seconds. The valid range is 1 - 120 seconds.
connectionAttempts: The number of connection attempts. The default is three attempts. The valid range is 1 - 10.
retrySleep: The retry sleep time, in microseconds. The default is 100,000 (0.1 seconds). The valid range is 1 - 10,000,000 microseconds.

The client keystore directory and its files

The files in the client keystore directory include the client keystore file, the public and private key files for the client, and possibly other files that are described in later topics.

The management of these files depends on the setup:

In the simplified setup, the mmkeyserv command creates and updates the files in the client keystore directory automatically.
In the regular setup and the Vormetric setup, you must run various commands to create and update the files.

The location of the client keystore directory also depends on the setup:

Table 4. The client keystore directory
Setup	Location of the client keystore directory
Simplified setup	/var/mmfs/ssl/keyServ
Regular setup	/var/mmfs/etc/RKMcerts
Vormetric DSM setup	/var/mmfs/etc/RKMcerts

Adding backup RKM servers in a high-availability configuration

You can add up to five backup RKM servers to your configuration if necessary to improve the reliability or performance of master encryption key retrieval. A backup RKM server is specified by adding a line in the following format to the RKM stanza:

<server_name>=<IP_address:port_number>

The line must be added either immediately after the line that specifies the primary RKM server or immediately after a line that specifies another backup RKM server. In the following example, the maximum of five backup RKM servers is specified:


rkmname3 {
   type = ISKLM
   kmipServerUri = tls://host:port
   kmipServerUri2 = tls://host:port     # TLS connection to backup RKM server 1
   kmipServerUri3 = tls://host:port     # TLS connection to backup RKM server 2
   kmipServerUri4 = tls://host:port     # TLS connection to backup RKM server 3
   kmipServerUri5 = tls://host:port     # TLS connection to backup RKM server 4
   kmipServerUri6 = tls://host:port     # TLS connection to backup RKM server 5
   keyStore = PathToKeyStoreFile
   passphrase = Password
   clientCertLabel = LabelName
   tenantName = NameOfTenant
   [connectionTimeout = ConnectionTimeout]
   [connectionAttempts = ConnectionAttempts]
   [retrySleep = RetrySleepUsec]
}

Note: In the regular setup method you must add each line manually; in the simplified setup lines are added automatically in response to mmkeyserv commands. For more information see the following subtopics:

• Regular setup: See the subtopic "Part 3: Configuring the remote key management (RKM) back end" in the topic Regular setup: Using SKLM with a self-signed certificate.
• Simplified setup: See the subtopic "Adding backup key servers" in the topic Simplified setup: Doing other tasks.

If at least one backup RKM server is configured, then whenever key retrieval from the primary RKM server fails, IBM Spectrum Scale queries each backup RKM server in the list, in order, until it finds the MEK. The addition of the URIs for the backup RKM servers is the only change that is required within IBM Spectrum Scale. All other configuration parameters (certificates, keys, node, and tenant information) do not need to change, because they are also part of the set of information that is replicated. The administrator is responsible for creating and maintaining any backups.

Additionally, setting up backup RKM servers can help gain some performance advantage by distributing MEK retrieval requests across the backup RKM servers in a round-robin fashion. To achieve this result, the administrator must specify different orderings of the server endpoints on different IBM Spectrum Scale nodes in the /var/mmfs/etc/RKM.conf file.

For example, if two backup RKM servers are available, such as tls://keysrv.ibm.com:5696 and tls://keysrv_backup.ibm.com:5696, half of the nodes in the cluster can have the following content in /var/mmfs/etc/RKM.conf:

...
   kmipServerUri  = tls://keysrv.ibm.com:5696
   kmipServerUri2 = tls://keysrv_backup.ibm.com:5696
...

The other half can use the following content:

...
   kmipServerUri  = tls://keysrv_backup.ibm.com:5696
   kmipServerUri2 = tls://keysrv.ibm.com:5696
...