Creating storage policy for object encryption

Use the following information to create a storage policy with the encryption function enabled and to create a storage policy with the encryption schedule defined.

To create a storage policy with the encryption function enabled, use the mmobj policy create command as follows:

  mmobj policy create PolicyName [-f FilesetName] [-i MaxNumInodes]
    {[--enable-compression --compression-schedule CompressionSchedule]}
    [--enable-file-access] {[--enable-encryption --encryption-keyfile EncryptionKeyFileName [--force-rule-add]]}

where
  • PolicyName is the name of the storage policy to be created.
  • FilesetName is the name of the fileset the created storage policy must use. This parameter is optional.
  • MaxNumInodes specifies the inode limit for the new inode space. This parameter is optional.
  • --enable-compression enables a compression policy. This parameter is optional.
  • CompressionSchedule specifies the compression schedule. This parameter is optional.
  • --enable-file-access enables a file-access policy. This parameter is optional.
  • --enable-encryption enables an encryption policy. This parameter is optional.
  • EncryptionKeyFileName specifies the encryption key file (fully qualified path). This parameter is optional.
  • --force-rule-add specifies whether to add and establish the new rule if other rules already exist. This parameter is optional.

The --force-rule-add parameter decides, in the following cases, whether the GPFS™ policy rules are established.

  • --force-rule-add is not set:
    • During policy creation, the command checks whether a GPFS policy rule is already established.
    • If yes, the new encryption rule is not established but is printed on the command screen.
    • If no previous policy rule is established, the new encryption rule is established and printed on the command screen.
  • --force-rule-add is set:
    • During policy creation, the command checks whether a GPFS policy rule is already established.
    • If yes, the new encryption rule is added to the already established rules and the GPFS policy for the file system is updated. The new encryption rule is printed on the command screen.
    • If no previous policy rule is established, the new encryption rule is established and printed on the command screen.
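The following POSIX shell wrapper is an added example and is not part of the IBM documentation or the mmobj tool. It performs the pre-flight check a practitioner would want before invoking the command above: the key file must be a fully qualified (absolute) path and readable, otherwise the CLI fails and triggers the cleanup described later. The function names, the policy and fileset names, and the key file path are constructed placeholders; mmobj itself is only present on a Spectrum Scale CES node, so the wrapper prints the command it would run when mmobj is not on PATH.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight wrapper for
# "mmobj policy create" with encryption enabled.

# check_keyfile KEYFILE
# Returns 0 if KEYFILE is an absolute path and readable, 1 otherwise.
# The CLI requires a fully qualified key file name; checking first
# avoids a failed run and the resulting fileset cleanup.
check_keyfile() {
    keyfile="$1"
    case "$keyfile" in
        /*) ;;   # absolute path: ok
        *)  echo "error: key file '$keyfile' is not fully qualified" >&2
            return 1 ;;
    esac
    if [ ! -r "$keyfile" ]; then
        echo "error: key file '$keyfile' is not readable" >&2
        return 1
    fi
    return 0
}

# build_create_cmd POLICY FILESET KEYFILE [force]
# Prints the mmobj command line without running it (dry run).
# Pass "force" as the fourth argument to append --force-rule-add,
# which adds the new rule to already established GPFS policy rules.
build_create_cmd() {
    policy="$1"; fileset="$2"; keyfile="$3"; force="${4:-}"
    set -- mmobj policy create "$policy" -f "$fileset" \
        --enable-encryption --encryption-keyfile "$keyfile"
    if [ "$force" = "force" ]; then
        set -- "$@" --force-rule-add
    fi
    printf '%s\n' "$*"
}

# create_encryption_policy POLICY FILESET KEYFILE [force]
# Validates the key file, then runs mmobj when it is available.
# Returns 1 on a bad key file, 2 when mmobj is not on PATH.
create_encryption_policy() {
    policy="$1"; fileset="$2"; keyfile="$3"; force="${4:-}"
    check_keyfile "$keyfile" || return 1
    set -- mmobj policy create "$policy" -f "$fileset" \
        --enable-encryption --encryption-keyfile "$keyfile"
    if [ "$force" = "force" ]; then
        set -- "$@" --force-rule-add
    fi
    if command -v mmobj >/dev/null 2>&1; then
        "$@"
    else
        echo "mmobj not found; would run: $*" >&2
        return 2
    fi
}

# Constructed sample invocation (placeholder names and path):
# create_encryption_policy encPolicy encFileset /var/mmfs/etc/obj-enc.keyfile force
```

The arguments are passed as separate words rather than concatenated into a string, so a policy name or key file path containing spaces or shell metacharacters cannot alter the command that is run.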

During command execution the encryption policy and rule will be created. A GPFS policy rule file will be created and used to establish the policy rule.

Policy Rule File:
  • filename = /var/mmfs/ces/policyencryption.rule
Note: The filename is auto-generated.

After the encryption policy is created, the new encryption policy is printed on the command screen for the user's information, as determined by the --force-rule-add parameter.

If an error occurs while creating the encryption part, the local cleanup function is called to remove the just-created fileset, and the mmobj policy create CLI script exits. The existing rules and policies are not changed.

Note: The same encryption functionality and restrictions apply to object encryption as they apply for file encryption.