Preparation for encryption

Preparing for encryption includes verifying the version of IBM Spectrum Scale™, installing a remote encryption key server, preparing the cluster, and preparing the encryption key server back ends.

Terms defined

You should be familiar with the following terms:

device group
See tenant.
file encryption key
A file encryption key (FEK) is an encryption key that a key client uses to encrypt a data file. See Encryption keys.
key client
A key client is a computer system, such as an IBM Spectrum Scale node, that retrieves master encryption keys from a key server.
key server
A key server, also known as a Remote Key Management (RKM) server, is a server that provides master encryption keys for key clients. Examples of key server software products are IBM Security Key Lifecycle Manager (SKLM) and Vormetric Data Security Manager (DSM).
master encryption key
A master encryption key (MEK) is an encryption key that a key client uses to encrypt a file encryption key. See Encryption keys.
tenant
A tenant is an entity on a key server that contains master encryption keys and certificates. In the Vormetric Data Security Manager (DSM), a tenant is called a device group.

Required software: IBM Spectrum Scale

The following table lists the versions of IBM Spectrum Scale that support encryption and the encryption setup methods:
Table 1. Required version of IBM Spectrum Scale
IBM® software Version Encryption set-up method
IBM Spectrum Scale V4.1 or later Regular setup
V4.2.1 or later Simplified setup

Required software: Remote Key Management (RKM) server

The next table shows the RKM server software that IBM Spectrum Scale supports.

Table 2. Remote Key Management servers
RKM server Version Type of encryption setup
IBM Security Key Lifecycle Manager (SKLM) V2.5.0.1 or later Regular setup
V2.5.0.4 or later Simplified setup
Vormetric Data Security Manager (DSM) V5.2.3 or later Regular setup
Note: IBM SKLM and Vormetric DSM have a complete implementation of the Key Management Interoperability Protocol (KMIP) standard of the Organization for the Advancement of Structured Information Standards (OASIS). IBM Spectrum Scale nodes use the KMIP protocol to retrieve keys from SKLM and Vormetric Data Security Manager (DSM) servers.

Preparing your cluster for encryption

Follow these steps:

  1. Verify the following items in your IBM Spectrum Scale cluster:
    • The cluster is running the correct version of IBM Spectrum Scale and the correct version of a supported RKM server. These versions are listed in Table 1 and Table 2.
    • The file system daemon is running.
  2. Ensure that the following packages are installed:
    • gpfs.gskit
    • gpfs.crypto
  3. Set up an IBM Spectrum Scale file system on the cluster. The version of the file system must be IBM Spectrum Scale Release 4.1 or later. Configure the following features on the file system:
    1. Create the file system with the inode size of 4 KB.This size is the recommended minimum size. The 4 KB inode size is recommended to accommodate the gpfs.Encryption extended attribute that is assigned to each encrypted file at file creation time. This extended attribute contains one or more wrapped file encryption keys (FEKs) so it can potentially grow large. For more information, see the help topic.
    2. Enable fast extended attributes. This setting is the default for a newly created file system if you are running V4.1 or later. However, if your file system was migrated from an earlier level, you might need to enter the following command to add support for fast extended attributes:
      mmmigratefs FsName --fastea

Preparing the remote key management (RKM) server

The preparation of the RKM server depends on the RKM server product that you select and the encryption method that you plan to follow. For more information, see the help topic in the following list that describes the setup of your RKM server:

RKM back ends

The RKM back end includes a local key client, a remote tenant, and an RKM server. A tenant, or device group, resides on the RKM server and contains master encryption keys that the key client can request. Each RKM back end is described in an RKM stanza in the RKM.conf file on the node.

By controlling the contents of this file, the cluster administrator can control which client nodes have access to master encryption keys (MEKs). For example, the same RKM server can be given two different names in /var/mmfs/etc/RKM.conf stanzas. Then, the administrator can partition a set of MEKs hosted on a single RKM server into separate subsets of MEKs. These subsets of MEKs might belong to subsets of the nodes of the cluster.

Because the master encryption keys (MEK) are cached in memory, some short-term outages while accessing a key server might not cause issues. However, failure to retrieve the keys might result in errors while creating, opening, reading, or writing files. Although the keys are cached, they are periodically retrieved from the key server to ensure their validity.

To ensure that MEKs are always available, it is recommended that multiple key servers be set up in a high-availability configuration. See the subtopic Identifying multiple RKM back ends in a high-availability configuration.

Note: If you are using the simplified method, then the mmkeyserv command manages its own RKM.conf file and updates it automatically. This includes adding any backup servers for High Availability and other key retrieval properties. The RKM.conf file that the mmkeyserv command manages is in the /var/mmfs/ssl/keyServ directory.

The RKM.conf file and the RKM stanza

The full path of the RKM.conf file is /var/mmfs/etc/RKM.conf. The following limits apply:
  • The length cannot exceed 1 MiB.
  • No limit is set on the number of RKM stanzas, if the length limit is not exceeded.
After the file system is configured with encryption policy rules, the file system is considered encrypted. From that point on, each node that has access to that file system must have an RKM.conf file present. Otherwise, the file system might not be mounted or might become unmounted.
Each RKM stanza in the RKM.conf file describes a connection between a local key client, a remote tenant, and an RKM server. The following code block shows the structure of an RKM stanza:
RKM ID {
   type = ISKLM
   kmipServerUri = tls://host:port
   keyStore = /PathToKeyStoreFile
   passphrase = Password
   clientCertLabel = LabelName
   tenantName = NameOfTenant
   [connectionTimeout = ConnectionTimeout]
   [connectionAttempts = ConnectionAttempts]
   [retrySleep = RetrySleepUsec]
}
where the terms of the stanza have the following meanings:
RKM ID
The name of the stanza.
type
ISKLM for the regular setup and the simplified setup. KMIP for the Vormetric DSM setup.
kmipServerUri
The DNS name or IP address of the SKLM or DSM server and the KMIP SSL port.
keyStore
The path and name of the client keystore.
passphrase
The password of the client keystore and client certificate.
clientCertLabel
The label of the client certificate in the client keystore.
tenantName
The name of the tenant or device group.
connectionTimeout
The connection timeout, in seconds. The default is 60 seconds. The valid range is 1 - 120 seconds.
connectionAttempts
The number of connection attempts. The default is 3 attempts. The valid range is 1 - 10.
retrySleep
The retry sleep time, in microseconds. The default is 100,000 (0.1 seconds). The valid range is 1 - 10,000,000 microseconds.

Identifying multiple RKM back ends in a high-availability configuration

The SKLM supports automated replication across multiple nodes for high-availability deployments. To identify multiple RKM back ends in a high-availability configuration, specify any of the following optional parameters: 
rkmname3 {
...
   kmipServerUri2 = tls://host:port     # TLS connection to clone number 1 to host on port
   kmipServerUri3 = tls://host:port     # TLS connection to clone number 2 to host on port
   kmipServerUri4 = tls://host:port     # TLS connection to clone number 3 to host on port
   kmipServerUri5 = tls://host:port     # TLS connection to clone number 4 to host on port
   kmipServerUri6 = tls://host:port     # TLS connection to clone number 5 to host on port
...
}

If at least one backup is configured, whenever key retrieval from the master fails, IBM Spectrum Scale looks in each backup until it finds the MEK. The addition of the URIs for the clone servers is the only required change within IBM Spectrum Scale. All other configuration parameters (certificates, keys, node, and tenant information) do not need to change, because they are also part of the set of information that is replicated. The administrator is responsible for creating and maintaining any backups.

Additionally, setting up SKLM key server clones can help gain some performance advantage by distributing MEK retrieval requests across the different clones in a round-robin fashion. To achieve this result, the administrator must specify different orderings of the server endpoints on different IBM Spectrum Scale nodes in the /var/mmfs/etc/RKM.conf file.

For example, if two cloned SKLM servers are available (such as tls://keysrv.ibm.com:5696 and tls://keysrv_backup.ibm.com:5696), half of the nodes in the cluster can have the following content in /var/mmfs/etc/RKM.conf:
...
   kmipServerUri  = tls://keysrv.ibm.com:5696
   kmipServerUri2 = tls://keysrv_backup.ibm.com:5696
...
The other half can use the following content:
...
   kmipServerUri  = tls://keysrv_backup.ibm.com:5696
   kmipServerUri2 = tls://keysrv.ibm.com:5696
...
Parent topic: Encryption