Encryption and snapshots

IBM Spectrum Scale™ preserves the encryption status of files when they are copied into global or fileset snapshots.

The global snapshot restore operation restores encrypted files together with their file encryption keys (FEKs) and master encryption keys (MEKs). For more information, see the topic mmrestorefs command in the IBM Spectrum Scale Command and Programming Reference.

As snapshots are taken of a file system or fileset that includes encrypted files, subsequent operations on the active files and snapshots depend on the continuing availability of the MEKs for those files.

Over time, some MEKs might no longer be accessible. For example, MEKs can be deleted from the server as a result of secure deletion. Similarly, encrypted files might be moved to a different key server and have their FEKs rewrapped with MEKs from the new server, after which the old server might be decommissioned.

All snapshots that include encrypted files whose MEKs will no longer be accessible must be deleted with the mmdelsnapshot command before the current MEKs become unavailable. Otherwise, those snapshots can no longer be removed, as is also the case for active files whose keys are no longer available.