Restoring encrypted auxiliary storage pools

If you have an encrypted user or independent auxiliary storage pool (ASP), you must perform special steps to ensure that the data in these ASPs can be recovered.

To use disk encryption, you must have 5770-SS1 Option 45 - Encrypted ASP Enablement installed. The option to enable encryption is available when you create a user auxiliary storage pool (ASP) or independent ASP in System i® Navigator. You must set the ASP master key before you can create an encrypted independent auxiliary storage pool. The data keys for independent ASPs are kept with the storage pool and are protected with the ASP master key.

The ASP master key is not required for creating an encrypted user ASP.

After you create either an encrypted user ASP or an encrypted independent ASP, or change the data key for either type of ASP, perform a Save System (SAVSYS) operation so that the media has the correct encryption keys. The encryption keys are stored in the system ASP and saved during the SAVSYS operation.

If disk encryption is used in a clustering environment, you must set the master key manually on each system within the device domain.

Important: If you are using encrypted user ASPs and the system ASP fails, you must install the system ASP using the most recent SAVSYS media that contains the encryption keys. Otherwise, the encrypted ASPs are unusable because the encryption keys will not exist on the system. If the encrypted user ASP is not usable, the system will not IPL.

If you are using encrypted independent ASPs and the system ASP fails, you must install the Licensed Internal Code using the most recent SAVSYS media that contains the ASP master key, or manually set the ASP master key to the latest value. The encrypted independent ASPs cannot vary on to the system until the ASP master key is set correctly.

Remember: If you restore the Licensed Internal Code from the save media after a scratch installation, you must IPL to activate the Encryption ASP Enablement option so that you can create new encrypted ASPs. Any encrypted ASPs that are already configured will function correctly, though.
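The key-handling sequence above (set the ASP master key, create the encrypted ASP, then save the system ASP so the media carries the keys), written out as a CL session. This is an added example, not part of the IBM page: the command names ADDMSTPART, SETMSTKEY, VRYCFG, ENDSBS and SAVSYS and their parameters are taken from general IBM i knowledge rather than from this page, and the passphrases, the device name TAP01 and the independent ASP name IASPENC are placeholders.

```cl
/* Added example, not from the IBM page. Command names and parameters     */
/* are assumed from general IBM i knowledge; passphrases, TAP01 and       */
/* IASPENC are placeholders to replace with your own values.              */

/* 1. Set the ASP master key from one or more passphrase parts.           */
/*    In a cluster, run this same step on EVERY system in the device      */
/*    domain: the page states the master key is set manually per system. */
ADDMSTPART MSTKEY(*ASP) PASSPHRASE('replace-with-part-1-passphrase')
ADDMSTPART MSTKEY(*ASP) PASSPHRASE('replace-with-part-2-passphrase')
SETMSTKEY  MSTKEY(*ASP)

/* 2. Create the encrypted independent ASP in System i Navigator (the    */
/*    page gives no CL equivalent), then vary it on. A successful vary-on */
/*    confirms the data key can be unlocked with the master key just set. */
VRYCFG CFGOBJ(IASPENC) CFGTYPE(*DEV) STATUS(*ON)

/* 3. Save the system ASP so the save media holds the current keys.      */
/*    SAVSYS needs a restricted state; repeat this save after every       */
/*    data-key change, or the media no longer matches the keys in use.    */
ENDSBS SBS(*ALL) OPTION(*IMMED)
SAVSYS DEV(TAP01)
```

On the recovery side this is what makes the page's two paths work: if the system ASP is lost, restoring the Licensed Internal Code from this SAVSYS media brings the keys back with it; if only older media is available, step 1 is repeated by hand with the same passphrase parts so the master key returns to its latest value before the independent ASP is varied on.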

Recovering an encrypted user ASP: If you have an encrypted user ASP, choose one of the following methods to recover its data:

  • Reinstall the operating system using the most recent SAVSYS media.
    Reinstalling the operating system is only necessary if the system ASP is lost, because the keys would still be set in the system ASP if just the user ASP failed.
  • Delete and re-create the user ASP.
  • Clear the user ASP. Then remove or replace the failing drive if a bad disk is the reason for needing to recover the data in the user ASP.