Use the chencryption command to manage the encryption state of the
system. This command applies only to models that support
encryption.
Syntax
chencryption [ -usb { enable | disable | validate | newkey -key { prepare | commit | cancel } } ] [ -keyserver { enable | disable | newkey -key { prepare | commit | cancel } } ]
Parameters
- -usb enable | disable | validate | newkey
- (Required if you do not specify -keyserver) Specifies whether encryption is enabled (or not enabled) or
the encryption keys are validated. You can also create new encryption keys, which are also stored on
universal serial bus (USB) flash drives for use if the system forgets the encryption keys.
- -usb enable
- Enables encryption capability on the system. Then specify -usb newkey to create new keys. Use this command when the system has encryption
hardware and encryption licenses (for example, the lsencryption value for
status is set to licensed).
- -usb disable
- Disables the encryption capability of the system. If no encryption key is prepared, this
operation is complete and no further action is needed. Do not use this command if an encryption key
is prepared or encrypted arrays already exist.
Remember: This removes all encryption keys
(that are not on the USB flash drive) from the system.
- -usb validate
- Verifies that encryption keys are present on the USB flash drive and makes sure that the keys
match the system encryption keys. Use this command when encryption is enabled and encryption keys
exist (for example, the lsencryption value for usb_rekey is set to
no).
- -usb newkey
- Generates a new encryption key on a USB flash drive attached to the system. Use this command
only if the minimum number of USB flash drives that can be used as key material stores are attached
to the system (as reported by lsportusb). When specifying this parameter, the
-key option must also be supplied.
- -keyserver enable | disable | newkey
- (Required if you do not specify -usb) Specifies the encryption task that
involves encryption keys that are managed by key servers.
- -keyserver enable
- Enables encryption capability on the system. Use this command when the system has encryption
hardware and encryption licenses (for example, the lsencryption value for
status is set to licensed).
- -keyserver disable
- Disables the encryption capability of the system. If no encryption key is prepared, this
operation is complete and no further action is needed. Do not use this command if an encryption key
is prepared or encrypted arrays already exist.
- -keyserver newkey
- Generates a new encryption key on the primary key server that is attached to the system. You must
also specify -key when you specify this parameter.
- -key prepare | commit | cancel
- (Optional) Manages the creation
of new or replacement encryption keys when -usb newkey or -keyserver newkey is specified.
- -key prepare
- Generates system encryption keys and writes those keys to all USB flash drives attached to the system.
If there is active encryption key material, confirm that at least one USB flash drive has the
current key material. Use this command only when the lsencryption value for
usb_rekey is set to no or no_key.
- -key commit
- Commits the prepared key as the current key. Use this command when the
lsencryption value for usb_rekey is set to
prepared and the number of USB encryption keys is at least the minimum number
required.
- -key cancel
- Cancels any prepared key changes. Use this command when the
lsencryption value for usb_rekey is set to
prepared.
Description
Use this command to manage the encryption state of the system.
It can turn on or turn
off USB key encryption or key server encryption (but you cannot disable encryption if there
are any encrypted arrays).
You can also rekey the external USB key or key server key information, which is divided
into three stages:
- prepare, which generates new keys and sets up the system to change encryption
keys during apply
- commit, which includes applying new keys (and copying key information)
- cancel, which rolls back the key setup performed during the
prepare and cancels the rekey request
Specify chencryption -keyserver newkey -key commit to add a new key on a key server.
Note: You cannot use USB flash drive authentication and key server authentication in parallel on the
same system.
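The three rekey stages above each carry a precondition on the lsencryption value for usb_rekey. The shell function below, an added example that is not part of the IBM reference, checks that precondition before a stage is run; the line format of lsencryption output ("attribute value" per line), the usb_count attribute and the minimum key count of 2 are assumptions made for illustration.

```shell
# Added example (not from the reference page). Assumed: lsencryption prints
# one "attribute value" pair per line, exposes a usb_count attribute, and the
# model's minimum number of USB key stores is 2. Verify against your system.
MIN_USB_KEYS=${MIN_USB_KEYS:-2}

# Constructed sample of lsencryption output, used in place of the real command.
SAMPLE_LSENCRYPTION='status licensed
usb_rekey prepared
usb_count 2'

# get_attr NAME OUTPUT: print the value of one attribute from lsencryption output.
get_attr() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# rekey_allowed STAGE OUTPUT: exit 0 if the page's precondition for
# "-usb newkey -key STAGE" holds in OUTPUT, 1 otherwise.
rekey_allowed() {
    stage=$1
    rekey=$(get_attr usb_rekey "$2")
    count=$(get_attr usb_count "$2")
    case $stage in
        prepare) [ "$rekey" = no ] || [ "$rekey" = no_key ] ;;
        commit)  [ "$rekey" = prepared ] && [ "${count:-0}" -ge "$MIN_USB_KEYS" ] ;;
        cancel)  [ "$rekey" = prepared ] ;;
        *)       return 1 ;;
    esac
}

# run_rekey_stage STAGE: run the stage only when its precondition holds.
# Falls back to the constructed sample when lsencryption is not available.
run_rekey_stage() {
    out=$(lsencryption 2>/dev/null) || out=$SAMPLE_LSENCRYPTION
    if rekey_allowed "$1" "$out"; then
        echo "chencryption -usb newkey -key $1"   # replace echo with the real call
    else
        echo "refusing -key $1: usb_rekey=$(get_attr usb_rekey "$out")" >&2
        return 1
    fi
}
```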
An invocation example
chencryption -usb enable
The resulting output:
No feedback
An invocation example
chencryption -usb newkey -key prepare
The resulting output:
No feedback
An invocation example
chencryption -usb newkey -key commit
The resulting output:
No feedback
An invocation example
chencryption -keyserver enable
The resulting output:
No feedback
An invocation example
chencryption -keyserver newkey -key prepare
The resulting output:
No feedback
An invocation example
chencryption -keyserver newkey -key commit
The resulting output:
No feedback