Enabling encryption with key servers

Encryption key servers create and manage encryption keys that are used by the system.

A key server is a centralized server or application that receives and then distributes encryption keys to the system. The system can connect to the key servers over either a public network or a separate private network; in both cases the connection is authenticated in each direction by the certificates that are described later in this topic, so those certificate steps are required wherever the key server is located.

The system supports enabling encryption with an IBM Security Key Lifecycle Manager key server. Before you can create the key server object on the system, the key server must be configured. IBM Security Key Lifecycle Manager supports the Key Management Interoperability Protocol (KMIP), an OASIS standard protocol through which a client such as the system requests and manages cryptographic keys that are held on a key server. IBM Security Key Lifecycle Manager can be used to create managed keys for the system and to grant access to these keys to a client that presents a trusted certificate.

When you create IBM Security Key Lifecycle Manager key server objects, you must specify the IP address, port, certificate, and device group. A device group is a collection of storage identifiers, keys, and groups of keys; it restricts management to a subset of the devices in a larger pool, so the system can reach only the keys that belong to its own group. The system must be defined on the key server in the SPECTRUM_VIRT device group. If the SPECTRUM_VIRT device group does not exist on the key server, create it based on the GPFS™ device family.

Prerequisites for enabling encryption

Ensure that you complete the following tasks on the IBM Security Key Lifecycle Manager before you enable encryption:
  1. Configure IBM Security Key Lifecycle Manager to use the protocol setting that it labels Transport Layer Security version 2 (TLSv2). The default setting on IBM Security Key Lifecycle Manager is TLSv1, which the system does not accept; the system supports only version 2.
  2. Ensure that the database service is started automatically on startup.
  3. Ensure that a valid SSL certificate is installed and in use on the key server. The certificate that the key server presents (or the CA certificate that signed it) is the one that you upload to the system later in this procedure.
  4. Specify the SPECTRUM_VIRT device group for the system definition.
For more information about completing these tasks, see the IBM Security Key Lifecycle Manager Knowledge Center.

Using the management GUI

To enable encryption with a key server, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Click Enable Encryption.
  3. On the Welcome panel, select Key Servers. Click Next.
  4. Select IBM SKLM (with KMIP) as the key server type.
  5. Enter the name, IP address, and port for the key server.
  6. Select SPECTRUM_VIRT as the device group for the key server. The same device group must also be configured on the key server for the system.
  7. On the Key Server Certificate page, upload the key server certificates that the system must trust. A key server can present either a certificate issued by a trusted third party, called a certificate authority (CA), or a self-signed certificate that was created on the key server; a configuration can mix both kinds. If several key servers present certificates that are signed by the same CA, upload that one CA certificate, which covers all of them. Each self-signed certificate must be uploaded to the system separately. A self-signed certificate that is installed for a key server takes priority over any CA certificate that is installed on the system for the key servers.
  8. On the System Encryption Certificate page, click Export Public Key to download the system's public key certificate from the system. The system encryption certificate can be self-signed or CA-signed. It is uploaded to each key server so that the key server trusts the system; together with the key server certificates from the previous step, this establishes trust in both directions between the system and each key server. If the system has no certificate yet, create one under Settings > Security > Secure Communications. For information on key server certificates and system encryption certificates, see the topic about certificates that are used for key servers.
  9. Copy the system's public key certificate to each configured key server as a trusted certificate. See the IBM® Security Key Lifecycle Manager Knowledge Center for details.
  10. Return to the System Encryption Certificate page and select The system's public key certificate has been transferred to each configured key server.
  11. On the Summary page, verify the configuration for the key servers and click Finish.
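The prerequisites above (TLS version and a valid key server certificate) and step 7 of this procedure (which certificates to upload) are worth checking before anything is typed into the system. The following script is an added example; it is not part of the IBM documentation or of the product. It assumes openssl on the administrator's workstation, PEM-encoded certificates, and that the host name sklm1.example, port 5696 (KMIP's registered port) and the file names are placeholders. It fetches the certificate that a key server's KMIP port presents while forcing TLS 1.2, tells you whether that certificate is self-signed or CA-signed, warns if it is close to expiry, and prints which file must be uploaded to the system according to the rules in step 7.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation or of the product: pre-flight
# checks on a key server's certificate before it is uploaded to the system.
# Assumes: openssl on the admin workstation; PEM-encoded certificates; host names,
# ports and file names used here are placeholders.
set -u

# Capture an openssl s_client transcript from the KMIP port, forcing TLS 1.2
# (the only version the system accepts). Needs network access to the key server.
fetch_tls_transcript() {  # host port
    openssl s_client -connect "$1:$2" -tls1_2 -showcerts </dev/null 2>&1
}

# Succeed only if the transcript on stdin shows a TLSv1.2 session.
negotiated_tls12() {
    grep -q '^ *Protocol *: *TLSv1\.2 *$'
}

# Write the first (leaf) certificate of a transcript file to a PEM file.
leaf_cert_from_transcript() {  # transcript-file out.pem
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        awk '/BEGIN CERTIFICATE/ { n++ } n == 1' > "$2"
}

# Print "self-signed" when subject and issuer are the same name, else "ca-signed".
cert_kind() {  # cert.pem
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-signed; fi
}

# Succeed if the certificate stays valid for at least the given number of days.
cert_valid_for_days() {  # cert.pem days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if the certificate verifies against the CA certificate that would be
# uploaded to the system in its place.
chains_to_ca() {  # cert.pem ca.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Upload plan for one key server certificate, following the page's rules:
# a self-signed certificate is uploaded itself; a CA-signed certificate is
# covered by the single CA certificate only if it really chains to it.
upload_plan() {  # cert.pem ca.pem-or-empty-string
    case $(cert_kind "$1") in
        self-signed) echo "upload $1 itself (self-signed; takes priority over the CA certificate)" ;;
        ca-signed)
            if [ -n "$2" ] && chains_to_ca "$1" "$2"; then
                echo "covered by CA certificate $2"
            else
                echo "ERROR: $1 is CA-signed but does not verify against ${2:-<no CA certificate given>}"
                return 1
            fi ;;
    esac
}

# Full check for one live key server (placeholders: sklm1.example, 5696, ca.pem).
check_key_server() {  # host port ca.pem-or-empty-string
    t=$(mktemp) && fetch_tls_transcript "$1" "$2" > "$t"
    negotiated_tls12 < "$t" || { echo "ERROR: $1:$2 did not negotiate TLSv1.2" >&2; rm -f "$t"; return 1; }
    leaf_cert_from_transcript "$t" "$1.pem" && rm -f "$t"
    cert_valid_for_days "$1.pem" 30 || echo "WARNING: $1 certificate expires within 30 days" >&2
    upload_plan "$1.pem" "$3"
}
# Usage:  check_key_server sklm1.example 5696 ca.pem
```

Run check_key_server once per key server. A "did not negotiate TLSv1.2" error means the TLS prerequisite is not met and the system will not be able to connect; an "is CA-signed but does not verify" error means the single CA certificate you planned to upload does not actually cover that key server, so either upload the correct CA certificate or that server's own certificate.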

Using the command-line interface

To enable encryption with a key server, complete the following steps:
  1. Enter the following CLI command to enable encryption on your system:
    chencryption -keyserver enable
  2. Enable the IBM Security Key Lifecycle Manager key server type and, if the key servers use CA-signed certificates, supply the certificate authority (CA) certificate:
    chkeyserverisklm -enable -sslcert /tmp/CASigned.crt
  3. Create a key server object. Use -sslcert to supply that key server's own certificate if it is self-signed, and -primary to mark it as the primary key server:
    mkkeyserver -ip ip_address -port port -sslcert /tmp/self-signed.crt -primary
  4. Create a new system encryption key and prepare it on the key server:
    chencryption -keyserver newkey -key prepare
  5. Verify that the new key is prepared and has been copied to the key server:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared, which indicates that the new key is ready to be committed. Do not run the commit until it does.
  6. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
    This command makes the prepared key the current key and stores the key values on all configured key servers.
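The six CLI steps above, as an added example script that is not IBM's own tooling. It sends each command to the system over SSH and refuses to run the commit until lsencryption reports keyserver_rekey prepared, which is the check step 5 asks for. It assumes an SSH login to the system with authority to run chencryption, that the certificate files have already been copied to /tmp on the system, and that lsencryption prints one name-value pair per line; the system address and the key server addresses are placeholders.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: runs the CLI sequence above over SSH and
# gates the commit on lsencryption reporting keyserver_rekey prepared.
# Assumptions (placeholders): an SSH login to the system with authority to run
# chencryption; the certificate files already copied to /tmp on the system;
# lsencryption printing one "name value" pair per line.
set -eu

SYSTEM=${SYSTEM:-superuser@cluster.example}   # placeholder
PRIMARY_KS=${PRIMARY_KS:-192.0.2.10}          # placeholder addresses (TEST-NET-1)
SECONDARY_KS=${SECONDARY_KS:-192.0.2.11}
KS_PORT=${KS_PORT:-5696}                      # KMIP's IANA-registered port; adjust if SKLM listens elsewhere
CA_CERT=${CA_CERT:-/tmp/CASigned.crt}         # CA certificate, as in step 2

# All commands are typed into the system CLI; here each one is sent over SSH.
sys() { ssh "$SYSTEM" "$@"; }

# Read one parameter from lsencryption output on stdin (assumed "name value" lines).
encryption_param() {  # name
    awk -v k="$1" '$1 == k { print $2; exit }'
}

rekey_state() { encryption_param keyserver_rekey; }

# The commit gate: only a key in state "prepared" may be committed.
ready_to_commit() { [ "$(rekey_state)" = prepared ]; }

# Create one key server object; pass that server's self-signed certificate file
# (or '' when the CA certificate from step 2 covers it) and, optionally, -primary.
add_key_server() {  # ip self-signed-cert-or-empty [-primary]
    if [ -n "$2" ]; then
        sys mkkeyserver -ip "$1" -port "$KS_PORT" -sslcert "$2" ${3:-}
    else
        sys mkkeyserver -ip "$1" -port "$KS_PORT" ${3:-}
    fi
}

enable_key_server_encryption() {
    sys chencryption -keyserver enable                       # step 1
    sys chkeyserverisklm -enable -sslcert "$CA_CERT"         # step 2
    add_key_server "$PRIMARY_KS" '' -primary                 # step 3
    add_key_server "$SECONDARY_KS" ''
    sys chencryption -keyserver newkey -key prepare          # step 4
    if sys lsencryption | ready_to_commit; then              # step 5
        sys chencryption -keyserver newkey -key commit       # step 6
    else
        echo "keyserver_rekey is not 'prepared'; leaving the new key uncommitted" >&2
        return 1
    fi
}
# Run with:  enable_key_server_encryption
```

The script stops (set -e) at the first command the system rejects, so a failed mkkeyserver, for example because the uploaded certificate does not match what the key server presents, never reaches the prepare or commit steps. If the gate fails, the prepared key stays uncommitted and the system keeps using its current key; fix the key server connectivity, re-run lsencryption, and commit only once keyserver_rekey reads prepared.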