Rekeying an encryption-enabled system using a key server

Rekeying is the process of creating a new key for the system. To create a new key, encryption must be enabled on the system; however, the rekey operation works whether or not there are encrypted arrays. Encryption is supported on Lenovo Storage V5030 models only. If you configured a key server to manage encryption keys, you can generate new keys with the encryption key server.

Using the management GUI

During the rekey process, the key server generates a new key and the existing key becomes obsolete.

Before you generate a new key on all configured key servers, the key servers must be online and connected to the system. In the management GUI, select Settings > Security > Encryption. Expand Key Servers to display details on all the configured key servers on the system. Verify that the status of the key servers is online and available to the system.

To rekey the system that uses a key server, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Expand Key Servers to display all the configured key servers on the system and select Rekey.

Using the command-line interface

Before you generate a new key on all configured key servers, the key servers must be online and connected to the system. In the command-line interface, enter lskeyserver to verify whether the key server is online and available to the system.

To rekey the system that uses a key server, complete these steps:
  1. Verify that encryption is enabled on the system by entering this command:
    lsencryption
    Ensure that the status indicates that the encryption is enabled.
  2. After verifying that encryption is enabled, verify that the key server is online and available by entering this command:
    lskeyserver
    Ensure that the status for all available key servers is online.
  3. After verifying that encryption is enabled and the key server is online, prepare the system to rekey the encryption keys that are currently in use. To prepare the rekey operation, enter the following command:
    chencryption -keyserver newkey -key prepare
  4. To verify that the system is prepared and the keys are copied to the key server, enter the following command:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  5. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
    This command makes the prepared key the current key and stores the key values on the primary key server.
  6. Verify that the new key is committed by entering the following command:
    lsencryption
    Ensure that the value in the keyserver_rekey parameter is no
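
The checks that gate the prepare and commit commands in the steps above, written as a script for an administration host (an added example, not Lenovo's code). It assumes lsencryption prints one name and value per line and lskeyserver prints a header row with name and status columns; the sample output is constructed.

```shell
#!/bin/sh
# Added example: gate checks for the rekey steps, applied to captured CLI output.
# Output layouts are assumptions; all sample values below are constructed.

# Constructed lsencryption output (assumed layout: "name value" per line).
SAMPLE_LSENCRYPTION='status enabled
keyserver_status enabled
keyserver_rekey prepared'

# Constructed lskeyserver output (assumed layout: header row, then one row per server).
SAMPLE_LSKEYSERVER='id name status IP_address port primary
0 keyserver0 online 192.0.2.10 5696 yes
1 keyserver1 offline 192.0.2.11 5696 no'

# enc_field TEXT NAME: print the value of field NAME from lsencryption text.
enc_field() {
  printf '%s\n' "$1" | awk -v f="$2" '$1 == f { print $2; exit }'
}

# offline_keyservers TEXT: print the names of key servers that are not online.
# Fails closed: a missing status column or an empty list is reported as a problem.
offline_keyservers() {
  printf '%s\n' "$1" | awk '
    NR == 1 {
      for (i = 1; i <= NF; i++) { if ($i == "status") s = i; if ($i == "name") n = i }
      next
    }
    NF { rows++; if ($s != "online") { printf "%s%s", sep, $n; sep = "," } }
    END { if (!rows) printf "(none listed)" }'
}

# rekey_gate STAGE LSENC LSKEYSRV: print "ok", or the reason STAGE must not run.
rekey_gate() {
  stage=$1 enc=$2 ks=$3
  [ "$(enc_field "$enc" status)" = enabled ] || { echo "encryption not enabled"; return 1; }
  down=$(offline_keyservers "$ks")
  [ -z "$down" ] || { echo "key servers not online: $down"; return 1; }
  state=$(enc_field "$enc" keyserver_rekey)
  case $stage in
    prepare) ;;
    commit) [ "$state" = prepared ] || { echo "keyserver_rekey is '$state', not prepared"; return 1; } ;;
    *) echo "unknown stage: $stage"; return 2 ;;
  esac
  echo ok
}
```

Feed it the text captured from lsencryption and lskeyserver, and run chencryption only when rekey_gate prints ok for that stage.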