Enabling encryption with USB flash drives

You can use either the management GUI or the command-line interface to enable encryption on your system. The system supports USB flash drives as a method to manage encryption keys.

Before you can enable encryption, you must have Lenovo Storage V3700 V2 XP or Lenovo Storage V5030 hardware with encryption licenses set. In the management GUI, select Settings > System > Licensed Function to verify the enclosures that are licensed for encryption. Use the lsencryption command to ensure that the status is set to licensed.

Using the management GUI to enable encryption

While the system is enabling encryption, you are prompted to insert the flash drives into the system.The system requires a minimum of three USB flash drives for copying the encryption keys. To enable encryption, complete these steps:
  1. If you activated an encryption license and completed the system setup wizard, click Enable Encryption and complete the wizard.
  2. If you selected to enable encryption later in the system setup wizard, you can still enable encryption in the management GUI by selecting Settings > Security > Encryption.
  3. Click Enable Encryption.
  4. On the Welcome panel, select USB flash drives.
    Note: You can also select both Key Servers and USB Flash Drives to configure both methods to manage encryption keys. If either method becomes unavailable, you can use the other method to access encrypted data on your system.
  5. In the wizard, you are prompted to insert the required number of USB flash drives into the system.The system requires a minimum of three USB flash drives for copying the encryption keys. The system contains two ports for the USB flash drives, one on each node canister. Insert two USB flash drives into the system to begin the copy process. After the encryption key is copied to the first two USB flash drives, the management GUI prompts you to remove the two flash drives. After you remove the flash drives, insert the last required flash drive into the system. When the final copy completes, you can create any additional backup copies by repeating the process. When the system detects the USB flash drives, the encryption key is automatically copied to the USB flash drives. Ensure that you create any required extra copies for backups. You can leave the USB flash drives inserted into the system. However, the area where the system is located must be secure to prevent someone from losing or stealing the key. If the area where the system is located is not secure, remove all of the USB flash drives from the system and store securely.
  6. After all copies are completed, click Confirm.
  7. Create several backup copies of the key on either USB flash drives or another external storage media and store securely.

Using the command-line interface to enable encryption

Before you enable encryption, verify that the encryption license is set for the system by using the lsencryption command.

Follow these steps to enable encryption:

  1. Enter the following CLI command to enable encryption on your system:
    chencryption -usb enable
  2. If your system has two node canisters, complete the following steps to copy the encryption key:
    1. Insert two blank USB flash drives into the USB ports that are on each node canister.
    2. Ensure that two flash drives are installed:
      lsportusb
      Check that the value for the status parameter is active. This status indicates that the flash drive is inserted in the canister and can be used by the system.
    3. Enter the following CLI command to create the first two copies:
      chencryption -usb newkey -key prepare
    4. Remove the two USB flash drives from the system and insert at least one more blank USB flash drive to create the required number of copies. The system requires a minimum of three USB flash drives for copying the encryption keys.
    5. Reenter the following CLI command to create the remaining copies:
      chencryption -usb newkey -key prepare
    6. Repeat the copy process all backup copies are created.
    7. Enter the following command:
       chencryption -usb newkey -key commit
  3. If your system has four node canisters, complete the following steps to copy the encryption key:
    1. Insert three blank USB flash drives into three USB ports in the four-node system.
    2. Ensure that sufficient flash drives are installed:
      lsportusb
      Check that the value for the status parameter is active. This status indicates that the flash drive is inserted in the canister and can be used by the system.
    3. Enter the following CLI command to create the three copies:
      chencryption -usb newkey -key prepare
    4. Enter the following command:
       chencryption -usb newkey -key commit