You can use either the management GUI or the command-line
interface to enable encryption on your system. The system supports
USB flash drives as a method to manage encryption keys.
Before you can enable encryption, you must have Lenovo
Storage V3700 V2 XP or Lenovo Storage V5030 hardware with encryption licenses set. In the management GUI,
select to verify the
enclosures that are licensed for encryption. Use the lsencryption command to ensure that the status is set to licensed.
Using the management GUI to enable encryption
While the system is enabling encryption, you
are prompted to insert the flash drives into the system. The system requires a minimum of three USB flash drives
for copying the encryption keys. To
enable encryption, complete these steps:
- If you activated an encryption license and
completed the system setup wizard, click Enable Encryption and complete the wizard.
- If you selected to enable encryption later
in the system setup wizard, you can still enable encryption in the
management GUI by selecting .
- Click Enable Encryption.
- On the Welcome panel, select USB flash drives.
Note: You
can also select both Key Servers and USB Flash Drives to configure both methods to manage
encryption keys. If either method becomes unavailable, you can use
the other method to access encrypted data on your system.
- In the wizard,
you are prompted to insert the required number of USB flash drives
into the system. The system requires a minimum of three USB flash drives for copying
the encryption keys. The system contains two ports for the USB flash
drives, one on each node canister. Insert two USB flash drives into
the system to begin the copy process. After the encryption key is
copied to the first two USB flash drives, the management GUI prompts
you to remove the two flash drives. After you remove the flash drives,
insert the last required flash drive into the system. When the final
copy completes, you can create any additional backup copies by repeating
the process. When the system detects the USB flash drives, the
encryption key is automatically copied to the USB flash drives. Ensure
that you create any required extra copies for backups. You can leave
the USB flash drives inserted into the system. However, the area where
the system is located must be secure to prevent the key from being lost
or stolen. If the area where the system is located is not
secure, remove all of the USB flash drives from the system and store
them securely.
- After all copies are completed, click Confirm.
- Create several backup copies of the key on either USB flash drives
or other external storage media and store them securely.
Using the command-line interface to enable encryption
Before you enable encryption, verify that
the encryption license is set for the system by using the lsencryption command.
Follow these steps to enable
encryption:
- Enter the following CLI command to enable encryption on your system:
chencryption -usb enable
- If your system has two node canisters, complete
the following steps to copy the encryption key:
  - Insert two blank USB flash drives into the USB ports that are
  on each node canister.
  - Ensure that two flash drives are installed:
  lsportusb
  Check that the value for the status parameter
  is active. This status indicates that
  the flash drive is inserted in the canister and can be used by the
  system.
  - Enter the following CLI command to create the first two copies:
  chencryption -usb newkey -key prepare
  - Remove the two USB flash drives from the system and insert at
  least one more blank USB flash drive to create the required number
  of copies. The system requires a minimum of three USB flash drives
  for copying the encryption keys.
  - Reenter the following CLI command to create the remaining copies:
  chencryption -usb newkey -key prepare
  - Repeat the copy process until all backup copies are created.
  - Enter the following command:
  chencryption -usb newkey -key commit
- If your system has four node canisters, complete
the following steps to copy the encryption key:
  - Insert three blank USB flash drives into three USB ports in the
  four-node system.
  - Ensure that sufficient flash drives are installed:
  lsportusb
  Check that the value for the status parameter
  is active. This status indicates that
  the flash drive is inserted in the canister and can be used by the
  system.
  - Enter the following CLI command to create the three copies:
  chencryption -usb newkey -key prepare
  - Enter the following command:
  chencryption -usb newkey -key commit
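The lsportusb check in the steps above can be scripted from an administration workstation so that the prepare command is only run once enough drives report active. The following is an added example, not part of the original documentation; it assumes colon-delimited output (as produced with -delim :) that has a header row containing a status column, and the sample output and function names are constructed for illustration.

```shell
#!/bin/sh
# Pre-check before `chencryption -usb newkey -key prepare`: count the USB
# ports whose status column reads "active" in lsportusb output.
# Assumption: input is colon-delimited with a header row naming a "status"
# column. The column is located by name, not by position.
# On a live system the input would come from something like:
#   ssh <user>@<system> lsportusb -delim :     (placeholders, not real values)

# count_active_usb: reads lsportusb output on stdin, prints the number of
# ports with status "active". Exits 2 if no status column is found.
count_active_usb() {
    awk -F: '
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i == "status") col = i
            if (!col) { print "no status column in header" > "/dev/stderr"; exit 2 }
            next
        }
        $col == "active" { n++ }
        END { if (col) print n + 0 }
    '
}

# usb_ready REQUIRED: succeeds only if at least REQUIRED ports are active.
# Use 2 for the two-canister procedure and 3 for the four-canister one.
usb_ready() {
    required=$1
    active=$(count_active_usb) || return 2
    [ "$active" -ge "$required" ]
}

# Constructed sample output (not captured from a real system): one drive
# detected and usable, one port without a usable drive.
sample_output() {
    cat <<'EOF'
id:node_id:node_name:port_id:status
0:1:node1:1:active
1:2:node2:1:inactive
EOF
}

# Stand-alone demonstration on the constructed sample.
if sample_output | usb_ready 2; then
    echo "two drives active: safe to run prepare"
else
    echo "fewer than two drives active: reseat drives and recheck"
fi
```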