Enabling encryption with key servers

Encryption key servers create and manage encryption keys that are used by the system. In environments with a large number of systems, key servers distribute keys remotely without requiring physical access to the systems.

A key server is a centralized system that generates, stores, and sends encryption keys to the system. If the key server provider supports replication of keys among multiple key servers, you can specify up to 4 key servers that connect to the system over both a public network or a separate private network.

The system supports enabling encryption using an IBM Security Key Lifecycle Manager key server. All key servers must be configured on the IBM Security Key Lifecycle Manager before defining the key servers in the management GUI.IBM Security Key Lifecycle Manager supports Key Management Interoperability Protocol (KMIP), which is a standard for encryption of stored data and management of cryptographic keys. IBM Security Key Lifecycle Manager can be used to create managed keys for the system and provide access to these keys through a certificate. If you are configuring multiple key servers, use IBM Security Key Lifecycle Manager 2.7.0.1 or later. IBM Security Key Lifecycle Manager key servers designate one master or primary key server which can have up to twenty secondary key servers (also known as clones) defined. These additional key servers support more paths when delivering keys to the system; however, during rekeying only the path to the primary key server is used. When the system is rekeyed, secondary key servers are unavailable until the primary has replicated the new keys to these secondary key servers. Replication must complete before keys can be used on the system. You can either schedule automatic replication or complete it manually with IBM Security Key Lifecycle Manager. During replication, key servers are not available to distribute keys or accept new keys. The time a replication completes on the IBM Security Key Lifecycle Manager depends on the number of key servers that are configured as clones and the amount of key and certificate information that is being replicated. The IBM Security Key Lifecycle Manager issues a completion message when the replication completes. Verify that all key servers contain replicated key and certificate information before keys are used on the system.

When you create IBM Security Key Lifecycle Manager key server objects, you must specify the IP address, port, certificate, and device group. The device group is a collection of storage identifiers, keys, and groups of keys. A device group allows for restricted management of subsets of devices within a larger pool. The system must be defined on the key server to the SPECTRUM_VIRT device group. If the SPECTRUM_VIRT device group does not exist on the key server, it must be created based on the GPFS device family. If you are configuring multiple key servers, the SPECTRUM_VIRT device group must be defined on the primary and all additional key servers.

Prerequisites for enabling encryption

Ensure that you complete the following tasks on the IBM Security Key Lifecycle Manager before you enable encryption:
  1. Define the IBM Security Key Lifecycle Manager to use Transport Layer Security version 2 (TLSv2). The default setting on IBM Security Key Lifecycle Manager is TLSv1, but the system supports only version 2. On the IBM Security Key Lifecycle Manager set the value to SSL_TLSv2, which is a set of protocols that includes TLSv1.2.
  2. Ensure that the database service is started automatically on startup.
  3. Ensure that a valid SSL certificate from IBM Security Key Lifecycle Manager is installed on the system and in use. If automatic replication is configured on IBM Security Key Lifecycle Manager, then this certificate needs to be uploaded to the system once. However, if automatic replication is not configured on the IBM Security Key Lifecycle Manager, a certificate for each stand-alone key server must be uploaded to the system.
  4. Specify the SPECTRUM_VIRT device group for the system definition. If you are configuring multiple key servers, the SPECTRUM_VIRT device group must be defined on the primary and all secondary key servers.
  5. If you currently have encryption enabled with USB flash drives, at least one of the USB flash drives must be inserted into the system before key servers can be configured for managing keys.
For more information about completing these tasks, see the IBM Security Key Lifecycle Manager Knowledge Center.

Using the management GUI

To enable encryption with a key server, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Click Enable Encryption.
  3. On the Welcome panel, select Key Servers. Click Next.
    Note: You can also select both Key Servers and USB Flash Drives to configure both methods to manage encryption keys. If either method becomes unavailable, you can use the other method to access encrypted data on your system.
  4. Select IBM SKLM (with KMIP) for the key server type.
  5. Enter the name, IP address, and port for each key server. If you are configuring multiple key servers, the first key server that you specify is the primary key server and the rest become secondary key servers. To ensure that keys are distributed to all secondary key servers, you must configure replication on IBM Security Key Lifecycle Manager.
  6. Select SPECTRUM_VIRT for the device group for the key servers. This device group must also be configured on each of the key servers for the system.
  7. On the Key Server Certificate page, you must upload all the necessary key server certificates to the system. The key servers can use either a certificate from a trusted third party, a self-signed certificate, or a combination of these certificates. If IBM Security Key Lifecycle Manager servers are configured for automatic replication, this certificate is copied from the primary key server to all secondary key servers. All IBM Security Key Lifecycle Manager instances are connected to over secure connections with the same key server certificate. If replication is used on the IBM Security Key Lifecycle Manager, only one key server certificate needs to be installed. The IBM Security Key Lifecycle Manager uses this single certificate to replicate keys with each other. If the IBM Security Key Lifecycle Manager servers are not configured for automatic replication, you must install separate certificates for each stand-alone key server. However, if the key servers use self-signed certificates, the certificates must be uploaded separately to the system. Any self-signed certificates take priority over any CA-signed certificate that is installed on the system for the key servers. If only one certificate is used and automatically replicated to all configured key servers, select the certificate that you downloaded to the system in the certificate in the Certificate field. If automatic replication is not configured, select all the valid certificates that you downloaded to the system for each of the configured key servers. Click Next.
  8. On the System Encryption Certificate page, click Export Public Key to download the public key to the system. System encryption certificates can also be self-signed or CA-certificate. These certificates are uploaded to each of the key servers to establish trust for the system to communicate with individual key servers. If IBM Security Key Lifecycle Manager servers are configured for automatic replication, this certificate is copied from the primary key server to all secondary key servers. All IBM Security Key Lifecycle Manager instances are connected to over secure connections with the same key server certificate. If replication is used on the IBM Security Key Lifecycle Manager, the primary key server replicates the system certificate to the other key servers. If the IBM Security Key Lifecycle Manager servers are not configured for automatic replication, you must install the system certificate to each stand-alone key server. If a certificate does not exist, select Settings > Security > Secure Communications. On the Secure Communications page, select Update Certificate to create or import a certificate. For more information about certificates, see the topic about certificates that are used for key servers.
  9. Copy the system's public key by adding it to the trust store for the SPECTRUM_VIRT device group on each configured key server. See the IBM Security Key Lifecycle Manager Knowledge Center for details.
  10. Return to the System Encryption Certificate page and select The system’s public key certificate has been transferred to each configured key server.
  11. If you have USB flash drives configured as your encryption method, the Disable USB Encryption page displays. If you want to migrate to key servers and disable USB flash drives, select Yes. If you want both encryption methods configured simultaneously, click No.
  12. Click Next.
  13. On the Summary page, verify the configuration for the key servers and click Finish.

Using the command-line interface

To enable encryption with a key server, complete the following steps:
  1. Enter the following CLI command to enable encryption on your system:
    chencryption -keyserver enable
  2. Enable the key server type and supply the certificate authority (CA) signed certificate if one is required:
    chkeyserverisklm -enable -sslcert /tmp/CASigned.crt
  3. Create the primary key server and specify the key server certificate:
    mkkeyserver -ip ip_address -port port -sslcert /tmp/self-signed.crt -primary
  4. Create up to three additional secondary key servers with the same key server certificate:
    mkkeyserver -ip ip_address -port port -sslcert /tmp/self-signed.crt
  5. Create the encryption key for the system on the key server:
    chencryption -keyserver newkey -key prepare
    This command prepares the new key to be copied to the primary key server.
  6. To verify that the system is prepared, enter the following command:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  7. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
    This command makes the new key the current key and copies it to the primary key server.