You can migrate between USB flash drive and key server-based encryption
non-disruptively by using the management GUI or the command-line interface. To migrate from key
servers to USB flash drives, use the command line interface only. During migration, the system
supports simultaneous configuration of both key management methods. After the migration completes,
you can disable the old key management method.
Using the management GUI
During migration, the system does not disable the currently
configured key management method until the new method is configured completely. Therefore, encrypted
data can still be accessed with the current key until the migration is completed. For example, if
you were migrating from USB flash drives to key servers, the old keys on the USB flash drive are
still available until the key server encryption is configured. However, at least one of the USB
flash drives with the current encryption key must be inserted into the system before migrating to
the key server. After the key servers are configured, the old keys on the USB flash drive can no
longer decrypt data on the system. Dispose of any old USB flash drives according to your recommended
procedures for disposal of sensitive information.
Note: The management GUI supports migration from
USB flash drives to a key server encryption method only. To migrate from key servers to USB flash
drives, you must use the command-line interface.
Before migrating to key server-based
encryption, ensure that at least one USB flash drive with the current encryption key is inserted
into the system. To migrate encryption from a USB flash drive to key servers, complete these
steps:
- In the management GUI, select .
- On the Encryption page, verify the following information:
- Expand USB Flash Drives and verify that USB flash drives are configured
and detected in the system.
- Expand Key Servers and verify that key servers are not configured on the
system.
- Under Key Servers, click Configure.
- Select IBM SKLM (with KMIP) for the key server type.
- Enter the name, IP address, and port for each key server. If you
are configuring multiple key servers, the first key server that you specify is the primary key
server and the rest become secondary key servers. To ensure that keys are distributed to all
secondary key servers, replication must be configured on IBM Security Key Lifecycle Manager.
- Select SPECTRUM_VIRT for the device group for the key servers. This device group
must also be configured on each of the key servers for the system.
- On the Key Server Certificate page, you must upload all the
necessary key server certificates to the system. The key servers can use
a certificate authority (CA) certificate from a trusted third party or a self-signed certificate
that is created on the key servers. You can also use both these types of certificates on the key
servers. If multiple key servers are configured and use the same CA certificate, upload the single
CA-signed certificate, which covers all of the key servers. If the key servers use self-signed
certificates, the certificates must be uploaded separately to the system. Any self-signed
certificates take priority over any CA-signed certificate that is installed on the system for the
key servers.
- On the System Encryption Certificate page, click
Export Public Key to download the public key to the system. System encryption
certificates can also be self-signed or CA-certificate. These certificates are uploaded to each of
the key servers to establish trust for the system to communicate with individual key servers. If a
certificate does not exist, select . On the Secure Communications page, select Update
Certificate to create or import a certificate. For more
information, see the topic about certificates that are used for key servers.
- Copy the system's public key by adding it to the trust store
for the SPECTRUM_VIRT device group on each configured key server. See the IBM
Security Key Lifecycle Manager Knowledge Center for details.
- Return to the System Encryption Certificate page and select
The system’s public key certificate has been transferred to each configured key
server.
- On the Disable USB
Encryption panel, select Yes and click
Next.
- On the Summary page, verify the configuration for the key servers and
click Finish. After the configuration completes, keys that were stored on the
USB flash drives are not valid. Ensure that you dispose of all USB flash drives securely.
Using the CLI
Before migrating to key server-based
encryption, ensure that at least one USB flash drive with the current encryption key is inserted
into the system. To migrate from a USB flash drive to key servers to manage encryption keys,
complete the following steps:
- Enter the following command to verify that encryption is enabled on the system with USB flash
drives:
lsencryption
- Enter the following CLI command to enable encryption with key servers on your
system:
chencryption -keyserver enable
- Enable the key server type and supply the certificate authority (CA) signed certificate if one
is required:
chkeyserverisklm -enable -sslcert /tmp/CASigned.crt
- Create the primary key server and specify the key server
certificate:
mkkeyserver -ip ip_address -port port -sslcert /tmp/self-signed.crt -primary
- If you plan to use multiple key servers,
enter the following command multiple times to specify up to three more secondary key servers that
use the same key server
certificate:
mkkeyserver -ip ip_address -port port -sslcert /tmp/self-signed.crt
- Create the system encryption key and write the key to the specified key
server:
chencryption -keyserver newkey -key prepare
This
command makes the prepared key the current key and stores the key values on all configured key
servers.
- To verify that the system is prepared, enter the following
command:
lsencryption
Check that
the keyserver_rekey parameter has the
value prepared. The prepared value
indicates that the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
- After the new key for the key server is committed, disable encryption for the USB flash drive by
entering the following
command:
chencryption -usb disable
If
encryption is already enabled on the system with key servers, ensure primary key server is connected
to the system and distributes the current encryption key. To migrate from a key server to USB flash
drives to manage encryption keys, complete the following steps:
- Enter the following command to verify that encryption is enabled on the system with key
servers:
lsencryption
- Enter the following CLI command to enable encryption on your
system:
chencryption -usb enable
- If your system has two node canisters, complete the following steps to copy the
encryption key:
- Insert two blank USB flash drives into the USB ports that are on each node canister.
- Ensure that two flash drives are installed:
lsportusb
Check that the value
for the status parameter is active. This status
indicates that the flash drive is inserted in the canister and can be used by the system.
- Enter the following CLI command to create the first two copies:
chencryption -usb newkey -key prepare
- Remove the two USB flash drives from the system and insert at least one more blank USB flash
drive to create the required number of copies. The system requires a minimum of three USB flash
drives for copying the encryption keys.
- Reenter the following CLI command to create the remaining copies:
chencryption -usb newkey -key prepare
- Repeat the copy process all backup copies are created.
- Enter the following command:
chencryption -usb newkey -key commit
- If your system has four node canisters, complete the following steps to copy the
encryption key:
- Insert three blank USB flash drives into three USB ports in the four-node system.
- Ensure that sufficient flash drives are installed:
lsportusb
Check that the
value for the status parameter is active. This
status indicates that the flash drive is inserted in the canister and can be used by the
system.
- Enter the following CLI command to create the three copies:
chencryption -usb newkey -key prepare
- Enter the following command:
chencryption -usb newkey -key commit
- After the new key is committed, disable encryption for the key server by entering the following
command:
chencryption -keyserver disable