Planning for encryption involves purchasing a licensed function and then activating and enabling the function on the system. USB encryption, key server encryption, or both can be enabled on the system. The system supports IBM Security Key Lifecycle Manager version 2.6.0 or later for enabling encryption with a key server.
To encrypt data that is stored on drives, the control enclosure on which they are connected must contain an active license and be configured to use encryption. When encryption is activated and enabled on the system, valid encryption keys must be present on the system when the system unlocks the drives or the user generates a new key. If USB encryption is enabled on the system, the encryption key must be stored on USB flash drives that contain a copy of the key that was generated when encryption was enabled. If key server encryption is enabled on the system, the key is retrieved from the key server.
If you are using encryption to protect data that is copied to cloud storage, the cloud account is always synchronized with the system encryption settings. If both USB flash drives and key servers are configured, the cloud account that is created supports both of these methods. If just one encryption method is configured and the other is disabled, the cloud account supports encryption with the remaining configured encryption method. To ensure that the cloud account supports encryption, one or both methods must be configured with active keys when the cloud account is created.
If a cloud account is created with one encryption method, you can configure the second method later, but the cloud account must be online while the configuration occurs. After the second method is configured, the cloud account will support both key providers.
Lenovo Storage V5030 supports optional encryption of data at rest (Lenovo Storage V3700 V2 XP will support the optional encryption on version 8.1.1.1 or above). Encryption protects against the potential exposure of sensitive user data that is stored on discarded, lost, or stolen storage devices. Both of these systems require an encryption license for each enclosure that supports encryption.
Key servers provide useful features that make them desirable to use such as being responsible for encryption key generation, backups, and following an open standard that aids interoperability. When planning for key server encryption, the following items are important to consider.
All nodes that want to communicate with key servers must have their service IP address configured. A node must have its full service IP stack configured (address, gateway, mask) in order for that node to be a candidate for attempting to contact the key server. Key servers are typically set up on a private LAN, and this requires enforcement of service IP addresses. If only a subset of nodes have service IP addresses set, then those nodes without a service IP address log an error. The IP address that the user supplies must be the one thatthe system uses to communicate with the key server.
Each key server will have a TCP port associated with its access. Since a key server serves multiple clients,the system allows the user to use a different port for each server and enables access for this port as and when required. KMIP server conformance mandates that TCP port 5696 be supported, so this will be the default port for the server end point.
If key server encryption is enabled, then the key server generates and manages the master keys. The node generates all other keys.
The key database can be clustered or unclustered depending on the type of key server that is used. For unclustered key servers, the user needs to consider backup and replication of the key database. IBM Security Key Lifecycle Manager is an example of a key server product where replication must be configured in order for encryption keys to be shared automatically between IBM Security Key Lifecycle Manager instances. Without replication configured, manual backup and restore operations must be used. Other products might self-replicate, so other key server instances automatically have any new keys created. For IBM Security Key Lifecycle Manager, complete backups and restores by following the IBM Security Key Lifecycle Manager user guide.
chencyrption-usb newkey-key preparechencryption-usb newkey-key commit
The rekey operation must be run after the update is completed to the 7.8.x code level or higher and before you attempt to enable key server encryption.