Migrating between key management methods

You can migrate between USB flash drive and key server-based encryption non-disruptively by using the management GUI or the command-line interface. To migrate from key servers to USB flash drives, use the command line interface only. During migration, the system supports simultaneous configuration of both key management methods. After the migration completes, you can disable the old key management method.

Using the management GUI

During migration, the system does not disable the currently configured key management method until the new method is configured completely. Therefore, encrypted data can still be accessed with the current key until the migration is completed. For example, if you were migrating from USB flash drives to key servers, the old keys on the USB flash drive are still available until the key server encryption is configured. However, at least one of the USB flash drives with the current encryption key must be inserted into the system before migrating to the key server. After the key servers are configured, the old keys on the USB flash drive can no longer decrypt data on the system. Dispose of any old USB flash drives according to your recommended procedures for disposal of sensitive information.
Note: The management GUI supports migration from USB flash drives to a key server encryption method only. To migrate from key servers to USB flash drives, you must use the command-line interface.
Before migrating to key server-based encryption, ensure that at least one USB flash drive with the current encryption key is inserted into the system. To migrate encryption from a USB flash drive to key servers, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. On the Encryption page, verify the following information:
    1. Expand USB Flash Drives and verify that USB flash drives are configured and detected in the system.
    2. Expand Key Servers and verify that key servers are not configured on the system.
  3. Under Key Servers, click Configure.
  4. Select IBM SKLM (with KMIP) for the key server type.
  5. Enter the name, IP address, and port for each key server. If you are configuring multiple key servers, the first key server that you specify is the primary key server and the rest become secondary key servers. To ensure that keys are distributed to all secondary key servers, replication must be configured on IBM Security Key Lifecycle Manager.
  6. Select SPECTRUM_VIRT for the device group for the key servers. This device group must also be configured on each of the key servers for the system.
  7. On the Key Server Certificate page, you must upload all the necessary key server certificates to the system. The key servers can use a certificate authority (CA) certificate from a trusted third party or a self-signed certificate that is created on the key servers. You can also use both these types of certificates on the key servers. If multiple key servers are configured and use the same CA certificate, upload the single CA-signed certificate, which covers all of the key servers. If the key servers use self-signed certificates, the certificates must be uploaded separately to the system. Any self-signed certificates take priority over any CA-signed certificate that is installed on the system for the key servers.
  8. On the System Encryption Certificate page, click Export Public Key to download the public key to the system. System encryption certificates can also be self-signed or CA-certificate. These certificates are uploaded to each of the key servers to establish trust for the system to communicate with individual key servers. If a certificate does not exist, select Settings > Security > Secure Communications . On the Secure Communications page, select Update Certificate to create or import a certificate. For more information, see the topic about certificates that are used for key servers.
  9. Copy the system's public key by adding it to the trust store for the SPECTRUM_VIRT device group on each configured key server. See the IBM Security Key Lifecycle Manager Knowledge Center for details.
  10. Return to the System Encryption Certificate page and select The system’s public key certificate has been transferred to each configured key server.
  11. On the Disable USB Encryption panel, select Yes and click Next.
  12. On the Summary page, verify the configuration for the key servers and click Finish. After the configuration completes, keys that were stored on the USB flash drives are not valid. Ensure that you dispose of all USB flash drives securely.

Using the CLI

Before migrating to key server-based encryption, ensure that at least one USB flash drive with the current encryption key is inserted into the system. To migrate from a USB flash drive to key servers to manage encryption keys, complete the following steps:
  1. Enter the following command to verify that encryption is enabled on the system with USB flash drives:
    lsencryption
  2. Enter the following CLI command to enable encryption with key servers on your system:
    chencryption -keyserver enable
  3. Enable the key server type and supply the certificate authority (CA) signed certificate if one is required:
    chkeyserverisklm -enable -sslcert /tmp/CASigned.crt
  4. Create the primary key server and specify the key server certificate:
    mkkeyserver -ip ip_address -port port -primary
  5. If you plan to use multiple key servers, enter the following command multiple times to specify up to three more secondary key servers that use the same key server certificate:
    mkkeyserver -ip ip_address -port port
  6. Create the system encryption key and write the key to the specified key server:
    chencryption -keyserver newkey -key prepare
    This command makes the prepared key the current key and stores the key values on all configured key servers.
  7. To verify that the system is prepared, enter the following command:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  8. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
  9. After the new key for the key server is committed, disable encryption for the USB flash drive by entering the following command:
    chencryption -usb disable
If encryption is already enabled on the system with key servers, ensure primary key server is connected to the system and distributes the current encryption key. To migrate from a key server to USB flash drives to manage encryption keys, complete the following steps:
  1. Enter the following command to verify that encryption is enabled on the system with key servers:
    lsencryption
  2. Enter the following CLI command to enable encryption on your system:
    chencryption -usb enable
  3. If your system has two node canisters, complete the following steps to copy the encryption key:
    1. Insert two blank USB flash drives into the USB ports that are on each node canister.
    2. Ensure that two flash drives are installed:
      lsportusb
      Check that the value for the status parameter is active. This status indicates that the flash drive is inserted in the canister and can be used by the system.
    3. Enter the following CLI command to create the first two copies: 
      chencryption -usb newkey -key prepare
    4. Remove the two USB flash drives from the system and insert at least one more blank USB flash drive to create the required number of copies. The system requires a minimum of three USB flash drives for copying the encryption keys.
    5. Reenter the following CLI command to create the remaining copies: 
      chencryption -usb newkey -key prepare
    6. Repeat the copy process all backup copies are created.
    7. Enter the following command: 
       chencryption -usb newkey -key commit
  4. If your system has four node canisters, complete the following steps to copy the encryption key:
    1. Insert three blank USB flash drives into three USB ports in the four-node system.
    2. Ensure that sufficient flash drives are installed:
      lsportusb
      Check that the value for the status parameter is active. This status indicates that the flash drive is inserted in the canister and can be used by the system.
    3. Enter the following CLI command to create the three copies: 
      chencryption -usb newkey -key prepare
    4. Enter the following command: 
       chencryption -usb newkey -key commit
  5. After the new key is committed, disable encryption for the key server by entering the following command:
    chencryption -keyserver disable
Parent topic: Managing encryption
Related reference
chencryption
chkeyserverisklm
lsencryption
lsportusb
mkkeyserver