If you configured key servers to manage encryption keys, you can generate new keys with
the encryption key servers. Rekeying is the process of
creating a new key for the system. To create a new key, encryption
must be enabled on the system; however, the rekey operation works
whether or not there are encrypted objects.Encryption is supported on Lenovo Storage V3700
V2 XP, Lenovo Storage V5030, and Lenovo
Storage V5030F models only.
You can use USB flash drives or key servers to enable encryption. If
both methods of encryption are configured on your system, completely rekey one method before you
rekey the other method.
Note: To avoid data loss, back up your IBM
Security Key Lifecycle Manager data every time that you rekey.
Using the management GUI
During the rekey process, the
key server generates a new key and the existing key becomes obsolete. If you are using multiple key servers, the rekey
operation happens on the primary key server only. Any additional key
servers go offline and the system reports an error against those key
servers until the new key is replicated from the primary to the secondary
key servers. You can automatically or manually configure replication
with IBM Security Key Lifecycle Manager for the primary and secondary key servers. Replication copies
encryption keys between primary and secondary key servers when replication
is scheduled on the IBM Security Key Lifecycle Manager. For example, if replication is scheduled to occur every 5 hours
and the system is rekeyed, then the secondary key servers remain offline
until the scheduled replication occurs. You can also complete manual
replication of the keys from the primary to the secondary with the IBM Security Key Lifecycle Manager.
Before you generate a new key on all configured key servers, the key servers must be online and
connected to the system. In the management GUI, select . Expand Key Servers to display details on all the configured
key servers on the system. Verify that the status of the key servers
is online and available to the system.
To rekey the
system that uses key server encryption, complete these steps:
- In the management GUI, select .
- Expand Key Servers to display all the configured
key servers on the system and select Rekey.
- Click OK on the message
dialog. The encryption key is generated by the primary key server
and is copied to the primary key server. If errors occur during the
rekey process, status messages display problems with the copy or creation
of a new key. To determine and fix other possible errors, select .
- If you configured multiple
key servers, the encryption key is created on the primary key server
only. All additional key servers go offline until the key is replicated
from the primary key server to the other key servers with IBM Security Key Lifecycle Manager. For more information, see the IBM Security Key Lifecycle Manager Knowledge Center.
If you have USB flash drives configured
in addition to a key server, you can now rekey USB flash drives.
Using the command-line interface
Before you generate a new key on all configured key servers, the key servers must be online and
connected to the system. In the command-line
interface, enter
lskeyserver to verify whether the key servers are
online and available to the system.
To rekey the
system that uses key servers, complete these steps:
- Verify that encryption is enabled on the system by entering this
command:
lsencryption
Ensure that
the status indicates that the encryption is enabled.
- After verifying that encryption is enabled, verify that the key
servers are online and available by entering this command:
lskeyserver
Ensure that the status
for all available key servers is online.
- After verifying that encryption is enabled and the key servers
are online, you need to prepare the system to rekey the encryption
keys that are currently being used on the system. To prepare the rekey
operation, enter the following command:
chencryption -keyserver newkey -key prepare
Note: This command creates the new
key on the primary key server only. All additional key servers go
offline until the key is replicated from the primary key server to
the other key servers with the IBM Security Key Lifecycle Manager.
- To verify that the system is prepared, enter the following command:
lsencryption
Check that the keyserver_rekey parameter has the value prepared. The
prepared value indicates that the new key is
ready to be committed.
- To commit the key, enter the following command:
chencryption -keyserver newkey -key commit
This
command makes the prepared key the current key and stores the key
values on the primary key server.
- Verify that the new key is committed by entering the following
command:
lsencryption
Ensure
that the value in the keyserver_rekey parameter
is no.
- If you configured multiple
key servers, the encryption key is created on the primary key server
only. All additional key servers that are configured until the key
is replicated to the other key servers by using the IBM Security Key Lifecycle Manager. For more information, see the IBM Security Key Lifecycle Manager Knowledge Center.
If you have USB flash drives configured in addition to a key
server, you can now rekey USB flash drives.