Encryption key servers
create and manage encryption keys that are used by the system.
In environments with a large number of systems, key servers distribute
keys remotely without requiring physical access to the systems.
A
key server is a centralized system that generates, stores, and sends
encryption keys to the system.
If the key server provider supports replication
of keys among multiple key servers, you can specify up to 4 key servers
that connect to the system over both a public network or a separate
private network.
The system supports enabling encryption by using an IBM Security Key Lifecycle Manager key server.All key servers must be configured
on the IBM Security Key Lifecycle Manager before you define the key servers.IBM Security Key Lifecycle Manager supports Key Management Interoperability Protocol (KMIP), which
is a standard for encryption of stored data and management of cryptographic
keys. IBM Security Key Lifecycle Manager can be used to create managed keys for the system and provide
access to these keys through a certificate.
The system supports different types of key server configurations
on IBM Security Key Lifecycle Manager. The following configurations are supported:
- One primary (master) key server
and several secondary key servers: IBM Security Key Lifecycle Manager key servers designate one master or primary key server which can
have up to three secondary key servers (also known as clones) defined.
These additional key servers support more paths when delivering keys
to the system; however, during rekeying only the path to the primary
key server is used. When the system is rekeyed, secondary
key servers are unavailable until the primary key server has replicated
the new keys to these secondary key servers. The amount of time
it takes to replicate the key to a secondary key server depends on
the amount of key and certificate information that is being replicated.
Each replication to a secondary key server can take some time. Replication
must complete before keys can be used on the system. You can either
schedule automatic replication or complete it manually with IBM Security Key Lifecycle Manager. During replication, key servers are not available to distribute
keys or accept new keys. The total time it takes for a replication
to complete on the IBM Security Key Lifecycle Manager depends on the number of key servers that are configured as clones. If replication is triggered manually, the IBM Security Key Lifecycle Manager issues a completion message when the replication completes. Verify that all key servers contain replicated key and certificate
information before keys are used on the system.
- Multiple master key servers: Key servers can be configured
in a multi-master configuration where each key server has the ability
to create new encryption keys. In this instance, any server can be
set as the primary key server. The primary key server is the key server
that the system uses when you create any new key server encryption
keys. If multi-master mode is enabled on the IBM Security Key Lifecycle
Manager, the key is immediately replicated to the other key servers
in the configuration.
For more
information about the supported versions, see the IBM Security Key
Lifecycle Manager Knowledge Center.
When you
create IBM Security Key Lifecycle Manager key server objects, you must specify the IP address, port,
certificate, and device group. The device group is a collection of
storage identifiers, keys, and groups of keys. A device group allows
for restricted management of subsets of devices within a larger pool.
The system must be defined on the key server to the SPECTRUM_VIRT device
group if you are using the default settings. If the
SPECTRUM_VIRT device
group does not exist on the key server, it must be created based on
the GPFS device family. If you are configuring
multiple key servers, the SPECTRUM_VIRT device group must be defined on the primary and all additional key
servers.
Prerequisites for enabling encryption
Ensure
that you complete the following tasks on the
IBM Security Key Lifecycle Manager before you enable encryption:
- Define the IBM Security Key Lifecycle Manager to use Transport Layer Security version 1.2 (TLSv1.2). The default
setting on IBM Security Key Lifecycle Manager is TLSv1, but the system supports only version 1.2. On the IBM Security Key Lifecycle Manager, set the value to SSL_TLSv2, which is a set
of protocols that includes TLSv1.2.
- Ensure that the database service is started automatically on startup.
- Ensure that a valid SSL certificate from IBM Security Key Lifecycle Manager is installed on the system and in use. If
automatic replication is configured on IBM Security Key Lifecycle Manager, then this certificate needs to be uploaded to the system once.
However, if automatic replication is not configured on the IBM Security Key Lifecycle Manager, a certificate for each stand-alone key server must be uploaded
to the system.
- Specify the SPECTRUM_VIRT device group for the system definition.
If you are configuring multiple key servers,
the SPECTRUM_VIRT device group must be defined on the primary and all secondary key
servers.
- If you currently have encryption enabled
with USB flash drives, at least one of the USB flash drives must be
inserted into the system before key servers can be configured for
managing keys.
For more information about completing these tasks, see the
IBM Security Key Lifecycle Manager Knowledge Center.
Using the management GUI
To enable encryption
with a key server, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- On the Welcome panel, select Key Servers. Click
Next.
Note: You can also select both Key Servers and USB Flash Drives to configure both methods
to manage encryption keys. If either method becomes unavailable, you
can use the other method to access encrypted data on your system.
- Select IBM SKLM (with KMIP) for the key
server type.
- Enter the name, IP
address, and port for each key server. If you are configuring multiple
key servers, the first key server that you specify is the primary
key server and the rest become secondary key servers. To ensure that
keys are distributed to all secondary key servers, you must configure
replication on IBM Security Key Lifecycle Manager.
- Select SPECTRUM_VIRT for the device group for the key servers. This device group must
also be configured on each of the key servers for the system.
- On the Key Server Certificate page, you
must upload all the necessary key server certificates to the system. The key servers can use either a certificate
from a trusted third party, a self-signed certificate, or a combination
of these certificates. If IBM Security Key Lifecycle Manager servers are configured for automatic replication, this certificate
is copied from the primary key server to all secondary key servers.
All IBM Security Key Lifecycle Manager instances are connected to over secure connections with the
same key server certificate. If replication is used on the IBM Security Key Lifecycle Manager, only one key server certificate needs to be installed. The IBM Security Key Lifecycle Manager uses this single certificate to replicate keys with each other.
Any self-signed certificates take priority over any CA-signed certificate
that is installed on the system for the key servers. If only
one certificate is used and automatically replicated to all configured
key servers, select the certificate that you downloaded to the system
in the certificate in the Certificate field.
If automatic replication is not configured, select all the valid certificates
that you downloaded to the system for each of the configured key servers.
Click Next.
- On the System Encryption Certificate page,
click Export Public Key to download the public
key to the system. System encryption certificates can also be self-signed
or CA-certificate. These certificates are uploaded to each of the
key servers to establish trust for the system to communicate with
individual key servers. If IBM Security Key Lifecycle Manager servers are configured for automatic replication, this certificate
is copied from the primary key server to all secondary key servers.
All IBM Security Key Lifecycle Manager instances are connected to over secure connections with the
same key server certificate. If replication is used on the IBM Security Key Lifecycle Manager, the primary key server replicates the system certificate to the
other key servers. If the IBM Security Key Lifecycle Manager servers are not configured for automatic replication, you must install
the system certificate to each stand-alone key server.
If a certificate does not exist, select . On the Secure Communications page, select Update Certificate to create
or import a certificate. For more information about certificates, see
the topic about certificates that are used for key servers.
- Copy the system's public key by adding
it to the trust store for the
SPECTRUM_VIRT device group on each configured
key server. See the IBM Security Key Lifecycle Manager Knowledge
Center for details.
- Return to the System Encryption Certificate page and select
The system’s public key certificate has been transferred
to each configured key server.
- If
you have USB flash drives configured as your encryption method, the Disable USB Encryption page displays. If you want to
migrate to key servers and disable USB flash drives, select Yes. If you want both encryption methods configured simultaneously,
click No.
- Click Next.
- On the Summary page, verify the configuration
for the key servers and click Finish.
Using the command-line interface
To enable encryption
with a key server, complete the following steps:
- Enter the following CLI command to enable encryption on your system:
chencryption -keyserver enable
- Enable the key server type and supply the certificate authority
(CA) signed certificate if one is required:
chkeyserverisklm -enable -sslcert /tmp/CASigned.crt
- Create the primary key server and specify
the key server certificate:
mkkeyserver -ip ip_address -port port -primary
- Create up to three additional secondary key
servers with the same key server certificate:
mkkeyserver -ip ip_address -port port
- Create the encryption key for the system on the key server:
chencryption -keyserver newkey -key prepare
This command makes the prepared key the current key and
pushes the key to the key server configured as the primary key server.
- To verify that the system is prepared, enter the following command:
lsencryption
Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that
the new key is ready to be committed.
- To commit the key, enter the following command:
chencryption -keyserver newkey -key commit
This command makes the new key the current key and copies it to the
primary key server.