If you have configured encryption with USB flash drives, you can create new keys and store them on USB flash drives. Rekeying is the process of creating a new key for the system. To create a new key, encryption must be enabled on the system; the rekey operation itself works whether or not any encrypted objects exist. Encryption is supported on Lenovo Storage V3700 V2 XP, Lenovo Storage V5030, and Lenovo Storage V5030F models only.
Before creating a new key, ensure that at least one USB port contains a USB flash drive that holds the current key. During the rekey process, a new key is generated and copied to the inserted USB flash drives; the new key then replaces the current key. The rekey operation fails unless at least one USB flash drive contains the current key. To rekey the system you need at least three USB flash drives to hold copies of the new key. If you have both methods of encryption (USB flash drives and key servers) configured on your system, completely rekey one method before rekeying the other.
Using the management GUI
Before rekeying the system, ensure that the encryption key is accessible by verifying that at least one of the USB flash drives contains the current key. Insert the other USB flash drives into the remaining ports on the rear panel of the control enclosure. The available ports are displayed to indicate which ports need USB flash drives. If you have both methods of encryption configured on your system, completely rekey one method before rekeying the other.
To rekey the system in the management GUI, complete these steps:
- In the management GUI, select .
- Expand USB Flash Drives to display all the detected USB flash drives on the system and select Rekey.
- When the system detects the required number of USB flash drives, with at least one drive that contains the existing key, the new key is generated and copied to the USB flash drives. Click Commit after the key is created to complete the rekey operation. If errors occur during the rekey process, status messages describe the problem with the creation or copying of the new key. For example, if the minimum number of USB flash drives is inserted but none of them holds an existing encryption key, the rekey operation fails. To determine and fix other possible errors, select .
Note: If you have key servers configured in addition
to USB flash drives, you can now rekey the key server.
Using the command-line interface
Before rekeying the system, ensure that the encryption key is accessible by verifying that at least one of the USB flash drives contains the current key. Insert the other USB flash drives into the remaining ports on the rear panel of the control enclosure. The available ports are displayed to indicate which ports need USB flash drives. If you have both methods of encryption configured on your system, completely rekey one method before rekeying the other.
To rekey the system in the command-line interface, complete these steps:
- Verify that encryption is enabled on the system by entering this command:
lsencryption
Ensure that the status indicates that encryption is enabled.
- After verifying that encryption is enabled, prepare the system to rekey the encryption keys that are currently in use. Ensure that at least one of the USB flash drives that contain the current key is inserted into the configuration node; without the current key the rekey process fails. Insert the other USB flash drives into the remaining USB ports on the rear of the system. To prepare the rekey operation and copy the new key to all inserted USB flash drives, enter the following command:
chencryption -usb newkey -key prepare
This command confirms that at least one of the USB flash drives contains the current encryption key. It then generates a new encryption key for the system and copies that key to all USB flash drives that are inserted into the system. Optionally, you can make additional copies of the encryption key as backups in case USB flash drives are lost or damaged.
- To verify that the system is prepared and the keys are copied to the other USB flash drives, enter the following command:
lsencryption
Check that the usb_rekey parameter has the value prepared.
Note: The prepared value indicates that the new key is ready to be committed.
If USB flash drives are already inserted into the canisters, the encryption key is copied to them automatically. If USB flash drives are not present in the canister, insert them to begin copying the key to the drives. To verify that the copies to the USB flash drives succeeded, enter lsencryption and check the value of usb_key_copies. Each successful copy to a USB flash drive increments this value, so it must match the number of USB flash drives that you inserted to receive the new key. Before the key can be committed, this value must reach the minimum required number of copies (three).
- To commit the key, enter the following command:
chencryption -usb newkey -key commit
This command makes the prepared key the current key and stores the key values on the USB flash drives.
- Verify that the new key is committed by entering the following command:
lsencryption
Ensure that the value of the usb_rekey parameter is no and that usb_key_copies shows at least the minimum required number of USB flash drives holding copies of the key. The system needs at least three USB flash drives, each with one copy of the key. It is recommended that additional copies of the key are made and stored securely, away from the system, because any USB flash drive that holds the current key can unlock it.
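The following script is an added example that wraps the CLI procedure above in a scripted check; it is not Lenovo's code and is not shipped with the product. It reads the output of lsencryption, refuses to run the commit step until usb_rekey is prepared and usb_key_copies has reached the minimum of three, and confirms the commit afterwards. The assumptions are that the CLI is reached over SSH as the superuser, that lsencryption output is read as one "attribute value" pair per line (the sample output embedded below is constructed for the self-test), and that the hostname and the polling interval are placeholders to adjust for your own environment.

```python
"""Scripted USB rekey with state gating (added example, not Lenovo code).

Assumptions: CLI reachable as ``ssh superuser@<cluster>``; lsencryption
printed as 'attribute value' lines. Host and timings are placeholders.
"""
import subprocess
import time
from typing import Dict

MIN_USB_COPIES = 3          # the system needs at least three USB copies

# Constructed sample output used by the self-test; not captured from a real system.
SAMPLE_PREPARED = "status enabled\nusb_rekey prepared\nusb_key_copies 3\n"
SAMPLE_COMMITTED = "status enabled\nusb_rekey no\nusb_key_copies 3\n"


def parse_lsencryption(output: str) -> Dict[str, str]:
    """Turn 'attribute value' lines into a dict; blank or malformed lines are skipped."""
    state: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            state[parts[0]] = parts[1].strip()
    return state


def encryption_enabled(state: Dict[str, str]) -> bool:
    return state.get("status") == "enabled"


def usb_copies(state: Dict[str, str]) -> int:
    """usb_key_copies as an integer; a missing or non-numeric value counts as 0."""
    try:
        return int(state.get("usb_key_copies", "0"))
    except ValueError:
        return 0


def ready_to_commit(state: Dict[str, str], min_copies: int = MIN_USB_COPIES) -> bool:
    """Commit is safe only once a new key is prepared and enough copies exist."""
    return state.get("usb_rekey") == "prepared" and usb_copies(state) >= min_copies


def rekey_committed(state: Dict[str, str], min_copies: int = MIN_USB_COPIES) -> bool:
    """After commit, usb_rekey returns to 'no' and the copy count must still hold."""
    return state.get("usb_rekey") == "no" and usb_copies(state) >= min_copies


def run_cli(host: str, user: str, command: str) -> str:
    """Run one CLI command over SSH and return its stdout (raises on non-zero exit)."""
    result = subprocess.run(["ssh", f"{user}@{host}", command],
                            capture_output=True, text=True, check=True)
    return result.stdout


def rekey_usb(host: str, user: str = "superuser",
              poll_seconds: int = 10, timeout_seconds: int = 600) -> Dict[str, str]:
    """Drive prepare -> wait for copies -> commit, aborting on any failed precondition."""
    state = parse_lsencryption(run_cli(host, user, "lsencryption"))
    if not encryption_enabled(state):
        raise RuntimeError("encryption is not enabled; nothing to rekey")

    # Fails on the system side if no inserted drive holds the current key.
    run_cli(host, user, "chencryption -usb newkey -key prepare")

    # Copies accrue as drives are inserted; poll until the minimum is reached.
    deadline = time.monotonic() + timeout_seconds
    while True:
        state = parse_lsencryption(run_cli(host, user, "lsencryption"))
        if ready_to_commit(state):
            break
        if time.monotonic() > deadline:
            raise RuntimeError(f"not ready to commit: usb_rekey={state.get('usb_rekey')} "
                               f"usb_key_copies={usb_copies(state)} (need {MIN_USB_COPIES})")
        time.sleep(poll_seconds)

    run_cli(host, user, "chencryption -usb newkey -key commit")

    state = parse_lsencryption(run_cli(host, user, "lsencryption"))
    if not rekey_committed(state):
        raise RuntimeError("commit did not complete; inspect lsencryption output")
    return state


if __name__ == "__main__":
    print(rekey_usb("storage-cluster.example.com"))   # placeholder hostname
```

The gate functions are kept separate from the SSH calls so the decision logic can be tested offline against captured lsencryption output before it is pointed at a live system.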