chencryption

Parameters

-usbenable | disable | validate | newkey

(Required if you do not specify -keyserver) Specifies whether USB encryption is enabled (or disabled) or the encryption keys are validated. You can also create new encryption keys that are also stored on Universal Serial Bus (USB) flash drives for use if the system forgets the encryption keys.

-usbenable

Enables encryption capability on the system. Then specify -usbnewkey to create new keys. Use this command when the system has encryption hardware and encryption licenses (for example, the lsencryption value for status is set to licensed).

-usbdisable

Disables the encryption capability of the system. If no encryption key is prepared this operation is complete and no further action is needed. Do not use this command if an encryption key is prepared or encrypted objects exist.

Remember: This removes all encryption keys (that are not on the USB flash drive) from the system.

-usbvalidate

Verifies that encryption keys are present on the USB flash drive and makes sure that the keys match the system encryption keys. Use this command when encryption is enabled and encryption keys exist (for example, lsencryption value for usb_rekey is set to no).

-usbnewkey

Generates a new encryption key on a USB flash drive that is attached to the system. Use this command only if the minimum number of USB flash drives that can be used as key material stores are attached to the system (as reported by lsportusb). When you specify this parameter, the -key option must also be supplied.

-keyserverenable | disable | newkey

(Required if you do not specify -usb) Specifies the encryption task that involves encryption keys that are managed by key servers.

-keyserverenable

Enables encryption capability on the system. Use this command when the system has encryption hardware and encryption licenses (for example, the lsencryption value for keyserver_status is set to licensed).

-keyserverdisable

Disables the encryption capability of the system. If no encryption key is prepared, this operation is complete and no further action is needed. Do not use this command if an encryption key is prepared or encrypted objects exist.

-keyservernewkey

Generates a new encryption key on the primary key server that is attached the system. You must also specify -key when you specify this parameter.

-keyprepare | commit | cancel

(Optional) Manages the creation of a new or replacement (rekey) encryption keys when -usb newkey or -keyserver newkey is specified. There are three stages:

-keyprepare

Generates system encryption keys and writes those keys to all system attached USB flash drives or key servers. If there is active encryption key material, confirm that at least one USB flash drive or key server has the current key material. Use this command only when the lsencryption value for usb_rekey or keyserver_rekey is set to no or no_key.

-keycommit

Commits the prepared key as the current key. Use this command when the lsencryption value for usb_rekey or keyserver_rekey is set to prepared and the number of USB encryption keys is at least the minimum number required.

-keycancel

Cancels any specified key changes. Use this command when the lsencryptionvalue for usb_rekey or keyserver_rekey is set to prepared.