Migrating between key management methods

You can migrate between USB flash drive and key server-based encryption non-disruptively by using the management GUI or the command-line interface. To migrate from key servers to USB flash drives, use the command line interface only. During migration, the system supports simultaneous configuration of both key management methods. After the migration completes, you can disable the old key management method.

Using the management GUI

During migration, the system does not disable the currently configured key management method until the new method is configured completely. Therefore, encrypted data can still be accessed with the current key until the migration is completed. For example, if you were migrating from USB flash drives to key servers, the old keys on the USB flash drive are still available until the key server encryption is configured. However, at least one of the USB flash drives with the current encryption key must be inserted into the system before migrating to the key server. After the key servers are configured, the old keys on the USB flash drive can no longer decrypt data on the system. Dispose of any old USB flash drives according to your recommended procedures for disposal of sensitive information.
Note: The management GUI supports migration from USB flash drives to a key server encryption method only. To migrate from key servers to USB flash drives, you must use the command-line interface.
Before migrating to key server-based encryption, ensure that at least one USB flash drive with the current encryption key is inserted into the system. To migrate encryption from a USB flash drive to key servers, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. On the Encryption page, verify the following information:
    1. Expand USB Flash Drives and verify that USB flash drives are configured and detected in the system.
    2. Expand Key Servers and verify that key servers are not configured on the system.
  3. Under Key Servers, click Configure.
  4. Select either IBM SKLM (with KMIP) or Gemalto SafeNet KeySecure for the key server type.
  5. Enter the name, IP address, and port for each key server. If you are configuring multiple key servers, the first key server that you specify is the primary key server and the rest become secondary key servers.
    Note: If you selected IBM SKLM (with KMIP) and the key servers are configured with one primary and multiple secondary key servers, ensure that replication is enabled to ensure that keys are distributed to all secondary key servers.
  6. If you selected IBM SKLM (with KMIP), the Key Server Options page displays. Select SPECTRUM_VIRT for the device group for the key servers. This device group must also be configured on each of the key servers for the system.
  7. If you selected Gemalto SafeNet KeySecure, the Key Server Credentials page displays. If you enabled authentication to the key server using a username and password, enter that username and password. These credentials are used to authenticate the system each time it connects to the key server. The username and password must match the credentials that are configured on the key server.
  8. On the Key Server Certificate page, you must upload all the necessary key server certificates to the system. The key servers can use a certificate authority (CA) certificate from a trusted third party or a self-signed certificate that is created on the key servers. You can also use both these types of certificates on the key servers. If multiple key servers are configured and use the same CA certificate, upload the single CA-signed certificate, which covers all of the key servers. If the key servers use self-signed certificates, the certificates must be uploaded separately to the system. Any self-signed certificates take priority over any CA-signed certificate that is installed on the system for the key servers.
  9. On the System Encryption Certificate page, click Export Public Key to download the public key to the system. System encryption certificates can also be self-signed or CA-certificate. These certificates are uploaded to each of the key servers to establish trust for the system to communicate with individual key servers. If a certificate does not exist, select Settings > Security > Secure Communications . On the Secure Communications page, select Update Certificate to create or import a certificate. For more information, see the topic about certificates that are used for key servers.
  10. If you selected IBM SKLM (with KMIP) as your key server type, copy the system's public key by adding it to the trust store for the SPECTRUM_VIRT device group on each configured key server. If you selected Gemalto SafeNet KeySecure, ensure that the system encryption certificate is a trusted entity on the KeySecure interface. You can use two methods to add the system encryption certificate as a trusted entity. You can export the current system encryption certificate and then add it to the known certificate authorities (CA) on the Trusted CA List or create a new certificate signing request to a third-party Certificate Authority that is already listed on the Trusted CA List. The system encryption certificate might also require a username, if a username has been enabled for certificates for KeySecure key servers. For information, see the corresponding documentation for your key server.
  11. Return to the System Encryption Certificate page and select The system’s public key certificate has been transferred to each configured key server.
  12. On the Disable USB Encryption panel, select Yes and click Next.
  13. On the Summary page, verify the configuration for the key servers and click Finish. After the configuration completes, keys that were stored on the USB flash drives are not valid. Ensure that you dispose of all USB flash drives securely.

Using the CLI

Before migrating to key server-based encryption, ensure that at least one USB flash drive with the current encryption key is inserted into the system. To migrate from a USB flash drive to key servers to manage encryption keys, complete the following steps:
Migrating from USB flash drives to IBM Security Key Lifecycle Manager key servers
  1. Enter the following command to verify that encryption is enabled on the system with USB flash drives:
    lsencryption
  2. Enter the following CLI command to enable encryption with key servers on your system:
    chencryption -keyserver enable
  3. Enable the key server type and supply the certificate authority (CA) signed certificate if one is required:
    chkeyserverisklm -enable -sslcert /tmp/CASigned.crt
  4. Create the primary key server and specify the key server certificate:
    mkkeyserver -ip ip_address -port port -primary
  5. If you plan to use multiple key servers, enter the following command multiple times to specify up to three more secondary key servers that use the same key server certificate:
    mkkeyserver -ip ip_address -port port
  6. Create the system encryption key and write the key to the specified key server:
    chencryption -keyserver newkey -key prepare
    This command makes the prepared key the current key and stores the key values on all configured key servers.
  7. To verify that the system is prepared, enter the following command:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  8. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
  9. After the new key for the key server is committed, disable encryption for the USB flash drive by entering the following command:
    chencryption -usb disable
Migrating from USB flash drives to Gemalto SafeNet SecureKey key servers
  1. Enter the following command to verify that encryption is enabled on the system with USB flash drives:
    lsencryption
  2. Enter the following CLI command to enable encryption on your system:
    chencryption -keyserver enable
  3. Enable the key server type and supply the certificate authority (CA) signed certificate if one is required:
    chkeyserverkeysecure -enable -sslcert /tmp/CASigned.crt
  4. Configure the username and password that is used to the system to the key servers if one is required:
    chkeyserverkeysecure -username admin -password examplepassword
  5. Create the primary key server and specify the key server certificate if one is required:
    mkkeyserver -ip ip_address -port port -sslcert /tmp/ServerCert.crt -primary
  6. Create up to three additional secondary key servers and specify the key server certificate if one is required.
    mkkeyserver -ip ip_address -port port -sslcert /tmp/ServerCert.crt
  7. Create the encryption key for the system on the key server:
    chencryption -keyserver newkey -key prepare
    This command makes the prepared key the current key and pushes the key to the key server configured as the primary key server.
  8. To verify that the system is prepared, enter the following command:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  9. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
    This command makes the new key the current key and copies it to the primary key server.
  10. After the new key for the key server is committed, disable encryption for the USB flash drive by entering the following command:
    chencryption -usb disable
If encryption is already enabled on the system with key servers, ensure that the primary key server is connected to the system and distributes the current encryption key. To migrate from a key server to USB flash drives to manage encryption keys, complete the following steps:
  1. Enter the following command to verify that encryption is enabled on the system with key servers:
    lsencryption
  2. Enter the following CLI command to enable encryption on your system:
    chencryption -usb enable
  3. If your system has two node canisters, complete the following steps to copy the encryption key:
    1. Insert two blank USB flash drives into the USB ports that are on each node canister.
    2. Ensure that two flash drives are installed:
      lsportusb
      Check that the value for the status parameter is active. This status indicates that the flash drive is inserted in the canister and can be used by the system.
    3. Enter the following CLI command to create the first two copies: 
      chencryption -usb newkey -key prepare
    4. Remove the two USB flash drives from the system and insert at least one more blank USB flash drive to create the required number of copies. The system requires a minimum of three USB flash drives for copying the encryption keys.
    5. Reenter the following CLI command to create the remaining copies: 
      chencryption -usb newkey -key prepare
    6. Repeat the copy process all backup copies are created.
    7. Enter the following command: 
       chencryption -usb newkey -key commit
  4. If your system has four node canisters, complete the following steps to copy the encryption key:
    1. Insert three blank USB flash drives into three USB ports in the four-node system.
    2. Ensure that sufficient flash drives are installed:
      lsportusb
      Check that the value for the status parameter is active. This status indicates that the flash drive is inserted in the canister and can be used by the system.
    3. Enter the following CLI command to create the three copies: 
      chencryption -usb newkey -key prepare
    4. Enter the following command: 
       chencryption -usb newkey -key commit
  5. After the new key is committed, disable encryption for the key server by entering the following command:
    chencryption -keyserver disable
Parent topic: Managing encryption