Use the chencryption command to manage the encryption state of the
system.
Syntax
chencryption -usb { enable | disable | validate | newkey -key { prepare | commit | cancel } }
Parameters
- -usb enable | disable | validate | newkey
- (Required) Specifies whether encryption is enabled or disabled, or validates the encryption keys. You can also create new encryption keys, which are also stored on universal serial bus (USB) flash drives for use if the system forgets the encryption keys.
- -usb enable
- Enables encryption capability on the system. Then specify -usb newkey to create new keys. Use this command when the system has encryption hardware and encryption licenses (for example, the lsencryption value for status is set to licensed).
- -usb disable
- Disables the encryption capability of the system. If no encryption key is prepared, this operation is complete and no further action is needed. Do not use this command if an encryption key is prepared and encrypted arrays already exist.
Remember: This removes all encryption keys (that are not on the USB flash drive) from the system.
- -usb validate
- Verifies that encryption keys are present on the USB flash drive and makes sure that the keys match the system encryption keys. Use this command when encryption is enabled and encryption keys exist (for example, the lsencryption value for usb_rekey is set to no).
- -usb newkey
- Generates a new encryption key on a USB flash drive attached to the system. Use this command only if the minimum number of USB flash drives that can be used as key material stores are attached to the system (as reported by lsportusb). When specifying this value, the -key option must also be supplied.
- -key prepare | commit | cancel
- (Optional) Manages the creation of new or replacement encryption keys when -usb newkey is specified.
- -key prepare
- Generates system encryption keys and writes those keys to all USB flash drives attached to the system. If there is active encryption key material, confirm that at least one USB flash drive has the current key material. Use this command only when the lsencryption value for usb_rekey is set to no or no_key.
- -key commit
- Commits the prepared key as the current key. Use this command when the lsencryption value for usb_rekey is set to prepared and the number of USB encryption keys is at least the minimum number required.
- -key cancel
- Cancels any specified key changes. Use this command when the lsencryption value for usb_rekey is set to prepared.
Description
Use this command to manage the encryption state of the system. It can turn on or turn off USB external key encryption (but you cannot disable encryption if there are any encrypted arrays). There are four types:
- enable, which enables encryption.
- disable, which disables encryption.
- validate, which validates USB external key encryption.
- newkey, which specifies a new USB external key for encryption.
You can also rekey the external USB key information, which is divided into three stages:
- prepare, which generates new keys and sets up the system to change encryption keys during apply.
- commit, which includes applying new keys (and copying key information).
- cancel, which rolls back the key setup performed during the prepare and cancels the rekey request.
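The enable, validate, prepare, commit and cancel steps above each carry a precondition on the lsencryption fields status and usb_rekey and on the number of attached USB key drives. The following wrapper, an added example and not code from the reference page or the product, refuses to run a step whose precondition does not hold. It assumes that lsencryption prints one "field value" pair per line, that the caller passes the USB drive count read from lsportusb, and that MIN_USB_KEYS is a placeholder for the minimum drive count on your system.

```shell
#!/bin/sh
# Added example, not from the reference page: run a chencryption step only
# when the preconditions the page states for that step are met.
# Assumptions: lsencryption prints "field value" lines (status, usb_rekey);
# USB_KEYS is supplied by the caller from lsportusb; MIN_USB_KEYS is a
# placeholder for the minimum key-store count required on your system.

MIN_USB_KEYS=${MIN_USB_KEYS:-2}

# field NAME OUTPUT: print the value of NAME from lsencryption-style output.
field() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# step_allowed STEP OUTPUT USB_KEYS: return 0 if STEP may run now, 1 otherwise.
# STEP is enable, validate, prepare, commit or cancel.
step_allowed() {
  status=$(field status "$2")
  rekey=$(field usb_rekey "$2")
  usb_keys=${3:-0}
  case $1 in
    enable)   [ "$status" = licensed ] ;;
    validate) [ "$rekey" = no ] ;;                       # keys exist, none pending
    prepare)  [ "$rekey" = no ] || [ "$rekey" = no_key ] ;;
    commit)   [ "$rekey" = prepared ] && [ "$usb_keys" -ge "$MIN_USB_KEYS" ] ;;
    cancel)   [ "$rekey" = prepared ] ;;
    *)        return 1 ;;
  esac
}

# guarded_chencryption STEP USB_KEYS: check against live lsencryption output,
# then run the real command only when the check passes.
guarded_chencryption() {
  if ! step_allowed "$1" "$(lsencryption)" "$2"; then
    echo "precondition for '$1' not met; check lsencryption and lsportusb" >&2
    return 1
  fi
  case $1 in
    enable|validate) chencryption -usb "$1" ;;
    *)               chencryption -usb newkey -key "$1" ;;
  esac
}
```

A rekey then becomes `guarded_chencryption prepare "$USB_KEYS"` followed by `guarded_chencryption commit "$USB_KEYS"`, with the second call refused while too few drives hold key material.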
An invocation example
chencryption -usb enable
The resulting output:
No feedback
An invocation example
chencryption -usb newkey -key prepare
The resulting output:
No feedback
An invocation example
chencryption -usb newkey -key commit
The resulting output:
No feedback