Rekeying
is the process of creating a new key for the system. Encryption must already be
enabled on the system before a new key can be created; the rekey operation
itself works whether or not any encrypted arrays exist.
Before creating a new key, ensure that at least one USB port contains a USB
flash drive that holds the current key. During the rekey process, a new key is
generated and copied to the inserted USB flash drives, and the new key then
replaces the current key. The rekey operation fails unless at least one inserted
USB flash drive contains the current key. Rekeying also requires at least three
USB flash drives to hold copies of the new key.
Using the Management GUI to rekey the system
To rekey the system in the management GUI, complete these steps:
- In the management GUI, select . Verify that the encryption key is accessible,
which means that at least one of the inserted USB flash drives contains the
current key. Insert the other USB flash drives into the remaining ports on the
rear panel of the control enclosure. Available ports are displayed to indicate
which ports still need USB flash drives.
- After inserting the remaining USB flash drives into the system, select .
- When the system detects the required number of USB flash drives, at least one
of which contains the existing key, the new key is generated and copied to the
USB flash drives. Click Commit after the key is created to complete the rekey
operation. If errors occur during the rekey process, status messages report
problems with the creation or copying of the new key. For example, if the
minimum number of USB flash drives is inserted but none of them holds an
existing encryption key, the rekey operation fails. To determine and fix other
possible errors, select .
Using the command-line interface to rekey the system
To rekey the system in the command-line interface, complete these steps:
- Verify that encryption is enabled on the system by entering this command:
lsencryption
Ensure that the status indicates that encryption is enabled.
- After verifying that encryption is enabled, prepare the system to rekey the
encryption key that is currently in use. Ensure that at least one USB flash
drive that contains the current key is inserted into the configuration node;
without the current key the rekey process fails. Insert the other USB flash
drives into the remaining USB ports on the rear of the system. To prepare the
rekey operation and copy the new key to all inserted USB flash drives, enter the
following command:
chencryption -usb newkey -key prepare
This command confirms that at least one of the inserted USB flash drives
contains the current encryption key, generates a new encryption key for the
system, and copies the new key to every USB flash drive that is inserted into
the system. Optionally, make additional copies of the new key as backups in case
USB flash drives are lost or damaged.
- To verify that the system is prepared and the key has been copied to the
inserted USB flash drives, enter the following command:
lsencryption
Check that the usb_rekey parameter has the value prepared.
Note: The prepared value indicates that the new key is ready to be committed.
If USB flash drives are already inserted into the canisters, the encryption key
is copied to them automatically. If no USB flash drives are present in the
canister, insert them to begin copying the key to the drives. To verify that the
copies to the USB flash drives succeeded, enter lsencryption and check the value
of usb_key_copies. Each successful copy to a USB flash drive increments this
value, so it must match the number of USB flash drives that you inserted to
receive the new encryption key. Before the key can be committed, this value must
be at least the minimum required number of copies.
- To commit the key, enter the following command:
chencryption -usb newkey -key commit
This command makes the prepared key the current key and stores the key values on
the USB flash drives.
- Verify that the new key is committed by entering the following command:
lsencryption
Ensure that the value of the usb_rekey parameter is no and that usb_key_copies
shows at least the minimum required number of USB flash drives holding copies of
the key. The system needs at least three USB flash drives, each with one copy of
the key. It is recommended that additional copies of the key are made and stored
securely, because after the commit only the new key is in use and a drive that
was not present during the rekey does not hold it.
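The CLI steps above can be driven from a script that refuses to commit until the checks the page describes pass. The script below is an added example and is not part of the original page or IBM's own tooling. It assumes that the CLI is reached over SSH as a superuser-type account (SYSTEM), that lsencryption is read in its one-attribute-per-line "name value" form, and that MIN_COPIES (three, as stated on this page), TIMEOUT and the run_cli wrapper are ours. Only lsencryption and chencryption -usb newkey -key prepare|commit are taken from the page.

```shell
#!/bin/sh
# Added example (not IBM's code): USB rekey over the CLI with pre-commit checks.
# Assumptions not on the page: SSH transport, SYSTEM, MIN_COPIES, TIMEOUT,
# and the "name value" layout of lsencryption output.
SYSTEM="${SYSTEM:-superuser@cluster.example.com}"   # assumed host/account
MIN_COPIES="${MIN_COPIES:-3}"                       # minimum copies from the page
TIMEOUT="${TIMEOUT:-300}"                           # seconds to wait for copies

# Run one CLI command on the system. Override this function for a dry run.
run_cli() {
    ssh "$SYSTEM" "$@"
}

# Read one attribute from lsencryption, e.g.: enc_attr usb_key_copies
enc_attr() {
    run_cli lsencryption | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Step 1: there is nothing to rekey unless encryption is enabled.
check_enabled() {
    [ "$(enc_attr status)" = "enabled" ]
}

# Step 2: prepare. The command fails if no inserted drive holds the current key.
prepare_rekey() {
    run_cli chencryption -usb newkey -key prepare || return 1
    [ "$(enc_attr usb_rekey)" = "prepared" ]
}

# Step 3: wait until at least MIN_COPIES drives hold the new key.
wait_for_copies() {
    waited=0
    while [ "$waited" -lt "$TIMEOUT" ]; do
        copies=$(enc_attr usb_key_copies)
        [ "${copies:-0}" -ge "$MIN_COPIES" ] && return 0
        sleep 5
        waited=$((waited + 5))
    done
    return 1
}

# Step 4: commit, then confirm the prepared key became the current key.
commit_rekey() {
    run_cli chencryption -usb newkey -key commit || return 1
    [ "$(enc_attr usb_rekey)" = "no" ] &&
    [ "$(enc_attr usb_key_copies)" -ge "$MIN_COPIES" ]
}

# Whole procedure; returns non-zero at the first failed check, never committing
# a key that too few drives hold.
rekey() {
    check_enabled   || { echo "encryption is not enabled" >&2; return 1; }
    prepare_rekey   || { echo "prepare failed: is a drive with the current key inserted?" >&2; return 1; }
    wait_for_copies || { echo "only $(enc_attr usb_key_copies) copies; insert more drives, not committing" >&2; return 1; }
    commit_rekey    || { echo "commit failed or final state not as expected" >&2; return 1; }
    echo "rekey complete with $(enc_attr usb_key_copies) copies of the new key"
}

# Usage: sh rekey.sh run   (the functions can also be sourced and called singly)
if [ "${1:-}" = "run" ]; then
    rekey
fi
```

The wait loop is the practitioner's safeguard: usb_key_copies only increments as each drive receives the new key, so committing before it reaches the minimum would leave the system with fewer usable copies than the page requires.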