Enabling encryption with USB flash drives

You can use either the management GUI or the command-line interface to enable encryption on your system. The system supports USB flash drives as a method to manage encryption keys. USB flash drive-based key management requires physical access to the systems and is practical only in environments with a small number of systems. For organizations that enforce strict security policies regarding USB flash drives, the system supports disabling the USB ports to prevent unauthorized transfer of system data to portable media. If you have such security requirements, use key servers to manage encryption keys instead.

Note:

When using USB flash drives to manage the master key for the system, the encryption key is stored in a custom file format on each USB flash drive. The master key is an AES-256 bit key and is generated locally by the node hardware, by using the Trusted Platform Module (TPM) for entropy.

Before you can enable encryption, you must set an encryption license on each enclosure that uses encryption. In the management GUI, select Settings > System > Licensed Function to verify the enclosures that are licensed for encryption. Use the lsencryption command to ensure that the status is set to licensed.

Using the management GUI to enable encryption

To enable encryption, complete these steps:
  1. If you activated an encryption license and completed the system setup wizard, click Enable Encryption and complete the wizard.
  2. If you chose to enable encryption later when you ran the system setup wizard, you can still enable it in the management GUI by selecting Settings > Security > Encryption.
  3. Click Enable Encryption.
  4. On the Welcome panel, select USB flash drives.
    Note: You can also select both Key Servers and USB Flash Drives to configure both methods to manage encryption keys. If either method becomes unavailable, you can use the other method to access encrypted data on your system.
  5. In the wizard, you are prompted to insert the required number of USB flash drives into the system. When the system detects the USB flash drives, the encryption key is automatically copied to each of them. Ensure that you create any required extra copies for backups. You can leave the USB flash drives inserted in the system, but only if the area where the system is located is secure enough to prevent the drives from being lost or stolen. If the area is not secure, remove all of the USB flash drives from the system and store them securely.
  6. After all copies are completed, click Confirm.
  7. Create several backup copies of the key on either USB flash drives or another external storage media and store securely.

Using the command-line interface to enable encryption

Before you enable encryption, verify that the encryption license is set for the system by using the lsencryption command.

Follow these steps to enable encryption:

  1. Enter the following CLI command to enable encryption on your system:
    chencryption -usb enable
  2. Ensure that sufficient flash drives are installed:
    lsportusb
    Check that the value for the status parameter is active. This status indicates that the flash drive is inserted in the canister and can be used by the system.
  3. Create system encryption keys and write those keys to all system-attached flash drives:
    chencryption -usb newkey -key prepare
  4. Commit the prepared key as the current key. Use this command only when the lsencryption value for usb_rekey is set to prepared and the number of encryption key copies is greater than the minimum number required.
    chencryption -usb newkey -key commit

    Without a copy of the key that was written to the flash drives, the encrypted arrays cannot be unlocked and the data on them is unrecoverable. It is vitally important to keep enough copies of the key for day-to-day availability, plus extra backups in case of disaster. You can copy key material by making backups of the created files.
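The following script is an added example, not part of the original page and not IBM code. It wraps the four CLI steps above with the checks a practitioner would want before each one: that the license status is licensed, how many USB flash drives are active, and that usb_rekey is prepared and enough copies exist before the commit. The lsencryption and lsportusb output samples are constructed for this example; only the status field, the usb_rekey field and the lsportusb status column come from the page, and the remaining columns and field names are assumptions about the output layout, which is why the helpers locate columns by header name rather than by position. The minimum copy count (MIN_USB_COPIES), the SVC_HOST and SVC_USER variables and the ssh transport are also assumptions; with SVC_HOST unset the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example (not IBM code): gate the USB key enable/prepare/commit
# sequence on the checks the page describes. Samples below are constructed.

MIN_USB_COPIES=${MIN_USB_COPIES:-3}   # policy value chosen for this example (assumption)

# Constructed `lsencryption` output before any USB key exists.
SAMPLE_LSENCRYPTION_LICENSED='status licensed
usb_rekey no
usb_key_count 0'

# Constructed `lsencryption` output after `chencryption -usb newkey -key prepare`.
SAMPLE_LSENCRYPTION_PREPARED='status licensed
usb_rekey prepared
usb_key_count 3'

# Constructed `lsportusb` output; the column layout is an assumption.
SAMPLE_LSPORTUSB='id node_id node_name port_id status encryption_state
0 1 node1 1 active validated
1 1 node1 2 inactive -
2 2 node2 1 active validated
3 2 node2 2 active validated'

# Print the value of one field from "name value" style output on stdin.
field_value() {   # usage: printf '%s\n' "$out" | field_value usb_rekey
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Exit 0 when the lsencryption status on stdin is "licensed".
encryption_licensed() {
    [ "$(field_value status)" = "licensed" ]
}

# Count lsportusb rows (stdin) whose "status" column, found by header, is active.
count_active_usb() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "status") c = i; next }
         c && $c == "active" { n++ }
         END { print n + 0 }'
}

# Exit 0 only when usb_rekey is prepared and enough drives are active to hold copies.
ready_to_commit() {   # usage: ready_to_commit "$lsencryption_out" "$lsportusb_out"
    rekey=$(printf '%s\n' "$1" | field_value usb_rekey)
    active=$(printf '%s\n' "$2" | count_active_usb)
    [ "$rekey" = "prepared" ] && [ "$active" -ge "$MIN_USB_COPIES" ]
}

# Run a system CLI command over ssh when SVC_HOST is set; otherwise dry-run.
svc_cli() {
    if [ -n "$SVC_HOST" ]; then
        ssh "${SVC_USER:-superuser}@$SVC_HOST" "$@"
    else
        echo "dry-run: $*"
    fi
}

# Walk the page's four CLI steps against the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_LSENCRYPTION_LICENSED" | encryption_licensed || {
        echo "encryption is not licensed; set the license first"; return 1; }
    svc_cli chencryption -usb enable                                  # step 1
    active=$(printf '%s\n' "$SAMPLE_LSPORTUSB" | count_active_usb)    # step 2
    echo "active USB flash drives: $active (need $MIN_USB_COPIES)"
    [ "$active" -ge "$MIN_USB_COPIES" ] || {
        echo "insert more USB flash drives before preparing a key"; return 1; }
    svc_cli chencryption -usb newkey -key prepare                     # step 3
    if ready_to_commit "$SAMPLE_LSENCRYPTION_PREPARED" "$SAMPLE_LSPORTUSB"; then
        svc_cli chencryption -usb newkey -key commit                  # step 4
    else
        echo "not committing: key not prepared or too few active drives"
    fi
}

demo
```

Run it as-is to see the dry-run command sequence; set SVC_HOST (and SVC_USER if not superuser) to execute against a real system, and replace the SAMPLE_* variables with live `svc_cli lsencryption` and `svc_cli lsportusb` output. The point of the two gates is that a prepare with too few active drives, or a commit while usb_rekey is still "no", leaves you with fewer key copies than your policy requires.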