You can use either the management GUI or the command-line
interface to enable encryption on your system. The system supports USB flash drives as a method
to manage encryption keys. USB flash drive-based encryption requires physical access to the systems and is
effective in environments with a minimal number of systems. For organizations that require strict
security policies regarding USB flash drives, the system supports disabling these ports to prevent
unauthorized transfer of system data to portable media devices. If you have such security
requirements, use key servers to manage encryption keys.
Note:
When using USB flash drives to manage the master key for the system, the encryption key is stored
in a custom file format on each USB flash drive. The master key is an AES-256 bit key and is
generated locally by the node hardware, by using the Trusted Platform Module (TPM) for entropy.
Before you can enable encryption, you must set an
encryption license on each enclosure that uses encryption. In the management GUI, select to verify the enclosures that are licensed for encryption. Use the
lsencryption command to ensure that the status is set to
licensed.
Using the management GUI to enable encryption
To
enable encryption, complete these steps:
- If you activated an encryption license and
completed the system setup wizard, click Enable Encryption and complete
the wizard.
- If you selected to enable encryption later in the
system setup wizard, you can still enable encryption in the management GUI by selecting .
- Click Enable Encryption.
- On the Welcome panel, select USB flash
drives.
Note: You can also select
both Key Servers and USB Flash Drives to
configure both methods to manage encryption keys. If either method becomes unavailable, you
can use the other method to access encrypted data on your system.
- In the wizard, you are prompted to insert the
required number of USB flash drives into the system.
When the system detects the USB flash drives,
the encryption key is automatically copied to the USB flash drives. Ensure that you create any
required extra copies for backups. You can leave the USB flash drives inserted into the
system. However, the area where the system is located must be secure to prevent the USB flash
drives from being lost or stolen. If the area where the system is located is not secure,
remove all of the USB flash drives from the system and store securely.
- After all copies are completed, click Confirm.
- Create several backup copies of the key on either USB flash drives or another external
storage media and store securely.
Using the command-line interface to enable encryption
Before you enable encryption, verify that the
encryption license is set for the system by using the lsencryption
command.
Follow these steps to enable encryption:
- Enter the following CLI command to enable encryption on your
system:
chencryption -usb enable
- Ensure that
sufficient flash drives are installed:
lsportusb
Check that the value for the
status parameter is active. This status indicates
that the flash drive is inserted in the canister and can be used by the system.
- Create system encryption keys and write
those keys to all system-attached flash
drives:
chencryption -usb newkey -key prepare
- Commit the prepared key as the current
key. Use this command when the lsencryption value for
usb_rekey is set to prepared and the number
of encryption keys is greater than the minimum number
required.
chencryption -usb newkey -key commit
Without the key
that is written to the flash device, access to the encrypted arrays is not possible and the
data is lost. It is vitally important to have sufficient copies of keys for availability and
extra backups in case of disaster. You can copy key material by making backups of the created
files.