File system encryption

You can encrypt queue manager file systems. You can also encrypt the system file systems that are used by IBM® MQ.

You specify that you want an encrypted file system when you create a queue manager using the crtmqm command or by using the web console. You specify the passphrase for the encryption at the same time.

When an encrypted file system is created, a unique volume encryption key is generated that is used to encrypt the data. A passphrase is required to access the volume encryption key whenever the file system needs to be mounted. The appliance stores a copy of the passphrase on the encrypted flash device so that the file system can be mounted automatically without requiring the passphrase to be re-entered each time. You can manage the passphrase for an encrypted file system, and you can manage the stored copy of its passphrase on the encrypted flash device.

It is important to save a copy of the passphrase somewhere safe so that it can be re-entered if the stored passphrase is cleared or the SSDs are transferred to a replacement appliance after a hardware failure. If the file system passphrase is lost, the volume encryption key cannot be accessed and the file system data cannot be retrieved.
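The following sketch is an added illustration, not IBM code and not a description of how the appliance implements encryption. It models the relationship described above, in which a random volume encryption key protects the data and the passphrase only unlocks that key, using a constructed PBKDF2 and HMAC wrap from the Python standard library; every function name, the work factor and the passphrases are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _derive(passphrase: str, salt: bytes) -> tuple:
    """Stretch the passphrase into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(volume_key: bytes, passphrase: str) -> dict:
    """Protect the 32-byte volume key under a passphrase, with a fresh salt."""
    if len(volume_key) != 32:
        raise ValueError("volume key must be 32 bytes")
    salt = os.urandom(16)
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(slot: dict, passphrase: str) -> bytes:
    """Recover the volume key; fails if the passphrase is not the right one."""
    pad, mac_key = _derive(passphrase, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise ValueError("wrong passphrase: volume key cannot be recovered")
    return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))


def change_passphrase(slot: dict, old: str, new: str) -> dict:
    """Re-wrap the same volume key; data encrypted under it is untouched."""
    return wrap_key(unwrap_key(slot, old), new)


def can_unlock(slot: dict, passphrase: str) -> bool:
    """True if this passphrase opens the slot, False otherwise."""
    try:
        unwrap_key(slot, passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    vek = os.urandom(32)  # constructed volume encryption key
    slot = wrap_key(vek, "constructed passphrase A")
    slot = change_passphrase(slot, "constructed passphrase A", "constructed passphrase B")
    print("new passphrase unlocks:", can_unlock(slot, "constructed passphrase B"))
    print("old passphrase unlocks:", can_unlock(slot, "constructed passphrase A"))
```

In this model, changing the passphrase replaces only the small wrapped-key record, and a record that no known passphrase opens leaves the volume key, and therefore the data, unrecoverable.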

When you create a high availability (HA) queue manager with an encrypted file system, the passphrase is automatically shared with the other appliance in the HA pair, provided that the other appliance in the HA pair is available. When you create a disaster recovery (DR) queue manager with an encrypted file system, you must store the encryption passphrase on the recovery appliance manually when you create the secondary queue manager.

You can also convert an existing queue manager to use an encrypted file system. To convert an existing queue manager, you must back up the queue manager and then restore it to an encrypted file system.

You schedule encryption for one or more of the system file systems, and they are encrypted the next time that the appliance restarts.