Encryption requirements and limitations

Learn the requirements and limitations for using file encryption.

For encryption requirements, see the topic Preparation for encryption.

Encryption has the following requirements and limitations:
  • Existing files cannot be encrypted. To encrypt a file that is currently not encrypted, you must copy it into a new file whose encryption policy rules dictate that the file is to be encrypted. Note that renaming a file does not change its encryption attributes. Encryption attributes are defined at the time that the file is created.
  • The following types of nodes must have network connectivity to the key server node so that they can retrieve the master encryption key (MEK), which is needed to encrypt or decrypt file data:
    • The file system manager node.
      Note: Bear in mind that the file system manager node can be changed. For more information, see mmchmgr command and mmlsmgr command.
    • An NSD server node.
    • Any node that might participate in a maintenance operation, such as restriping the file system.
  • For a multicluster environment, see the topic Encryption in a multicluster environment.
  • For a Disaster Recovery environment, see the topic Encryption in a Disaster Recovery environment.
  • For backup and restore, see the topic Encryption and backup/restore.
  • For snapshots, see the topic Encryption and snapshots.
  • Data for encrypted files is not stored in the inode. For more information, see Use of disk storage and file structure within a GPFS file system.
  • Data from encrypted files is not stored in the highly available write cache (HAWC). For more information, see Highly available write cache (HAWC).
  • Encryption is not supported on Windows. The encryption function must remain disabled when Windows nodes are added to the cluster.
  • To avoid a security exposure, by default IBM Spectrum Scale does not allow file data from encrypted files, which is held in memory as cleartext, to be copied into an LROC. As a result, a file system in which most of the files are encrypted does not take advantage of the performance benefits that are provided by an LROC. However, you can set IBM Spectrum Scale to enable cleartext from encrypted files to be copied into an LROC. You might choose this option if you can configure your system to remove the security problem.
    Warning: If you allow cleartext from an encrypted file to be copied into an LROC, you must take steps to protect the cleartext while it is in LROC storage.
    For more information, see the following links: