File encryption

Use the following table to access IBM Spectrum Scale documentation for file encryption.

Table 1. Quick reference for file encryption
For this information...		Go to...
IBM Spectrum Scale file encryption ensures secure storage of data and secure deletion of data.		Encryption
Read about master encryption keys (MEKs) and file encryption keys (FEKs).		Encryption keys
An encryption policy specifies the set of files to be encrypted, an encryption algorithm, and a MEK for wrapping the FEK.		Encryption policies
File encryption policy rules: The ENCRYPTION IS rule; the SET ENCRYPTION rule. Default encryption parameters. Example of an encryption policy. Rewrapping policies; the CHANGE ENCRYPTION rule.		Encryption policy rules
Configuring the components that are required for encryption: Terms defined. Required software: IBM Spectrum® Scale. Required software: Remote Key Management (RKM) server. Preparing your cluster for encryption. Preparing the remote key management (RKM) server. RKM back ends. The RKM.conf file and the RKM stanza. Adding backup RKM servers in a high-availability configuration. The client keystore directory and its files.		Preparation for encryption
Configuring an environment to support file encryption.	Secure file encryption and deletion.	Establishing an encryption-enabled environment
	Simplified setup.	Simplified setup: Using SKLM with a self-signed certificate Simplified setup: Using SKLM with a certificate chain Simplified setup: Valid and invalid configurations Simplified setup: Accessing a remote file system Simplified setup: Doing other tasks
	Regular setup.	Regular setup: Using SKLM with a self-signed certificate Regular setup: Using SKLM with a certificate chain
	SKLM v2.7 and later.	Configuring encryption with SKLM v2.7 or later
	Thales Vormetric DSM.	Configuring encryption with the Vormetric DSM key server
Notifications when RKM or key client certificates approach their expiration dates.		Certificate expiration warnings
Renewing expired client and RKM server certificates.		Renewing client and server certificates Certificate expiration errors Renewing expired server certificates Renewing expired client certificates
Testing whether a file is encrypted by IBM Spectrum Scale.		Encryption hints
Securely deleting files in a fileset. Secure deletion and encryption key cache purging.		Secure deletion
Meeting standards for FIPS-140-2 certification and NIST SP88-131A compliance.		Encryption and standards compliance Encryption and FIPS 140-2 certification Encryption and NIST SP800-131A compliance
Accessing an encrypted file in a remote cluster.		Encryption in a multicluster environment
Preserving access to MEKs if an entire site goes down.		Encryption in a Disaster Recovery environment
Encrypted files are unencrypted before they are sent to the mmbackup command. A file that is being restored from backup is encrypted only if it matches an encryption rule at the destination.		Encryption and backup/restore
The snapshot restore operation restores encrypted files and their FEKs and MEKs. For encrypted files in a snapshot, take care not to delete a relevant MEK until after the snapshot is deleted.		Encryption and snapshots
By default cleartext from an encrypted file is not copied into a local read-only cache (LROC). The LROCEnableStoringClearText option allows copying cleartext into an LROC.		Encryption and a local read-only cache (LROC) device
An encrypted file that is migrated to an external pool is unencrypted. A file that is recalled from an external pool is encrypted only if it matches an encryption rule at the destination.		Encryption and external pools
File encryption requirements. File encryption use in special environments. Existing files. Encrypted data is not stored in the inode. Data in encrypted files is not stored in the HAWC.		Encryption requirements and limitations