
CREATE_LOCKING_POLICY procedure

The CREATE_LOCKING_POLICY procedure creates a password policy.

Before creating a password policy, the Platform KeyStore must be enabled: in the HMC, open Partition Properties -> Advanced Settings and set the Platform KeyStore Size value to a non-zero value.

Before creating the NVMe password protection policy on the partition, it is recommended that all of the system and user data be saved using GO SAVE: Option 21 (saving the entire system).

All NVMe devices supported by IBM® i are Self-Encrypting Drives (SED). This means the data is encrypted at rest. However, the key used to encrypt and decrypt the data is not protected. By creating a password policy and adding NVMe devices to it, the devices can protect the confidentiality of stored user data against unauthorized access once the device leaves the owner’s control. This feature uses the Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) specification for storage. Each NVMe device that supports the Opal SSC is registered in a list of devices on which the administrator can establish a locking policy. Once the device is added to the locking policy, the NVMe device will lock itself when a Main Power loss or a PCIe cold reset occurs.

The NVMe device will be locked when:
  • A DLPAR Remove operation is performed on the device
  • A Concurrent Maintenance Power Off is performed on the device
  • The partition is IPLed
  • The NVMe device is reset

Once the device is locked, reads and writes issued to the drive will fail. While the NVMe device remains in the partition, restoring power to the device will cause it to automatically unlock itself, using the policy password stored in the Platform KeyStore.

Authorization: The caller must have *IOSYSCFG and *SERVICE special authorities.

CREATE_LOCKING_POLICY ( POLICY_PASSWORD => policy-password )

The schema is QSYS2.

policy-password
A character string that contains the initial policy password that will be used to unlock the device(s) and for changing the locking policy configuration.

It must be at least 8 characters long and cannot exceed 32 characters.

Example

  • Create a locking policy.
    
    CALL QSYS2.CREATE_LOCKING_POLICY(POLICY_PASSWORD => 'My0dev9pw!'); 