
IBM Storwize V5020 User Manual

864 pages
Chapter 13. Encryption 761
The next section presents a scenario in which both encryption key providers are enabled at the same time. See 13.4.2, “Enabling encryption using USB flash drives” for instructions on how to enable encryption using only the USB flash drive provider. See 13.4.3, “Enabling encryption using key servers” on page 765 for instructions on how to enable encryption using key server(s) as the sole encryption key provider.

13.4.2 Enabling encryption using USB flash drives

Using USB flash drives as the encryption key provider requires a minimum of three USB flash drives to store the generated encryption keys. Because the system attempts to write the encryption keys to any USB flash drive inserted into a node port, it is critical to maintain physical security of the system during this procedure.

While the system enables encryption, you are prompted to insert USB flash drives into the system. The system generates and copies the encryption keys to all available USB flash drives.

Ensure that each copy of the encryption key is valid before you write any user data to the system. The system validates any key material on a USB flash drive when it is inserted into the canister. If the key material is not valid, the system logs an error. If the USB flash drive is unusable or fails, the system does not display it as output. Figure 13-79 on page 797 shows an example where the system detected and validated three USB flash drives.

If your system is in a secure location with controlled access, one USB flash drive for each canister may remain inserted in the system. If there is a risk of unauthorized access, then all USB flash drives with the master access keys must be removed from the system and stored in a secure place.

Securely store all copies of the encryption key. For example, any USB flash drives that hold an encryption key copy and are not left plugged into the system can be locked in a safe. Similar precautions must be taken to protect any other copies of the encryption key that are stored on other media.

Note: The system needs at least three USB flash drives to be present before you can enable encryption using this encryption key provider. IBM USB flash drives are recommended, although other flash drives might work. You can use any USB ports in any node of the cluster. After creating the USB flash drives, you can copy them if you need more than four.

Order IBM USB flash drives in e-config as Feature Code ACEA (IBM Storwize V7000), ACEB (IBM SAN Volume Controller) or ACEC (IBM Storwize V5000): Encryption USB Flash Drives (Four Pack).

Notes: Generally, create at least one additional copy on another USB flash drive for storage in a secure location. You can also copy the encryption key from the USB drive and store the data on other media, which may provide additional resilience and mitigate the risk that the USB drives used to store the encryption key come from a faulty batch.

Every encryption key copy must be stored securely to maintain confidentiality of the encrypted data.
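
One way to check extra key copies made onto other media from an admin workstation, before they go into secure storage (an added example, not part of the IBM manual): each copy is compared byte for byte against a reference copy that the system has already validated. The file names, the use of the three-copy minimum as a threshold, and the POSIX permission check are assumptions of this example.

```python
import hashlib
import hmac
import os
import stat
import tempfile

MIN_COPIES = 3  # minimum number of key copies the manual requires


def file_digest(path):
    """SHA-256 of a file; the value is compared in memory and never printed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def audit_key_copies(reference, copies):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) < MIN_COPIES:
        findings.append(f"only {len(copies)} copies, need at least {MIN_COPIES}")
    want = file_digest(reference)
    for path in copies:
        if not os.path.isfile(path):
            findings.append(f"{path}: missing")
            continue
        if not hmac.compare_digest(file_digest(path), want):
            findings.append(f"{path}: differs from reference")
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{path}: accessible to group or others")
    return findings


def make_sample(n_copies, corrupt=None, mode=0o600):
    """Constructed sample: fake 'key' files in a temp dir (not real key material)."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, f"copy{i}.key") for i in range(n_copies + 1)]
    for i, p in enumerate(paths):
        data = b"CONSTRUCTED-SAMPLE-KEY" + (b"!" if i == corrupt else b"")
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)
    return paths[0], paths[1:]  # (reference, copies)


if __name__ == "__main__":
    ref, copies = make_sample(3, corrupt=2)
    for finding in audit_key_copies(ref, copies) or ["all copies verified"]:
        print(finding)
```

The system's own validation when a USB flash drive is inserted into the canister remains the authoritative check; this script only confirms that offline copies match a copy that has passed it.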
