Encryption Key Life Cycle
■
“Encryption Key Life Cycle” on page 585
Encryption Key Life Cycle
The encryption key life cycle is flexible because you can change keys at any time without
taking data services offline.
When a key is deleted from the keystore, all the shares that use it are unmounted and their
data becomes inaccessible. Backing up keys in the OKM keystore should be performed using
the OKM backup services. Backup of keys in the LOCAL keystore is included as part of the
System Configuration Backup. For the LOCAL keystore, it is also possible to supply the key
by value at creation time to allow it to be escrowed in an external system, which provides an
alternative per-key backup/restore capability.
Related Topics
■
“Data Encryption Workflow” on page 560
■
“Encryption Properties” on page 581
■
“Managing Encryption Keys” on page 582
■
“Performance Impact of Encryption” on page 584
Backing up and Restoring Encrypted Data
When a share is restored using the ZFS restore function, the restored share inherits the
encryption properties of the target project if the original share inherited its encryption properties
from the source project.
To ensure encryption properties of an original share are maintained in a restored share,
configure encryption on the original share instead of inheriting it from its project.
If you want to set encryption differently for an individual share within a project, manually
configure encryption for the individual source share, instead of letting the share inherit its
properties from the project. This ensures that all shares are backed up and restored with the
desired encryption settings.
For more information about NDMP backup, see “NDMP Configuration” on page 267. For
information about replication, see “Remote Replication” on page 469.
Related Topics
■
“Data Encryption Workflow” on page 560
Data Encryption 585
To Next Page
Loading...
Need help?
General
