You can use either the management GUI
or the command-line interface to enable encryption on your system. The system supports USB flash
drives as a method to manage encryption keys.
Using the management GUI to enable encryption
While the system is enabling encryption, you
are prompted to insert the USB flash drives into the system. The system generates the encryption
key and copies it to all available USB flash drives. To enable encryption, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- In the wizard, you are prompted to insert the required number of USB flash drives into the
system. When the system detects the USB flash drives, the encryption key is automatically copied to
the USB flash drives. Ensure that you create any required extra copies for backups. You can leave
the USB flash drives inserted into the system. However, the area where the system is located must be
secure to prevent the key from being lost or stolen. If the area where the system is located is not
secure, remove all the USB flash drives from the system and store them securely.
- After all copies are completed, click Confirm.
- Create several backup copies of the key on either USB flash drives or other external storage
media and store them securely.
Using the command-line interface to enable encryption
Follow these steps to enable encryption:
- Enter the following CLI command to enable encryption on your
system:
chencryption -usb enable
- Ensure that there are at least three USB flash drives
installed:
lsportusb
Check that the value for the status
parameter is active. This status indicates that the USB flash drive is inserted
in the node and can be used by the system.
- Create system encryption keys and write those keys to all system-attached USB flash
drives:
chencryption -usb newkey -key prepare
- Commit the prepared key as the current key. Use this command when the
lsencryption value for usb_rekey is set to
prepared and the number of USB encryption keys is greater than the minimum number
required.
chencryption -usb newkey -key commit
Without the key that is written to the USB device, access to the encrypted objects
is not possible and the data is lost. It is vitally important to have sufficient copies of keys for
availability and extra backups in case of disaster. You can copy key material by making backups of
the created files.
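
The two checks in the command-line steps above (enough active USB ports, and usb_rekey set to prepared) can be scripted as a gate that runs before the commit. The following is an added example, not part of the original documentation. It assumes that the lsportusb and lsencryption output was captured with a colon delimiter, and the function names and sample output are constructed for illustration. It counts active ports against the "at least three" step rather than counting key copies.

```shell
#!/bin/sh
# Added example: pre-commit gate for "chencryption -usb newkey -key commit".
# Assumptions: outputs were captured with "-delim :", lsportusb has a header
# row naming a "status" column, lsencryption prints one field:value per line.

MIN_USB=3  # the procedure asks for at least three USB flash drives

# Count lsportusb rows (stdin) whose status column is "active".
count_active_usb() {
  awk -F: '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "status") col = i; next }
    col && $col == "active" { n++ }
    END { print n + 0 }'
}

# Print the value of one lsencryption field (stdin), e.g. usb_rekey.
encryption_field() {
  awk -F: -v f="$1" '$1 == f { print $2; exit }'
}

# ready_to_commit LSPORTUSB_OUTPUT LSENCRYPTION_OUTPUT
# Returns 0 only when both checks from the steps above pass.
ready_to_commit() {
  active=$(printf '%s\n' "$1" | count_active_usb)
  rekey=$(printf '%s\n' "$2" | encryption_field usb_rekey)
  if [ "$active" -lt "$MIN_USB" ]; then
    echo "refusing commit: $active active USB ports, need $MIN_USB" >&2
    return 1
  fi
  if [ "$rekey" != "prepared" ]; then
    echo "refusing commit: usb_rekey is '$rekey', expected 'prepared'" >&2
    return 1
  fi
}

# Constructed sample output (columns other than status are illustrative).
SAMPLE_PORTS='id:node_id:port_id:status
0:1:1:active
1:1:2:active
2:2:1:active
3:2:2:inactive'
SAMPLE_ENC='status:enabled
usb_rekey:prepared'

if ready_to_commit "$SAMPLE_PORTS" "$SAMPLE_ENC"; then
  echo "checks passed: run chencryption -usb newkey -key commit"
fi
```

In real use, replace the sample variables with output captured from the system CLI over SSH, and run the commit only when the function returns 0.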