Rekeying an encryption-enabled system using a key server

If you configured key servers to manage encryption keys, you can generate new keys with the encryption key servers. Rekeying is the process of creating a new key for the system. To create a new key, encryption must be enabled on the system; however, the rekey operation works whether or not there are encrypted objects.

You can use USB flash drives or key servers to enable encryption. If both methods of encryption are configured on your system, completely rekey one method before you rekey the other method.

Note: To avoid data loss, back up your IBM Security Key Lifecycle Manager data every time that you rekey.

Using the management GUI

During the rekey process, the key server generates a new key and the existing key becomes obsolete. If you are using multiple key servers, the rekey operation happens on the primary key server only. Any additional key servers go offline and the system reports an error against those key servers until the new key is replicated from the primary to the secondary key servers. In multi-master IBM Security Key Lifecycle Manager configurations, the key is replicated to the clone endpoints instantaneously without any downtime on the other key servers in the configuration. You can automatically or manually configure replication with IBM Security Key Lifecycle Manager for the primary and secondary key servers. Replication copies encryption keys between primary and secondary key servers when replication is scheduled on the IBM Security Key Lifecycle Manager. For example, if replication is scheduled to occur every 5 hours and the system is rekeyed, then the secondary key servers remain offline until the scheduled replication occurs. You can also complete manual replication of the keys from the primary to the secondary with the IBM Security Key Lifecycle Manager.

Before you generate a new key on all configured key servers, the key servers must be online and connected to the system. In the management GUI, select Settings > Security > Encryption. Expand Key Servers to display details on all the configured key servers on the system. Verify that the status of the key servers is online and available to the system.

To rekey the system that uses key server encryption, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Expand Key Servers to display all the configured key servers on the system and select Rekey.
  3. Click OK on the message dialog. The encryption key is generated by the primary key server and is copied to the primary key server. If errors occur during the rekey process, status messages display problems with the copy or creation of a new key. To determine and fix other possible errors, select Monitoring > Events.
  4. If you configured multiple key servers, the encryption key is created on the primary key server only. All additional key servers go offline until the key is replicated from the primary key server to the other key servers with IBM Security Key Lifecycle Manager. If multi-master mode is enabled on the IBM Security Key Lifecycle Manager, the key is immediately replicated to the other key servers in the configuration. For more information, see the IBM Security Key Lifecycle Manager Knowledge Center.
If you have USB flash drives configured in addition to a key server, you can now rekey USB flash drives.

Using the command-line interface

Before you generate a new key on all configured key servers, the key servers must be online and connected to the system. In the command-line interface, enter lskeyserver to verify whether the key servers are online and available to the system.

To rekey the system that uses key servers, complete these steps:
  1. Verify that encryption is enabled on the system by entering this command: 
    lsencryption
    Ensure that the status indicates that the encryption is enabled.
  2. After verifying that encryption is enabled, verify that the key servers are online and available by entering this command:
    lskeyserver
    Ensure that the status for all available key servers is online.
  3. After verifying that encryption is enabled and the key servers are online, you need to prepare the system to rekey the encryption keys that are currently being used on the system. To prepare the rekey operation, enter the following command:
    chencryption -keyserver newkey -key prepare
    Note: This command creates the new key on the primary key server only. All additional key servers go offline until the key is replicated from the primary key server to the other key servers with the IBM Security Key Lifecycle Manager.
  4. To verify that the system is prepared, enter the following command:
    lsencryption
    Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that the new key is ready to be committed.
  5. To commit the key, enter the following command:
    chencryption -keyserver newkey -key commit
    This command makes the prepared key the current key and stores the key values on the primary key server.
  6. Verify that the new key is committed by entering the following command:
    lsencryption
    Ensure that the value in the keyserver_rekey parameter is no
  7. If you configured multiple key servers, the encryption key is created on the primary key server only. All additional key servers that are configured until the key is replicated to the other key servers by using the IBM Security Key Lifecycle Manager. For more information, see the IBM Security Key Lifecycle Manager Knowledge Center.
If you have USB flash drives configured in addition to a key server, you can now rekey USB flash drives.
Parent topic: Managing encryption
Related concepts:
Encryption
Related reference:
lsencryption
chencryption
Related information:
IBM Security Key Lifecycle Manager