You can use either the management GUI or the command-line interface to enable encryption on your system. The system supports both key servers and USB flash drives for managing encryption keys. USB flash drive-based key management requires physical access to the system and is practical only in environments with a small number of systems. For organizations whose security policies restrict USB flash drives, the system supports disabling the USB ports to prevent unauthorized transfer of system data to portable media. If you have such requirements, use key servers to manage encryption keys. If your environment does not restrict USB flash drives, you can also configure key servers and USB flash drives at the same time. Configuring both methods ensures that encrypted data remains accessible if one method becomes unavailable or if the keys for one method are permanently lost.
Using the management GUI to enable encryption
While the system is enabling encryption, you are prompted to insert the USB flash drives into the nodes. The system generates the encryption key and copies it to every USB flash drive it detects. To enable encryption, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- On the Welcome panel, select USB flash drives.
Note: You can also select both
Key Servers and USB Flash Drives to configure both
methods to manage encryption keys. If either method becomes unavailable, you can use the other method
to access encrypted data on your system.
- In the wizard, you are prompted to insert the required number of USB flash drives into the system. When the system detects the USB flash drives, it automatically copies the encryption key to them. Create any extra copies that you need for backups. You can leave the USB flash drives inserted in the system, but only if the area where the system is located is secure enough to prevent the drives from being lost or stolen; anyone holding a drive holds the key. If the area is not secure, remove all of the USB flash drives from the system and store them securely.
- After all copies are completed, click Confirm.
- Create several backup copies of the key on USB flash drives or other external storage media and store them securely.
Using the command-line interface to enable encryption
Follow these steps to enable encryption:
- Enter the following CLI command to enable encryption on your
system:
chencryption -usb enable
- Ensure that at least three USB flash drives are installed:
lsportusb
Check that the value of the status field is active for each drive. This status indicates that the USB flash drive is inserted in the node and can be used by the system. Do not proceed with fewer than the required number of active drives, because every key copy the system writes goes to one of these drives.
- Create system encryption keys and write those keys to all system-attached USB flash
drives:
chencryption -usb newkey -key prepare
- Commit the prepared key as the current key. Run this command only when lsencryption reports a usb_rekey value of prepared and the number of USB encryption keys is greater than the minimum number required; committing earlier risks activating a key that has not yet been written to enough drives.
chencryption -usb newkey -key commit
Without the key that is written to the USB flash drives, the encrypted objects cannot be accessed and the data is permanently lost; the system has no recovery path that bypasses the key. It is therefore vital to keep enough copies of the key for day-to-day availability and extra backups for disaster recovery, and to store each copy where it cannot be read by unauthorized people, because a copy of the key file is all that is needed to unlock the data. You can copy key material by making backups of the created files.
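The CLI procedure depends on two checks that are easy to skip under time pressure: enough USB flash drives reporting status active before the key is prepared, and usb_rekey reading prepared before the key is committed. The following POSIX shell script is an added example, not part of this documentation or of the product's own tooling; it parses captured lsportusb and lsencryption output and refuses to proceed unless both conditions hold. The sample outputs in it are constructed: only the status/active and usb_rekey/prepared fields come from the text above, while the other column names and the exact output layout are assumptions, which is why the parsers locate fields by header name rather than by fixed position.

```shell
#!/bin/sh
# Added example (not product code): gate the USB key workflow on the checks the
# CLI procedure calls for. Sample outputs below are CONSTRUCTED; only
# "status"/"active" (lsportusb) and "usb_rekey"/"prepared" (lsencryption) are
# taken from the documentation. Other column names and the exact output
# layout are ASSUMPTIONS, so fields are located by header name.

MIN_USB_KEYS=3   # minimum number of USB flash drives the procedure requires

# Count rows of an lsportusb-style table whose "status" column reads "active".
# Reads the table on stdin; the header row is used to find the column.
count_active_usb() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "status") c = i; next }
         c && $c == "active" { n++ }
         END { print n + 0 }'
}

# Extract the usb_rekey value from lsencryption-style output on stdin.
# Accepts either a name/value listing or a one-row table with a header.
usb_rekey_state() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "usb_rekey") c = i }
         c && NR == 2 { print $c; found = 1 }
         !c && $1 == "usb_rekey" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Decide whether "chencryption -usb newkey -key commit" is safe to run:
# enough active drives AND a key in the prepared state. Returns 0 only then.
commit_allowed() {
    ports="$1"; enc="$2"
    n=$(printf '%s\n' "$ports" | count_active_usb)
    state=$(printf '%s\n' "$enc" | usb_rekey_state)
    if [ "$n" -lt "$MIN_USB_KEYS" ]; then
        echo "refuse: $n active USB flash drive(s), need $MIN_USB_KEYS"
        return 1
    fi
    if [ "$state" != "prepared" ]; then
        echo "refuse: usb_rekey is '$state', not 'prepared'"
        return 1
    fi
    echo "ok: $n active drives and key prepared; safe to commit"
    return 0
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_PORTS='id node_id node_name port_id status
0 1 node1 1 active
1 1 node1 2 active
2 2 node2 1 active
3 2 node2 2 inactive'

SAMPLE_PORTS_FEW='id node_id node_name port_id status
0 1 node1 1 active
1 2 node2 1 active'

SAMPLE_ENC_PREPARED='status enabled
usb_rekey prepared'

SAMPLE_ENC_DONE='status enabled
usb_rekey no'

SAMPLE_ENC_TABLE='status usb_rekey usb_key_count
enabled prepared 3'

# Demonstration on the constructed samples (the last two are refused).
commit_allowed "$SAMPLE_PORTS" "$SAMPLE_ENC_PREPARED"
commit_allowed "$SAMPLE_PORTS_FEW" "$SAMPLE_ENC_PREPARED" || true
commit_allowed "$SAMPLE_PORTS" "$SAMPLE_ENC_DONE" || true

# On a live system you would feed real command output instead, for example:
#   commit_allowed "$(lsportusb)" "$(lsencryption)" \
#       && chencryption -usb newkey -key commit
```

The gate deliberately fails closed: an unrecognised lsencryption layout yields the state unknown, which is treated the same as not prepared, so a parsing mismatch can never cause a premature commit.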