Encryption key servers create and manage
encryption keys that are used by the system. In environments with many systems, key servers
distribute keys remotely without requiring physical access to the systems. For security and
simplification of key management, key servers are the preferred method of managing encryption keys
on the system.
A key server is a centralized system that generates, stores, and sends encryption keys to the system. If the key server provider supports replication of keys among multiple key servers, you can specify up to four key servers that connect to the system over either a public network or a separate private network. The system supports IBM Security Key Lifecycle Manager or Gemalto SafeNet KeySecure key servers to handle key management on the system. Both of these supported key server management applications create and manage cryptographic keys for the system and authenticate access to these keys with certificates. Only one type of key server management application can be enabled on the system at a time.
Authentication takes place when certificates are exchanged between the system and
the key server. Certificates must be managed closely because expired certificates can cause system
outages. Key servers must be installed and configured before they are defined on the system.
The supported key server versions for IBM Spectrum Virtualize products are shown at the
following website:
http://www.ibm.com/support/docview.wss?uid=ibm10738187
Configuring IBM Security Key Lifecycle Manager key servers
IBM Security Key Lifecycle Manager key servers support the Key Management Interoperability Protocol (KMIP), an OASIS standard protocol for communication between clients and key management servers. The system supports the following key server configurations on IBM Security Key Lifecycle Manager:
- One primary (master) key server and several secondary key servers: IBM Security Key Lifecycle Manager designates one master or primary key server, which can have up to three secondary key servers (also known as clones) defined. The secondary key servers provide additional paths for delivering keys to the system; however, during rekeying only the path to the primary key server is used. When the system is rekeyed, the secondary key servers cannot serve the new key until the primary key server replicates it to them. The time that a replication takes depends on the amount of key and certificate information that is being replicated and on the number of key servers that are configured as clones, and replication must complete before the new key can be used on the system. You can either schedule automatic replication or run it manually in IBM Security Key Lifecycle Manager. During replication, key servers are not available to distribute keys or accept new keys. If replication is triggered manually, IBM Security Key Lifecycle Manager issues a completion message when the replication finishes. Verify that all key servers contain the replicated key and certificate information before keys are used on the system.
- Multiple master key servers: Key servers can be configured in a multi-master configuration in which each key server can create new encryption keys. In this case, any server can be set as the primary key server, which is the key server that the system uses when you create new key server encryption keys. If multi-master mode is enabled on IBM Security Key Lifecycle Manager, a new key is immediately replicated to the other key servers in the configuration.
Ensure that you complete the following tasks on the
IBM Security Key Lifecycle Manager before you enable encryption:
- Define the IBM Security Key Lifecycle Manager to use Transport
Layer Security version 1.2 (TLSv1.2). The default setting on IBM Security Key Lifecycle Manager is TLSv1, but the system supports
only version 1.2. On the IBM Security Key Lifecycle Manager, set the
value to SSL_TLSv2, which is a set of protocols that includes TLSv1.2.
- Ensure that the database service is started automatically on startup.
- Ensure that a valid SSL certificate from IBM Security Key Lifecycle Manager is installed on the system and in use. If automatic replication is configured on IBM Security Key Lifecycle Manager, this certificate needs to be uploaded to the system only once. If automatic replication is not configured, a certificate for each stand-alone key server must be uploaded to the system.
- Specify the SPECTRUM_VIRT device group for the
system definition. If you are configuring multiple key servers, the
SPECTRUM_VIRT device group must be defined on the primary and all secondary
key servers.
- If you currently have encryption enabled with USB flash drives, at least
one of the USB flash drives must be inserted into the system before key servers can be configured
for managing keys.
For more information about completing these tasks, see the IBM Knowledge Center for
IBM Security Key Lifecycle Manager.
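Before a key server is defined on the system, it is worth confirming from an administrative workstation that its KMIP endpoint negotiates TLS 1.2 and presents a certificate that the system will trust and that is not close to expiry, because an expired key server certificate stops the system from fetching keys. The following shell script is an added example, not IBM's or Gemalto's code, and it applies equally to the SafeNet KeySecure prerequisites later on this page. It assumes (hypothetically) that the key server listens for KMIP on port 5696 and that the certificate you plan to upload to the system (the server certificate, or the root CA that signed it) is in a PEM file; the SAMPLE_* strings are constructed openssl s_client transcripts used to exercise the parsing offline.

```shell
#!/bin/sh
# Added example (not IBM's or Gemalto's code): pre-flight check of a key
# server's KMIP endpoint from an administrative workstation.
# Hypothetical assumptions: the key server listens for KMIP on 5696 and the
# certificate you intend to upload to the system (the server certificate or
# the root CA that signed it) is in a PEM file. SAMPLE_* below are
# constructed openssl s_client transcripts for offline testing.

KMIP_PORT="${KMIP_PORT:-5696}"

# tls12_probe HOST CAFILE: attempt a TLS 1.2-only handshake and print the
# s_client transcript. A server that still allows only TLSv1 fails here,
# which is what the system would see. Not run in the offline demonstration.
tls12_probe() {
    openssl s_client -connect "$1:$KMIP_PORT" -tls1_2 -CAfile "$2" \
        </dev/null 2>&1
}

# assess_probe: read an s_client transcript on stdin; succeed only if the
# negotiated protocol is TLSv1.2 and the server chain verified against the
# CA file (verify return code 0). Anything else, including a handshake
# failure that produces no session block, is a failure.
assess_probe() {
    awk '
        /^ *Protocol *: *TLSv1\.2/ { proto = 1 }
        /Verify return code: 0 /   { verified = 1 }
        END { if (proto && verified) exit 0; exit 1 }'
}

# cert_expires_within PEM DAYS: succeed if the certificate in PEM expires
# within DAYS days. openssl -checkend succeeds when the certificate is still
# valid at that point, so the result is inverted. Run this on a schedule so
# a key server certificate is renewed before it expires.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Constructed transcripts (abridged); real output also lists the chain.
SAMPLE_OK='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'
SAMPLE_EXPIRED='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 10 (certificate has expired)
---'

# Offline demonstration: prints "ok" for the first transcript and
# "rejected" for the second.
printf '%s\n' "$SAMPLE_OK" | assess_probe && echo ok
printf '%s\n' "$SAMPLE_EXPIRED" | assess_probe || echo rejected

# Live use (hypothetical host and file names):
#   tls12_probe sklm1.example.com /tmp/sklm.pem | assess_probe
#   cert_expires_within /tmp/sklm.pem 30 && echo "renew key server certificate"
```

Point the CA file at whatever you will upload to the system: the self-signed server certificate itself, or the root CA for CA-signed certificates. If the probe fails on the protocol check against an IBM Security Key Lifecycle Manager server, the transport listener is still at its TLSv1 default.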
When you create key server objects on the system for IBM Security Key Lifecycle Manager key servers, you must specify a device group in addition to the name, IP address, port, and certificate information. A device group is a collection of security credentials (including keys and groups of keys) that allows restricted management of a subset of devices within a larger pool. If you are using the default settings, the system must be defined on the key server in the SPECTRUM_VIRT device group. If the SPECTRUM_VIRT device group does not exist on the key server, it must be created based on the GPFS device family. If you are configuring multiple key servers, the SPECTRUM_VIRT device group must be defined on the primary and all additional key servers.
To enable encryption with an IBM Security Key Lifecycle Manager key server in the management GUI, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- On the Welcome panel, select Key Servers. Click
Next.
Note: You
can also select both Key Servers and USB Flash Drives
to configure both methods to manage encryption keys. If either method becomes unavailable, you can
use the other method to access encrypted data on your system.
- Select IBM SKLM (with KMIP) for the key server type.
- Enter the name, IP address, and port for each key server. If you are configuring multiple key
servers, the first key server that you specify is the primary key server and the rest become
secondary key servers. To ensure that keys are distributed to all secondary key servers, you must
configure replication on IBM Security Key Lifecycle Manager.
- Select SPECTRUM_VIRT for the device group for the key servers.
This device group must also be configured on each of the key servers for the system.
- On the Key Server Certificate page, you must upload all the necessary key server certificates to the system. The key servers can use a certificate from a trusted third party, a self-signed certificate, or a combination of these certificates. If the IBM Security Key Lifecycle Manager servers are configured for automatic replication, this certificate is copied from the primary key server to all secondary key servers, all instances are connected to over secure connections with the same key server certificate, and only one key server certificate needs to be installed on the system; the instances use this single certificate when they replicate keys among themselves. Any self-signed certificate takes priority over any CA-signed certificate that is installed on the system for the key servers. If only one certificate is used and automatically replicated to all configured key servers, select the certificate that you downloaded to the system in the Certificate field. If automatic replication is not configured, select all the valid certificates that you downloaded to the system for each of the configured key servers. Click Next.
- On the System Encryption Certificate page, click Export Public Key to download the system's public key certificate. System encryption certificates can be self-signed or CA-signed. This certificate is uploaded to each of the key servers to establish trust for the system to communicate with individual key servers. If the IBM Security Key Lifecycle Manager servers are configured for automatic replication, the primary key server replicates the system certificate to all secondary key servers. If they are not configured for automatic replication, you must install the system certificate on each stand-alone key server. If a certificate does not exist, select . On the Secure Communications page, select Update Certificate to create or import a certificate. For more information about certificates, see the topic about certificates that are used for key servers.
- Copy the system's public key by adding it to the truststore for the
SPECTRUM_VIRT device group on each configured key server.
See the IBM® Security Key Lifecycle Manager IBM Knowledge Center for
details.
- Return to the System Encryption Certificate page and select
The system’s public key certificate has been transferred to each configured key
server.
- If you have USB flash drives
configured as your encryption method, the Disable USB Encryption page
displays. If you want to migrate to key servers and disable USB flash drives, select
Yes. If you want both encryption methods configured simultaneously, click
No.
- Click Next.
- On the Summary page, verify the configuration for the key servers and
click Finish.
To enable encryption with a
IBM Security Key Lifecycle Manager key server in the command-line
interface, complete the following steps:
- Export the SSL certificate (public key) that is installed on the system:
svctask chsystemcert -export
This action creates a /dumps/certificate.pem file.
- Copy the system's public key as a trusted certificate to each configured key server. See the IBM
Security Key Lifecycle Manager Knowledge Center for details.
- Enter the following CLI command to enable encryption on your
system:
chencryption -keyserver enable
- Enable the key server type and supply the certificate authority (CA) signed certificate if one
is required:
chkeyserverisklm -enable -sslcert /tmp/CASigned.crt
- Create the primary key server and specify the key server
certificate:
mkkeyserver -ip ip_address -port port -primary
- Create up to three more secondary key servers with the same key server
certificate:
mkkeyserver -ip ip_address -port port
- Create the encryption key for the system on the key
server:
chencryption -keyserver newkey -key prepare
This
command requests the primary key server to create a new
key.
- To verify that the system is prepared, enter the following
command:
lsencryption
Check that
the keyserver_rekey parameter has the
value prepared. The prepared value
indicates that the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
This command makes the new key the current key on the system.
Configuring Gemalto SafeNet KeySecure key servers
Gemalto SafeNet KeySecure key servers also support KMIP. KeySecure creates keys on demand and then shares them with the other clustered servers, providing redundant access. The system supports the following configurations on KeySecure key servers:
- KeySecure key servers use an active-active model, where there are multiple key servers to
provide redundancy. One KeySecure key server must be specified as the primary key server. The
primary key server is the key server that the system uses when you create any new encryption keys.
The key is immediately replicated to the other key servers in the KeySecure cluster. All of the
KeySecure key servers that are defined on the system can be used to retrieve keys. Although it is
possible to configure a single key server instance with KeySecure, two key servers are recommended
to ensure availability of keys if one key server experiences an outage.
- The system supports up to four key servers with KeySecure. If the system is accessing multiple
key servers, they need to belong to the same cluster of KeySecure key servers.
Ensure that
you complete the following tasks on the SafeNet KeySecure key servers before you enable
encryption:
- Each key server must be configured to allow TLS 1.2 for secure communications.
- Ensure that a valid SSL certificate from each KeySecure key server is installed on the system
and in use. Either add the server certificate for each KeySecure key server, or add the root CA
certificate which was used to sign each server certificate.
- If you plan to use a user name and password to authenticate the system to these key servers, you must configure user credentials for authentication in the KeySecure interface. For KeySecure 8.10 and later, administrators can configure a user name and password to authenticate the system when it connects. Before KeySecure 8.10, the use of a password is optional. To set up authentication with a user name and password between the system and KeySecure key servers, disable global keys on the High Security menu in the SafeNet KeySecure interface. When global keys are disabled, key servers do not allow clients to create or access keys without valid credentials.
- Ensure that the system encryption certificate is a trusted entity on the KeySecure interface.
You can use two methods to add the system encryption certificate as a trusted entity. You can export
the current system encryption certificate and then add it to the known certificate authorities (CA)
on the Trusted CA List or create a new certificate signing request to a third-party certificate
authority that is already listed on the Trusted CA List. The system encryption certificate might
also require a user name, if a user name is enabled for certificates for KeySecure key servers.
- If you currently have encryption that is enabled with USB flash drives, at
least one of the USB flash drives must be inserted into the system before key servers can be
configured for managing keys.
To enable
encryption with a KeySecure key server with the management GUI, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- On the Welcome page, select Key Servers. Click
Next.
Note: You
can also select both Key Servers and USB Flash Drives
to configure both methods to manage encryption keys. If either method becomes unavailable, you can
use the other method to access encrypted data on your system.
- Select Gemalto SafeNet KeySecure for the key server type.
- Enter the name, IP address, and port for each key server. If you are configuring multiple key
servers, the first key server that you specify is the primary key server.
- On the Key Server Credentials page, enter the user name and password that are used to authenticate the system to the key servers.
- On the Key Server Certificate page, you must upload all the necessary key
server certificates to the system. The key servers can use either a certificate from a trusted third
party, a self-signed certificate, or a combination of these certificates. All instances are
connected to over secure connections with the same key server certificate. Either the server
certificate for each key server, or the root CA certificate that signed the server certificates,
must be installed. Any server certificates take priority over any CA certificate that is installed
on the system for the key servers. Click Next.
- On the System Encryption Certificate page, click Export Public Key to download the system's public key certificate. This certificate is uploaded to one of the key servers to establish trust for the system to communicate with individual key servers. If a certificate does not exist, select . On the Secure Communications page, select Update Certificate to create or import a certificate. For more information about certificates, see the topic about certificates that are used for key servers.
- Return to the System Encryption Certificate page and select
The system’s public key certificate has been transferred to each configured key
server.
- If you have USB flash drives configured as your encryption method, the Disable USB Encryption page displays. If you want to migrate to key servers and disable USB flash drives, select Yes. If you want both encryption methods configured simultaneously, click No.
- Click Next.
- On the Summary page, verify the configuration for the key servers and
click Finish.
To enable encryption with a KeySecure key server in the command-line interface, complete the
following steps:
- Enter the following CLI command to enable encryption on your
system:
chencryption -keyserver enable
- Enable the key server type and supply the certificate authority (CA) signed certificate if one
is required:
chkeyserverkeysecure -enable -sslcert /tmp/CASigned.crt
- Configure the user name and password that are used to authenticate the system to the key servers, if they are required:
chkeyserverkeysecure -username admin -password 'examplepassword'
- Create the primary key server and specify the key server certificate if one is
required:
mkkeyserver -ip ip_address -port port -sslcert /tmp/ServerCert.crt -primary
- Create up to three more secondary key servers and specify the key server certificate if one is
required.
mkkeyserver -ip ip_address -port port -sslcert /tmp/ServerCert.crt
- Create the encryption key for the system on the key
server:
chencryption -keyserver newkey -key prepare
This
command requests the primary key server to create a new
key.
- To verify that the system is prepared, enter the following
command:
lsencryption
Check that
the keyserver_rekey parameter has the
value prepared. The prepared value
indicates that the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
This command makes the new key the current key on the system.
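The CLI procedures for both key server types end with the same prepare, verify, commit sequence, and the verify step is the one that is easy to skip. The following shell script is an added example, not Spectrum Virtualize's own tooling: it runs that sequence over ssh and refuses to commit until lsencryption reports keyserver_rekey prepared, instead of committing blindly after the prepare. It assumes (hypothetically) that the cluster is reachable as superuser@svc-cluster.example.com with key-based ssh authentication and that the concise lsencryption output is one "attribute value" pair per line; the SAMPLE_* strings are constructed in that shape so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not IBM's code): gate the key server rekey commit on the
# lsencryption state. Hypothetical assumptions: the cluster CLI is reachable
# over key-based ssh as $SVC_HOST, and the concise lsencryption output is one
# "attribute value" pair per line. SAMPLE_* are constructed in that shape.

SVC_HOST="${SVC_HOST:-superuser@svc-cluster.example.com}"   # hypothetical

# Constructed lsencryption output for the two states that matter here.
SAMPLE_PREPARED='status enabled
usb_rekey no
keyserver_rekey prepared'
SAMPLE_IDLE='status enabled
usb_rekey no
keyserver_rekey no'

# rekey_state: read lsencryption output on stdin and print the value of
# keyserver_rekey, or "unknown" if the attribute is absent (for example when
# the ssh command itself failed and produced no output).
rekey_state() {
    awk '$1 == "keyserver_rekey" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# can_commit STATE: succeed only when the new key is ready to be committed.
can_commit() {
    [ "$1" = "prepared" ]
}

# svc CMD...: run one CLI command on the cluster. Not run offline.
svc() {
    ssh "$SVC_HOST" "$@"
}

# run_keyserver_rekey [ATTEMPTS]: ask the primary key server for a new key,
# poll until the system reports it prepared, then commit. The new key is
# served only by the primary until the key server replicates it to its
# clones, so do not rely on secondary key servers until that has completed.
run_keyserver_rekey() {
    attempts="${1:-12}"
    svc chencryption -keyserver newkey -key prepare || return 1
    state=unknown
    while [ "$attempts" -gt 0 ]; do
        state=$(svc lsencryption | rekey_state)
        if can_commit "$state"; then
            svc chencryption -keyserver newkey -key commit
            return $?
        fi
        attempts=$((attempts - 1))
        sleep 10
    done
    echo "rekey not prepared after polling; not committing (state: $state)" >&2
    return 1
}

# Offline demonstration on the constructed samples: prints "prepared", then
# "no" with the message that a commit would be refused.
printf '%s\n' "$SAMPLE_PREPARED" | rekey_state
state=$(printf '%s\n' "$SAMPLE_IDLE" | rekey_state)
echo "$state"
can_commit "$state" || echo "would not commit in state: $state"

# Live use (hypothetical): SVC_HOST=superuser@cluster run_keyserver_rekey
```

Because the commit is what makes the new key current on the system, the script fails closed: any state other than prepared, including an unreachable cluster, leaves the existing key in place for an administrator to investigate.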