You can migrate between USB flash drive and key server-based encryption
non-disruptively by using the management GUI or the command-line interface. During migration,
the system supports simultaneous configuration of both key management methods. After the migration
completes, you can disable the old key management method and, if you migrated away from USB flash
drives, disable the USB ports for security reasons.
Using the management GUI
During migration, the system does not disable the currently
configured key management method until the new method is completely configured, so encrypted
data remains accessible with the current key until the migration completes. For example, if
you are migrating from USB flash drives to key servers, the keys on the USB flash drives remain
valid until key server encryption is configured. However, at least one USB flash drive that holds
the current encryption key must be inserted into the system before you migrate to the key servers.
After the key server configuration completes, the old keys on the USB flash drives can no longer
decrypt data on the system. Dispose of old USB flash drives according to your procedures for the
disposal of sensitive information. For organizations with strict security policies on USB flash
drives, the system supports disabling the USB ports to prevent unauthorized transfer of system data
to portable media devices. After the keys are migrated to the key servers, you can disable the USB
ports by using the command-line interface.
Note: The management GUI
supports migration from USB flash drives to a key server encryption method only. To migrate from key
servers to USB flash drives, you must use the command-line interface.
Before migrating to key server-based encryption, ensure that at least
one USB flash drive with the current encryption key is inserted into the system. To migrate
encryption from a USB flash drive to key servers, complete these steps:
- In the management GUI, select .
- On the Encryption page, verify the following information:
- Expand USB Flash Drives and verify that USB flash drives are configured
and detected in the system.
- Expand Key Servers and verify that key servers are not configured on the
system.
- Under Key Servers, click Configure.
- Select either IBM SKLM (with
KMIP) or Gemalto SafeNet KeySecure for the key server
type.
- Enter the name, IP address, and port for each key server. If you are configuring multiple key
servers, the first key server that you specify is the primary key server and the rest become
secondary key servers.
Note: If you
selected IBM SKLM (with KMIP) and the key servers are configured with one
primary and multiple secondary key servers, make sure that replication is enabled so that keys
are distributed to all secondary key servers.
- If
you selected IBM SKLM (with KMIP), the Key Server
Options page displays. Select SPECTRUM_VIRT for the device group for the key servers. This device group
must also be configured on each of the key servers for the system.
- If
you selected Gemalto SafeNet KeySecure, the Key Server
Credentials page displays. If you enabled authentication to the key server using a
username and password, enter that username and password. These credentials are used to authenticate
the system each time it connects to the key server. The username and password must match the
credentials that are configured on the key server.
- On the Key Server Certificate page, you must upload all the necessary key
server certificates to the system. The key servers can use a certificate
authority (CA) certificate from a trusted third party or a self-signed certificate that is created
on the key servers. You can also use both these types of certificates on the key servers. If all key
server certificates are signed by the same CA, upload the root CA certificate. If the key servers
use self-signed certificates, the certificates must be uploaded separately to the system. Any
self-signed certificates take priority over any CA-signed certificate that is installed on the
system for the key servers.
- On the System Encryption Certificate page, click Export Public
Key to download the system's public key certificate. System encryption certificates can be
self-signed or CA-signed. This certificate is uploaded to each of the key servers to
establish trust so that the system can communicate with each key server. If a certificate does not
exist, select . On the Secure Communications page, select Update
Certificate to create or import a certificate. For more
information, see the topic about certificates that are used for key servers.
- If you selected IBM SKLM (with KMIP) as your key
server type, copy the system's public key by adding it to the trust store for the
SPECTRUM_VIRT device group on each configured key server. If you selected
Gemalto SafeNet KeySecure, ensure that the system encryption certificate is a
trusted entity on the KeySecure interface. You can use two methods to add the system encryption
certificate as a trusted entity. You can export the current system encryption certificate and then
add it to the known certificate authorities (CA) on the Trusted CA List or create a new certificate
signing request to a third-party Certificate Authority that is already listed on the Trusted CA
List. The system encryption certificate might also require a username, if a username has been
enabled for certificates for KeySecure key servers.
For information,
see the corresponding documentation for your key server.
- Return to the System Encryption Certificate page and select
The system’s public key certificate has been transferred to each configured key
server.
- On the Disable USB Encryption panel, select Yes
and click Next.
- On the Summary page, verify the configuration for the key servers and
click Finish. After the configuration completes, keys that were stored on the
USB flash drives are not valid. Ensure that you dispose of all USB flash drives securely.
- After you have completed the migration, you can optionally disable USB
ports on the system to prevent unauthorized transfer of system data to portable media devices. The
management GUI does not support this operation.
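The certificate steps above turn on one decision per key server certificate: upload the root CA when the server certificates chain to it, or upload the server certificate itself when it is self-signed. The following script is an added example, not part of the original page and not the system's own CLI; it assumes openssl is on PATH and generates throwaway test certificates (a root CA, one server certificate signed by it, and one self-signed server certificate) so the check can be run offline. The file names and the classify helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): for each key server certificate
# file, decide whether the root CA or the certificate itself must be uploaded.
# Assumption: openssl is on PATH; all certificates below are throwaway test
# material generated here, not real key server certificates.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inputs: a root CA, a server cert issued by it, a self-signed cert
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=kms1.example" \
        -keyout "$WORK/kms1.key" -out "$WORK/kms1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/kms1.csr" -CA "$WORK/rootCA.crt" \
        -CAkey "$WORK/rootCA.key" -CAcreateserial -out "$WORK/kms1.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kms2.example" \
        -keyout "$WORK/kms2.key" -out "$WORK/kms2.crt" 2>/dev/null
}

# is_self_signed CERT : subject and issuer name the same entity
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# chains_to CA CERT : CERT verifies against CA alone, ignoring the system
# trust directory so a host-trusted CA cannot mask a wrong CA file
chains_to() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# classify CA CERT : print which file must be uploaded to the system for CERT
classify() {
    if is_self_signed "$2"; then
        echo "self-signed: upload $2 itself"
    elif chains_to "$1" "$2"; then
        echo "ca-signed: upload the root CA $1"
    else
        echo "unverified: $2 is neither self-signed nor issued by $1; do not upload"
    fi
}

# Stand-alone usage over the constructed certificates
make_test_certs
classify "$WORK/rootCA.crt" "$WORK/kms1.crt"
classify "$WORK/rootCA.crt" "$WORK/kms2.crt"
classify "$WORK/kms2.crt"   "$WORK/kms1.crt"
```

Run it against the certificate files exported from each real key server, with the CA file you plan to upload as the first argument. A result of "unverified" means the CA file is not the issuer of that server certificate, so uploading it would not establish trust; and remember the rule stated above that a self-signed certificate installed on the system takes priority over a CA-signed one for that key server.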
Using the CLI
Before migrating to key server-based encryption, ensure
that at least one USB flash drive with the current encryption key is inserted into the system. To
migrate from a USB flash drive to key servers to manage encryption keys, complete the following steps:
- Migrating from USB flash drives to IBM Security Key Lifecycle Manager key servers
-
- Enter the following command to verify that encryption is enabled on the system with USB flash
drives:
lsencryption
- Enter the following CLI command to enable encryption with key servers on your
system:
chencryption -keyserver enable
- Enable the key server type and supply the root certificate authority (CA) certificate if one is
required:
chkeyserverisklm -enable -sslcert /tmp/rootCA.crt
- Create the primary key server and specify the key server
certificate:
mkkeyserver -ip ip_address -port port -primary
- If you plan to use multiple key servers, enter the following command
multiple times to specify up to three more secondary key servers that use the same key server
certificate:
mkkeyserver -ip ip_address -port port
- Create the system encryption key and write the key to the specified key
server:
chencryption -keyserver newkey -key prepare
This
command creates the new key and stores the key values on all configured key servers. The new key
does not become the current key until it is committed.
- To verify that the system is prepared, enter the following
command:
lsencryption
Check that
the keyserver_rekey parameter has the
value prepared. The prepared value
indicates that the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
- After the new key for the key server is committed, disable encryption for the USB flash drive by
entering the following
command:
chencryption -usb disable
- Migrating from USB flash drives to Gemalto SafeNet KeySecure key servers
-
- Enter the following command to verify that encryption is enabled on the system with USB flash
drives:
lsencryption
- Enter the following CLI command to enable encryption on your
system:
chencryption -keyserver enable
- Enable the key server type and supply the root certificate authority (CA) certificate if one is
required:
chkeyserverkeysecure -enable -sslcert /tmp/rootCA.crt
- Configure the username and password that the system uses to authenticate to the key servers, if
the key servers require
them:
chkeyserverkeysecure -username admin -password 'examplepassword'
- Create the primary key server and specify the key server certificate if one is
required:
mkkeyserver -ip ip_address -port port -sslcert /tmp/ServerCert.crt -primary
- Create up to three additional secondary key servers and specify the key server certificate if
one is
required.
mkkeyserver -ip ip_address -port port -sslcert /tmp/ServerCert.crt
- Create the encryption key for the system on the key
server:
chencryption -keyserver newkey -key prepare
This
command creates the new key and pushes it to the key server that is configured as the primary key
server. The new key does not become the current key until it is committed.
- To verify that the system is prepared, enter the following
command:
lsencryption
Check that
the keyserver_rekey parameter has the
value prepared. The prepared value
indicates that the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
This command makes the new key the current key and copies it to the primary key server.
- After the new key for the key server is committed, disable encryption for the USB flash drive by
entering the following
command:
chencryption -usb disable
If encryption is
already enabled on the system with key servers, ensure that the primary key server is connected to
the system and is distributing the current encryption key. To migrate from key servers to USB flash
drives to manage encryption keys, complete the following steps:
- Enter the following command to verify that encryption is enabled on the system with key
servers:
lsencryption
- Enter the following CLI command to enable encryption on your
system:
chencryption -usb enable
- Ensure that there are at least three USB flash drives
installed:
lsportusb
Check that the value for the status
parameter is active. This status indicates that the USB flash drive is inserted
in the node and can be used by the system.
- Create system encryption keys and write those keys to all system-attached USB flash
drives:
chencryption -usb newkey -key prepare
- Commit the prepared key as the current key. Use this command when the
lsencryption value for usb_rekey is set to
prepared and the number of USB encryption keys is greater than the minimum number
required.
chencryption -usb newkey -key commit
If no USB flash drive that holds the current key is available, the encrypted
objects cannot be accessed and the data is lost. It is vitally important to keep enough copies of
the key for availability, plus extra backups in case of disaster. You can copy key material by
making backups of the files that were created on the USB flash drives.
- After the new key is committed, disable encryption for the key server by entering the following
command:
chencryption -keyserver disable
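Both CLI migrations above follow the same shape: prepare a key, confirm the state with lsencryption (and, for the USB direction, confirm the inserted drives with lsportusb), and only then commit. The following script is an added example, not from the original page and not part of the system's CLI; it gates the commit step on captured command output. It assumes the output was captured with the CLI's -delim : option, so that lsencryption prints one name:value pair per line and lsportusb prints a header row followed by one row per port, and it assumes three as the minimum number of USB flash drives. The column names in the lsportusb sample and all sample outputs are constructed for this example; the status column is located from the header row rather than assumed to be at a fixed position.

```shell
#!/bin/sh
# Added example (not from the original page): pre-commit checks for the two CLI
# migrations, run against captured "lsencryption" and "lsportusb" output.
# Assumptions: output captured with "-delim :"; the samples below are constructed.

# Constructed: lsencryption after "chencryption -keyserver newkey -key prepare"
SAMPLE_KS_PREPARED='status:enabled
usb_rekey:no
keyserver_rekey:prepared'

# Constructed: lsencryption before any new key has been prepared
SAMPLE_NOTHING_PREPARED='status:enabled
usb_rekey:no
keyserver_rekey:no'

# Constructed: lsencryption after "chencryption -usb newkey -key prepare"
SAMPLE_USB_PREPARED='status:enabled
usb_rekey:prepared
keyserver_rekey:no'

# Constructed: lsportusb with three drives inserted (column layout assumed)
SAMPLE_PORTS_OK='id:node_id:node_name:port_id:status
0:1:node1:1:active
1:1:node1:2:active
2:2:node2:1:active
3:2:node2:2:inactive'

# Constructed: lsportusb with only two drives inserted
SAMPLE_PORTS_SHORT='id:node_id:node_name:port_id:status
0:1:node1:1:active
1:1:node1:2:inactive
2:2:node2:1:active
3:2:node2:2:inactive'

# Minimum number of USB flash drives that must receive the key before commit
USB_MIN_DRIVES=3

# field NAME : print the value of NAME from "name:value" lines on stdin
field() {
    awk -F: -v k="$1" '$1 == k { print $2; exit }'
}

# active_usb_count : count lsportusb rows whose "status" column is "active"
active_usb_count() {
    awk -F: 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "status") c = i; next }
             c && $c == "active" { n++ }
             END { print n + 0 }'
}

# keyserver_commit_ready : succeed only when a key-server key is prepared
keyserver_commit_ready() {
    [ "$(field keyserver_rekey)" = "prepared" ]
}

# usb_commit_ready LSENC_TEXT PORTS_TEXT : succeed only when a USB key is
# prepared and at least USB_MIN_DRIVES drives are inserted to receive it
usb_commit_ready() {
    enc_state=$(printf '%s\n' "$1" | field usb_rekey)
    drives=$(printf '%s\n' "$2" | active_usb_count)
    [ "$enc_state" = "prepared" ] && [ "$drives" -ge "$USB_MIN_DRIVES" ]
}

# next_step DIRECTION LSENC_TEXT [PORTS_TEXT] : print the command to run next
# (dry run: nothing is executed against the system)
next_step() {
    case "$1" in
        to-keyserver)
            if printf '%s\n' "$2" | keyserver_commit_ready; then
                echo "chencryption -keyserver newkey -key commit"
            else
                echo "chencryption -keyserver newkey -key prepare"
            fi ;;
        to-usb)
            if usb_commit_ready "$2" "$3"; then
                echo "chencryption -usb newkey -key commit"
            else
                echo "hold: usb_rekey must be prepared and at least $USB_MIN_DRIVES drives active"
            fi ;;
        *) echo "usage: next_step to-keyserver|to-usb LSENC_TEXT [PORTS_TEXT]" >&2; return 2 ;;
    esac
}

# Stand-alone usage over the constructed samples
next_step to-keyserver "$SAMPLE_KS_PREPARED"
next_step to-usb "$SAMPLE_USB_PREPARED" "$SAMPLE_PORTS_SHORT"
next_step to-usb "$SAMPLE_USB_PREPARED" "$SAMPLE_PORTS_OK"
```

In use, feed the functions the real output of lsencryption -delim : and lsportusb -delim : instead of the samples; the point is that the commit command is never issued while keyserver_rekey or usb_rekey still reads anything other than prepared, and for the USB direction not until enough drives are present to hold the key, since a committed USB key that exists on too few drives is the loss scenario the procedure warns about.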