If you configured encryption with USB flash drives, you can create new keys and store
them on USB flash drives. Rekeying
is the process of creating a new key for the system. To create a new key, encryption must be enabled
on the system; however, the rekey operation works whether or not there are encrypted
objects.
If you have both methods of encryption configured on
your system, completely rekey one method before rekeying to the other.
Before creating a new
key, ensure that at least one USB port contains a USB flash drive that contains the current
key. During the rekey
process, a new key is generated and copied to the USB flash drives. The new key is then used instead
of the current key. The rekey operation fails unless at least one USB flash drive contains the
current key. To rekey the system you need at least three USB flash drives to
store the copied key material.
Using the management GUI
To rekey the system in the management GUI, complete these steps:
- In the management GUI, select . Verify that the encryption key is accessible, which means at least one of the USB
flash drives contains the current key. Insert the other USB flash drives into the remaining ports on
the node. Available ports are displayed to indicate which ports need USB flash drives.
- Expand USB Flash Drives to display all the detected USB flash drives on
the system and select Rekey.
- When the system detects the required number of the USB flash drives with at least one drive that
contains an existing key, the new key is generated and is copied to the USB flash drives. Click
Commit after the key is created to complete the rekey operation. If errors
occur during the rekey process, status messages display problems with the copy or creation of a new
key. For example, if the minimum number of USB drives are inserted but none of them have an existing
encryption key, the rekey operation fails. To determine and fix other possible errors, select .
Note: If you have key servers configured in addition to USB flash drives, you can
now rekey the key server.
Using the command-line interface
To rekey the system in the command-line
interface, complete these steps:
- Verify that encryption is enabled on the system by entering this
command:
lsencryption
Ensure that the status indicates
that the encryption is enabled.
- After verifying that encryption is enabled, you need to prepare the system to rekey the
encryption keys that are currently being used on the system. Ensure that at least one of the USB
flash drives that contain the current key is inserted into the configuration node. The current key
is necessary; otherwise, the rekey process fails. Insert other USB flash drives into the remaining
USB ports on the rear of the system. To prepare the rekey operation and copy the new key to all
inserted USB flash drives on the system, enter the following
command:
chencryption -usb newkey -key prepare
This
command confirms at least one of the USB flash drives contain the current encryption key. It also
generates a new encryption key for the system and copies the key to all USB flash drives that are
inserted into the system. Optionally, you can make additional copies of the encryption keys for
backups if the USB flash drives are lost or damaged.
- To commit the key, enter the following
command:
chencryption -usb newkey -key commit
This
command makes the prepared key the current key and stores the key values on the USB flash drives.
- Verify that the new key is committed by entering the following
command:
lsencryption
Ensure that the value in the
usb_rekey parameter is no and the
usb_key_copies has the minimum required number of USB flash drives with copies
of the keys. The system needs at least three USB flash drives, each with one copy of the key. It is
recommended that additional copies of the keys are made and stored securely.