Enabling encryption with USB flash drives

You can use either the management GUI or the command-line interface to enable encryption on your system. The system supports USB flash drives as a method to manage encryption keys. USB flash drive-based encryption requires physical access to the systems and is effective in environments with a minimal number of systems. For organizations that require strict security policies regarding USB flash drives, the system supports disabling these ports to prevent unauthorized transfer of system data to portable media devices. If you have such security requirements, use key servers to manage encryption keys.

Before you can enable encryption, you must set an encryption license on each node that will use encryption. In the management GUI, select Settings > System > Licensed Function to verify the nodes that are licensed for encryption. Use the lsencryption command to ensure that the status is set to licensed.

Using the management GUI to enable encryption

While the system is enabling encryption, you are prompted to insert the USB flash drives into the system. The system copies the encryption key to these drives systematically. The system generates and copies the encryption key to all available USB flash drives. To enable encryption, complete these steps:
  1. If you activated an encryption license and completed the system setup wizard, click Enable Encryption and complete the wizard.
  2. If you opted to enable encryption later, in the management GUI, select Settings > Security > Encryption.
  3. Click Enable Encryption.
  4. On the Welcome panel, select USB flash drives.
    Note: You can also select both Key Servers and USB Flash Drives to configure both methods to manage encryption keys. If either method becomes unavailable, you can use the other method to access encrypted data on your system.
  5. In the wizard, you are prompted to insert the required number of USB flash drives into the system. When the system detects the USB flash drives, the encryption key is automatically copied to the USB flash drives. Ensure that you create any required extra copies for backups. You can leave the USB flash drives inserted into the system. However, the area where the system is located must be secure to prevent the USB flash drives from being lost or stolen. If the area where the system is located is not secure, remove all the USB flash drives from the system and store securely.
  6. After all copies are completed, click Confirm.
  7. Create several backup copies of the key on either USB flash drives or another external storage media and store securely.

Using the command-line interface to enable encryption

Before you enable encryption, verify that the encryption license is set for the system by using the lsencryption command.

Follow these steps to enable encryption:

  1. Enter the following CLI command to enable encryption on your system:
    chencryption -usb enable
  2. Ensure that there are at least three USB flash drives installed:
    lsportusb
    Check that the value for the status parameter is active. This status indicates that the USB flash drive is inserted in the node and can be used by the system.
  3. Create system encryption keys and write those keys to all system-attached USB flash drives:
    chencryption -usb newkey -key prepare
  4. Commit the prepared key as the current key. Use this command when the lsencryption value for usb_rekey is set to prepared and the number of USB encryption keys is greater than the minimum number required.
    chencryption -usb newkey -key commit

    Without the key that is written to the USB device, access to the encrypted arrays is not possible and the data is lost. It is vitally important to have sufficient copies of keys for availability and extra backups in case of disaster. You can copy key material by making backups of the created files.