
Enable encryption

In document IBM DS8870 Disk Encryption (Page 85-92)

Chapter 4. DS8000 encryption implementation

4.2 GUI configuration for DS8000 encryption

4.2.4 Enable encryption

The encrypted data within the DS8870 is partitioned into one encryption group. The encryption group that contains encrypted data is enabled to access data through one data key that is obtained from a key server (SKLM).

An encryption group contains a set of extent pools, each of which has a set of associated ranks and volumes.

After the recovery key is created, log on to the DS8870 GUI as a user who has the Administrator role to enable encryption and authorize the previously generated recovery key. From the DS8870 GUI Welcome window, click Settings and then Security, as shown in Figure 4-32.

Figure 4-32 Navigate to the Encryption window

Note: Currently, the DS8870 supports only one encryption group.

The encryption wizard is displayed in Figure 4-33. This wizard is invoked only when you are about to enable encryption for the first time. Click Enable Encryption to continue.

Figure 4-33 Encryption wizard

The welcome window opens with basic information about the prerequisites for the next steps, such as that at least two key servers should already be configured and online (connected to the DS8870 system). In addition, in the example in Figure 4-34, a message indicates that the recovery key has already been configured by the Security Administrator. This key needs to be authorized by the Storage Administrator. Click Next to continue.

Figure 4-34 Encryption wizard - Welcome window

The next step is to configure key servers. The DS8870 system supports up to four key servers. Each one is assigned a port.

The following considerations apply to configurations:

• In multiple site configurations, at least two of the key server ports should be assigned to isolated key servers at separate physical sites. The remaining ports can be connected to general key servers.

• In single site configurations, at least two of the key server ports should be assigned to isolated key servers at the same site.

The DS8870 configuration for encryption also requires that at least two active key servers be

The DS8870 monitors all configured key servers. Client notification is provided for loss of access to key servers and other key server-related errors through DS8870 client notification mechanisms (SNMP traps and email, if configured) in the following ways:

• Loss of access to key servers is reported at 5-minute intervals.

• Loss of the ability for at least two key servers to provide key services that can prevent access to the data on the DS8870 is reported at 8-hour intervals.

• The inability of any one key server to provide key services that can prevent access to data on the DS8870 is also reported at 8-hour intervals.

In the example (see Figure 4-35), four key servers are defined. You can add or remove key servers by clicking the + or - sign next to each key server field. Specify the host address (IP address or host name of the key server). The default TCP port number is 3801. Click Next.

Figure 4-35 Encryption wizard - Define key servers

Each key server connection is tested at this point. The message in Figure 4-36 is displayed if all the key servers you defined in the previous step are accessible. Click OK.

Figure 4-36 Encryption wizard - Test key servers

The next step is to define the key label for the data key that the SKLM server generated during the certificate creation step on the SKLM server. This key label should match the one defined in Figure 4-3 on page 54, Certificate label in keystore. In this example, this key label is named ds8k_tuc_02.

Only one key label is required when the SKLM key servers are all installed on open systems platforms with the same keystore type. A dual key label option is applicable only when at least one SKLM key server is installed on z System (z/OS) and the other on an open systems platform. This is due to the different keystore type used on z Servers.

In the example in Figure 4-37, only one label is defined because all SKLM key servers are installed on the same platform with the same keystore type. Click the + sign to add a key label for the dual platform support. You can add the key label even after the encryption is enabled. The encryption wizard lets you continue even if the key label you provided does not match the key label you specified in the SKLM server. The label verification is done as the last step of the encryption enablement process. Click Next to continue.

TCP port: The TCP port can also be changed, and it should match the TCP setting on the SKLM key server. The default is 3801 for TKLM or SKLM.
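A pre-flight check for the key server and key label rules described above, as an added example that is not IBM's code or part of the original document. The `KeyServer` record, `check_plan`, `reachable`, the host names and the site names are hypothetical, and the reachability test is only a TCP connect to the configured port, not the connection test that the wizard performs.

```python
import socket
from dataclasses import dataclass

DEFAULT_PORT = 3801      # default TKLM/SKLM port given in the text
MAX_KEY_SERVERS = 4      # the DS8870 supports up to four key servers

@dataclass
class KeyServer:         # hypothetical planning record, not a DS8870 object
    host: str
    site: str
    platform: str        # "open" or "zos"
    isolated: bool
    port: int = DEFAULT_PORT

def check_plan(servers, labels, multi_site):
    """Return the list of rule violations for a planned key server setup."""
    problems = []
    if not 2 <= len(servers) <= MAX_KEY_SERVERS:
        problems.append("need between 2 and 4 key servers")
    isolated = [s for s in servers if s.isolated]
    if len(isolated) < 2:
        problems.append("need at least two isolated key servers")
    elif multi_site and len({s.site for s in isolated}) < 2:
        problems.append("isolated key servers must be at separate sites")
    mixed = {s.platform for s in servers} == {"open", "zos"}
    if len(labels) not in (1, 2):
        problems.append("need one key label, or two for dual platform")
    elif len(labels) == 2 and not mixed:
        problems.append("dual key label applies only to mixed z/OS and open")
    return problems

def reachable(server, timeout=3.0):
    """TCP connect only; this does not exercise the key-serving protocol."""
    try:
        with socket.create_connection((server.host, server.port), timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Constructed sample plan; host names and site names are placeholders.
    plan = [KeyServer("sklm1.example.test", "site-a", "open", True),
            KeyServer("sklm2.example.test", "site-b", "open", True)]
    for problem in check_plan(plan, ["ds8k_tuc_02"], multi_site=True):
        print("PLAN:", problem)
    for ks in plan:
        print(ks.host, ks.port, "reachable" if reachable(ks) else "UNREACHABLE")
```

Run it from a host on the same network path as the DS8870 management connection, because a successful connect from elsewhere says nothing about what the storage system can reach.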

The last step is to authorize the pending request for the recovery key from the Security Administrator. Click Authorize as shown in Figure 4-38.

Figure 4-38 Encryption wizard - Authorize recovery key

The confirmation message window is displayed (see Figure 4-39). Click Yes to continue.

Figure 4-39 Encryption wizard - Confirm recovery key authorization

The recovery key state changes to Configured as soon as the recovery key authorization is confirmed (see Figure 4-40).

Figure 4-40 Encryption wizard - Recovery key configured

This is the last step to complete the encryption enablement. The window in Figure 4-41 provides the summary of the configuration. Click Finish to initiate all tasks required to enable the encryption.

Figure 4-41 Encryption wizard - Summary

Encryption enablement tasks take approximately one minute. Expand the View more details section to see the task list. The overall progress is displayed as a percentage. When the Completed message is displayed, click Close (see Figure 4-42).

In the Encryption window (Figure 4-43), the encryption state is Enabled and Encryption key is Accessible. By expanding each section you get more information. In this example, there is one key label and four key servers that are accessible and online.

Figure 4-43 Encryption enabled and accessible

The overall process to enable the encryption on DS8870 system using the GUI interface is quite simple. It takes approximately 5 minutes to complete all the above documented steps.

Now you are ready for DS8870 logical configuration, that is, create ranks, extent pools, and volumes. From the moment you create the extent pools, you will not be able to disable the encryption unless you delete all volumes, ranks, and extent pools.

There are a few options available to manage the encryption environment. You can rekey the data key and recovery key. See 5.1, “Rekey data key” on page 94 and 5.2, “Recovery key use and maintenance” on page 95 for more information.
