Enabling encryption with key servers

Encryption key servers create and manage encryption keys that are used by the system.

A key server is a centralized server or application that receives key requests from the system and distributes encryption keys to it. The system can connect to the key servers over either a public network or a separate private network. Because the system must reach a key server whenever it needs its keys (for example, to unlock encrypted storage after a restart), the reachability and availability of the key servers directly affect the availability of the encrypted data.

The system supports enabling encryption with an IBM Security Key Lifecycle Manager key server. Before you can create the key server object on the system, the key server must be configured. IBM Security Key Lifecycle Manager supports the Key Management Interoperability Protocol (KMIP), an OASIS standard protocol for the management of cryptographic keys between clients and key servers. IBM Security Key Lifecycle Manager can be used to create managed keys for the system, and the system's access to those keys is controlled by the certificate trust that is established between the system and the key server over TLS.

When you create IBM Security Key Lifecycle Manager key server objects, you must specify the IP address, port, certificate, and device group. The device group is a collection of storage identifiers, keys, and groups of keys. A device group allows for restricted management of subsets of devices within a larger pool. The system must be defined on the key server in the SPECTRUM_VIRT device group. If the SPECTRUM_VIRT device group does not exist on the key server, it must be created based on the GPFS™ device family.

Ensure that you complete the following tasks on the IBM Security Key Lifecycle Manager before you enable encryption:
  1. Configure IBM Security Key Lifecycle Manager to use the transport protocol setting that it labels TLSv2. The default setting on IBM Security Key Lifecycle Manager is TLSv1, but the system supports only the TLSv2 setting. Note that "TLSv2" is the name of the key server setting (the TransportListener.ssl.protocols property in SKLMConfig.properties), not a TLS protocol version; the connection that the system makes to the KMIP port uses TLS 1.2, so that version must be enabled on the key server.
  2. Ensure that the database service is started automatically on startup.
  3. Ensure that a valid SSL/TLS certificate is installed on the key server and in use by its KMIP listener. Either this certificate (if it is self-signed) or the CA certificate that signed it is what you upload to the system in step 7 of the procedure below, so confirm that it is not expired and that you have a copy of it.
  4. Specify the SPECTRUM_VIRT device group for the system definition.
For more information about completing these tasks, see the IBM Security Key Lifecycle Manager Knowledge Center.
To enable encryption with a key server, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Click Enable Encryption.
  3. On the Welcome panel, select Key Servers. Click Next.
  4. Select IBM SKLM (with KMIP) for the key server type.
  5. Enter the name, IP address, and port for the key server.
  6. Select SPECTRUM_VIRT for the device group for the key server. This device group must also be configured on the key server for the system.
  7. On the Key Server Certificate page, upload the certificates that the system needs in order to trust the key servers. A key server can present a certificate that is signed by a trusted third party, called a certificate authority (CA), or a self-signed certificate that is created on the key server itself; a configuration can mix both kinds. If multiple key servers use certificates that are signed by the same CA, upload that CA certificate once; it covers all of those key servers. If key servers use self-signed certificates, each key server's certificate must be uploaded separately. Self-signed certificates take priority over any CA certificate that is installed on the system for the key servers.
  8. On the System Encryption Certificate page, click Export Public Key to download the system's public key certificate. The system encryption certificate can be self-signed or CA-signed. This certificate is uploaded to each key server so that the key server trusts the system; together with the key server certificates from the previous step, this establishes mutual trust between the system and each individual key server. If the system does not yet have a certificate, create one under Settings > Security > Secure Communications. For information about key server certificates and system encryption certificates, see Certificates that are used for key servers.
  9. Copy the system's public key certificate to each configured key server as a trusted certificate. See the IBM® Security Key Lifecycle Manager Knowledge Center for details.
  10. Return to the System Encryption Certificate page and select The system’s public key certificate has been transferred to each configured key server.
  11. On the Summary page, verify the configuration for the key servers and click Finish.
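The following preflight script is an added example and is not part of this page or of IBM's tooling. It checks, before you run the wizard, the two things that most often make step 7 fail: whether the key server accepts a TLS 1.2 connection on the KMIP port you will enter in step 5, and whether the certificate it presents verifies against the file you intend to upload (the CA certificate for a CA-signed key server, or the key server's own certificate for a self-signed one). It also classifies a certificate file as self-signed or CA-signed, which decides whether it must be uploaded once per key server. It assumes the openssl command-line tool is available; the port number 5696 in the usage line is SKLM's default KMIP-over-TLS port and is an assumption you should confirm against your key server configuration.

```shell
#!/bin/sh
# Preflight for a KMIP key server, added example (not IBM tooling).
# Requires the openssl command. Inputs: key server address, KMIP port
# (SKLM's default KMIP-over-TLS port is 5696; confirm on your server) and the
# certificate file you intend to upload in step 7 of the procedure.

# Return 0 if the certificate file is self-signed (issuer equals subject and
# the signature verifies with its own key). Self-signed key server
# certificates must be uploaded to the system one per key server; CA-signed
# ones are covered by uploading the CA certificate once.
is_self_signed() {
    cert=$1
    subj=$(openssl x509 -in "$cert" -noout -subject) || return 1
    iss=$(openssl x509 -in "$cert" -noout -issuer) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ] &&
        openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Connect to host:port, forcing TLS 1.2 (the version the system uses), and
# verify the presented certificate against the file that will be uploaded.
# Exit status: 0 ok; 1 no TLS 1.2 handshake (listener down, wrong port, or
# TLS 1.2 not enabled on the key server); 2 handshake ok but the certificate
# does not chain to the trust file, which is the same failure the wizard
# would report.
kmip_tls_probe() {
    host=$1; port=$2; trust=$3
    out=$(openssl s_client -connect "$host:$port" -tls1_2 -CAfile "$trust" \
            </dev/null 2>&1) || {
        echo "FAIL $host:$port: no TLS 1.2 handshake"
        return 1
    }
    case $out in
        *"Verify return code: 0 (ok)"*) ;;
        *)
            echo "FAIL $host:$port: certificate does not verify against $trust"
            printf '%s\n' "$out" | grep 'Verify return code' || true
            return 2 ;;
    esac
    echo "OK $host:$port: TLS 1.2 handshake, certificate verified against $trust"
    # Show what the key server presented, so that an expiring certificate is
    # noticed before the system starts depending on it.
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
}

# Usage: sh kmip_preflight.sh <key-server-address> 5696 <certificate-file>
if [ $# -eq 3 ]; then
    kmip_tls_probe "$1" "$2" "$3"
fi
```

Run the probe once per key server with the file you plan to upload for that server. A status of 1 points at the key server's listener or its TLS protocol setting (preparation task 1); a status of 2 means the file you are about to upload is not the one that actually signs that key server's certificate, which is worth catching before the wizard reports a generic connection failure.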