Configure the encryption environment

Encryption License Key User Guide for VSP One Block

Version: 10.2.x
Audience: anonymous
Part Number: MK-23VSP1B010-00

You can use the REST API or the initial configuration script to configure the encryption environment settings. Many of the settings depend on whether you use a KMS. The following table lists the encryption environment settings and indicates when each setting should be enabled.

For details about using the initial configuration script, see Using the initial configuration script to configure the encryption environment and Running the initial configuration script.

CAUTION:
When you use a KMS, the encryption keys backed up on the KMS are used when the storage system is powered on. Communication between the storage system and the KMS must be established. If communication with the KMS is not established, the storage system boots up but all volumes become blocked. Make sure the storage system and the KMS can communicate before powering on the storage system.

Encryption environment settings

Setting                                          | No KMS   | KMS
-------------------------------------------------|----------|------------------------------------------------------------
Configure the KMS                                | --       | Configure each attribute.
  POST kms-settings                              |          |
Set up encryption environment                    |          |
  PATCH encryption-settings/instance             |          |
  Enable encrypted environments (isEnabled)      | Enabled  | Enabled
  Using a KMS (usesKms)                          | Disabled | Enabled
  Prohibit local key generation                  | Disabled | Disabled if "Prohibit local key generation" is disabled.
    (prohibitsLocalKeyGeneration)                |          | Enabled if "Prohibit local key generation" is enabled.

If you enable "Prohibit local key generation", the setting cannot be changed. Make sure that it is safe to enable this setting.

Use the following procedure to configure the encryption environment. If you are not using a KMS, perform only step 4.

  1. (KMS) Upload the client certificate and the root certificate using the following command:
    POST <Base URL>/v1/objects/kms-certificates
    Tip:
    • To upload the client certificate, set the attribute fileType to ClientCertFile.
    • To upload the root certificate, set the attribute fileType to RootCertFile.
  2. (KMS) Set up a connection with the KMS using the following command:
    POST <Base URL>/v1/objects/kms-settings
  3. (KMS) Perform a communication test with the KMS using the following command:
    POST <Base URL>/v1/objects/kms-settings/<Object ID>/actions/test-connectivity
  4. Configure your encryption environment using the following command:
    PATCH <Base URL>/v1/objects/encryption-settings/instance

    The setting values differ depending on whether a KMS is used. For details about the settings, see the Encryption environment settings table above.
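The four steps above, together with the setting values from the Encryption environment settings table, driven from one script. This is an added example, not Hitachi's tooling and not the initial configuration script; it uses only the endpoints and attribute names shown on this page. The HTTP transport and its authentication (the caller's send function), the attributes of the kms-settings body, the "file" field used to carry the certificate upload, and the "objectId" key read from the kms-settings response are assumptions. It also enforces two points the page makes: step 4 is never sent with usesKms enabled if the connectivity test in step 3 fails, and prohibitsLocalKeyGeneration is only sent after explicit confirmation because the page states it cannot be changed back.

```python
from typing import Callable, Dict, List, Optional

Request = Dict[str, object]                      # {"method": ..., "path": ..., "body": ...}
Transport = Callable[[Request], Dict[str, object]]  # assumed to raise on an HTTP/API failure


class EncryptionSetupError(RuntimeError):
    pass


def build_plan(uses_kms: bool, prohibit_local_key_generation: bool,
               client_cert: Optional[bytes] = None, root_cert: Optional[bytes] = None,
               kms_settings: Optional[Dict[str, object]] = None) -> List[Request]:
    """Return the ordered request list for the procedure; steps 1-3 exist only with a KMS."""
    plan: List[Request] = []
    if uses_kms:
        if client_cert is None or root_cert is None or kms_settings is None:
            raise ValueError("a KMS setup needs both certificates and the kms-settings attributes")
        # Step 1: upload client and root certificates (fileType values are from the page;
        # the "file" field carrying the certificate bytes is an assumption).
        plan.append({"method": "POST", "path": "/v1/objects/kms-certificates",
                     "body": {"fileType": "ClientCertFile", "file": client_cert}})
        plan.append({"method": "POST", "path": "/v1/objects/kms-certificates",
                     "body": {"fileType": "RootCertFile", "file": root_cert}})
        # Step 2: register the KMS connection; its attributes are site specific (assumption).
        plan.append({"method": "POST", "path": "/v1/objects/kms-settings", "body": kms_settings})
        # Step 3: connectivity test; the object ID is filled in from step 2 at execution time.
        plan.append({"method": "POST",
                     "path": "/v1/objects/kms-settings/{kms_object_id}/actions/test-connectivity",
                     "body": None})
    elif prohibit_local_key_generation:
        # Table: without a KMS, "Prohibit local key generation" stays Disabled.
        raise ValueError("prohibitsLocalKeyGeneration can only be enabled when a KMS is used")
    # Step 4 is always performed; values follow the table's No KMS / KMS columns.
    plan.append({"method": "PATCH", "path": "/v1/objects/encryption-settings/instance",
                 "body": {"isEnabled": True, "usesKms": uses_kms,
                          "prohibitsLocalKeyGeneration": prohibit_local_key_generation}})
    return plan


def execute(plan: List[Request], send: Transport,
            confirm_irreversible: bool = False) -> List[Request]:
    """Send the plan in order and return the requests actually sent.

    The transport raises on failure, so a failed step 3 (KMS unreachable) stops the
    run before step 4 can enable encryption with usesKms=True. The irreversible
    prohibitsLocalKeyGeneration=True is refused up front unless confirmed.
    """
    for req in plan:
        body = req["body"]
        if (req["method"] == "PATCH" and isinstance(body, dict)
                and body.get("prohibitsLocalKeyGeneration") and not confirm_irreversible):
            raise EncryptionSetupError(
                "prohibitsLocalKeyGeneration=True cannot be undone; pass confirm_irreversible=True")
    sent: List[Request] = []
    kms_object_id: Optional[str] = None
    for req in plan:
        path = str(req["path"])
        if "{kms_object_id}" in path:
            if kms_object_id is None:
                raise EncryptionSetupError("kms-settings step did not yield an object ID")
            path = path.replace("{kms_object_id}", kms_object_id)
        actual: Request = {"method": req["method"], "path": path, "body": req["body"]}
        resp = send(actual)
        sent.append(actual)
        if path == "/v1/objects/kms-settings":
            # Assumption: the transport surfaces the created object's ID as "objectId".
            kms_object_id = str(resp["objectId"])
    return sent


if __name__ == "__main__":
    # Constructed sample run with a fake transport; no storage system is contacted.
    def fake_send(req: Request) -> Dict[str, object]:
        print(req["method"], req["path"])
        return {"objectId": "kms-1"} if req["path"] == "/v1/objects/kms-settings" else {}

    kms_plan = build_plan(True, False, b"client-cert", b"root-cert", {"host": "kms.example"})
    execute(kms_plan, fake_send)
```

The send callable is where a real deployment plugs in its HTTP client, base URL and credentials; everything the script decides (which steps to run, their order, the PATCH body, and when to refuse) is independent of that transport, which is what makes the sequence testable with a fake.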

After you have configured your encryption environment, you can begin performing encryption operations. The first step is to create DDP (parity) groups with encryption enabled.