Enable Encryption

You must have Administrator privileges to change the encryption configuration.

To ensure that you are aware of the requirements for encrypting volumes, read the information in Encryption of Data at Rest.

Beginning with version 6.0, you can use either a passphrase for local key management or external key management for your encryption keys. Encryption uses keys to encrypt volume data. Two important points to remember are:
  • If you lose the passphrase for the master encryption key or if you lose access to the external key manager, data in the encrypted volumes cannot be retrieved.
  • Once it has been set, the encryption status of a volume cannot be changed.

  1. Create the master key or set up the external key manager.
    encryptkey --create_master
  2. Enter a new passphrase of between 8 and 64 characters, composed of any printable characters.
  3. Retype the new passphrase.
  4. (Optional) Specify the group encryption settings.
    group --edit --encryption_cipher {aes-256-xts | none} --encryption_scope {group | volume} --encryption_mode {available | secure}

    The group encryption settings are applied to the volumes that you create from this point forward. The settings are not applied to existing volumes.

  5. Create a volume using the encryption settings that you need and that are valid based on the group encryption settings.
    vol --create volume_name --size mebibytes --encryption_cipher {aes-256-xts | none}
    NOTE: After volume creation, encryption on that volume cannot be changed.

Enabling encryption using the default group encryption settings (encryption_cipher = aes-256-xts, encryption_scope = group, and encryption_mode = available). Here you have the option of using the encryptkey --create_master command to enable encryption with local key management or setting up an external key manager as described in the next section.

$ encryptkey --create_master
Enter new passphrase:
Retype new passphrase:

Creating a volume with encryption when encryption is enabled for the group.

$ vol --create finance --size 1000000 --encryption_cipher aes-256-xts

Creating an unencrypted volume when encryption is enabled for the group.

$ group --edit --encryption_scope volume
$ vol --create facilities --size 500000 --encryption_cipher none