Enabling encryption by using GKLM
The Spectrum Scale cluster file system can be encrypted by using the IBM Security® Guardium® Key Lifecycle Manager (GKLM). You can enable encryption features during deployment. The encryption provides highly available key servers for cryptographic operations on the GPFS file system.
The following diagram is an example of a Spectrum Scale deployment with encryption enabled. The deployment includes key servers that use the GKLM application.
By setting the scale_encryption_enabled deployment value to "true" during the deployment, the key servers are automatically deployed and configured with encryption.
Before you begin
Before you begin, review the following tasks:
- Make sure to complete the steps for Getting started with IBM Spectrum Scale.
- Learn more about file system encryption by using GKLM.
A minimum of two key servers are added to the cluster to avoid a single point of failure.
Configuring encryption deployment values
To enable encryption on a Spectrum Scale cluster, the following variables need to be defined in your workspace:
Encryption variable | Description | Example value
---|---|---
scale_encryption_enabled | Set to "true" to enable encryption for the file system. | true
scale_encryption_vsi_osimage_name | Name of the image that you would like to use to create the GKLM server for encryption. The solution supports only a RHEL 8.6 stock image. | gklm-custom-image-name
scale_encryption_vsi_profile | Specify the virtual server instance profile type name used to create the storage nodes. For more information, see Instance profiles. | bx2-2x8
scale_encryption_server_count | The number of highly available encryption servers that are set up. You can choose between a minimum of two servers and a maximum of five servers. | 3
scale_encryption_admin_password | The admin password for the GKLM application, which needs to be configured by using specific guidelines and policies. | xxxxxxx
scale_encryption_dns_domain | IBM Cloud DNS Services domain name to be used for the GKLM cluster. | gklmscale.com
scale_encryption_instance_key_pair | Name of the SSH key configured in your IBM Cloud account that is used to establish a connection to the encrypted Scale key server nodes. Make sure that the SSH key is present in the same resource group and region where the key servers are provisioned. The solution supports only one SSH key that can be attached to key server nodes. If you do not have an SSH key in your IBM Cloud account, create one by using the SSH keys instructions. | my-ssh-key
After a successful cluster creation, the following resources are automatically configured to encrypt the file system:
- The key servers are deployed along with the Spectrum Scale cluster.
- The admin password is updated for the GKLM application.
- An SSL certificate is created on the key server.
- Replication occurs between the primary and clone key servers.
- The key servers are added to each cluster (storage and compute).
- Tenants and clients are created on each cluster.
- The master key is created for encrypting the file system.
- An encryption policy is created and applied to the file system.
The storage and compute clusters have access to the encrypted file system, and any files that are created on the file system are encrypted.
Verifying encryption on the file system
1. Log in to any of the clusters (storage or compute nodes) by running the following SSH command:

   ssh -J root@BASTION_SERVER vpcuser@STORAGE_NODE

2. List the key server that was added to the cluster by running the following command:

   mmkeyserver server show

3. List the key components, for example, the tenant or client, by running the following commands:

   mmkeyserver tenant show
   mmkeyserver client show

4. Validate the policy that was applied to the cluster by running the following command:

   mmlspolicy FILESYSTEM_NAME -L

5. Check that a file is encrypted by running the following command:

   mmlsattr -n gpfs.Encryption FILE_NAME
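The following script is an added example and is not part of the IBM documentation or the Spectrum Scale tooling. It ties together the two procedures above: it sanity-checks the encryption deployment values from the table (the 2-to-5 key server range, and that an SSH key and DNS domain are supplied) before a workspace is applied, and it inspects captured output of `mmlsattr -n gpfs.Encryption FILE_NAME` to decide whether a file actually carries an encryption attribute, so that a verification run fails loudly on an unencrypted file instead of relying on a visual check. The sample command outputs are constructed here; the exact wording of the gpfs.Encryption value is assumed, and only the attribute name, which the page gives, is relied on. The function names, the BASTION_SERVER and STORAGE_NODE placeholders and the verify_node_file wrapper are this example's own.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-deployment checks for the encryption
# variables and a parser for 'mmlsattr -n gpfs.Encryption' output.

# Validate the encryption deployment values before applying the workspace.
# Returns 0 when the values are consistent with the documented constraints,
# 1 otherwise, with the reason on stderr.
validate_encryption_vars() {
  enabled="$1"; server_count="$2"; key_pair="$3"; dns_domain="$4"
  if [ "$enabled" != "true" ]; then
    echo "scale_encryption_enabled is not true; no key servers will be deployed" >&2
    return 0
  fi
  case "$server_count" in
    ''|*[!0-9]*) echo "scale_encryption_server_count must be numeric" >&2; return 1 ;;
  esac
  # Two servers is the documented minimum (no single point of failure), five the maximum.
  if [ "$server_count" -lt 2 ] || [ "$server_count" -gt 5 ]; then
    echo "scale_encryption_server_count must be between 2 and 5 (got $server_count)" >&2
    return 1
  fi
  [ -n "$key_pair" ]   || { echo "scale_encryption_instance_key_pair is required" >&2; return 1; }
  [ -n "$dns_domain" ] || { echo "scale_encryption_dns_domain is required" >&2; return 1; }
  return 0
}

# Given the captured output of 'mmlsattr -n gpfs.Encryption FILE', return 0 if the
# file reports a non-empty gpfs.Encryption attribute and 1 otherwise. A file that
# lacks the attribute was written without the encryption policy in effect.
file_is_encrypted() {
  printf '%s\n' "$1" | grep -q '^gpfs\.Encryption:[[:space:]]*"[^"]'
}

# Run the check against a live node through the bastion host. Usage:
#   verify_node_file BASTION_SERVER STORAGE_NODE /gpfs/fs1/some/file
# (hypothetical wrapper; the ssh jump form is the one the page documents)
verify_node_file() {
  bastion="$1"; node="$2"; path="$3"
  out=$(ssh -J "root@$bastion" "vpcuser@$node" "mmlsattr -n gpfs.Encryption '$path'") || return 1
  if file_is_encrypted "$out"; then
    echo "ENCRYPTED   $path"
  else
    echo "UNENCRYPTED $path" >&2
    return 1
  fi
}

# Constructed sample outputs (shape assumed; only the attribute name is from the docs).
ENCRYPTED_SAMPLE=$(cat <<'EOF'
file name:            /gpfs/fs1/secret.dat
gpfs.Encryption:      "EncPar 'AES:256:XTS:FEK:HMACSHA512' type: wrapped FEK WrpPar 'AES:KWRAP' CmbPar 'XORHMACSHA512' KEY-EXAMPLE-KEY-ID:EXAMPLE_RKM"
EOF
)
PLAIN_SAMPLE=$(cat <<'EOF'
file name:            /gpfs/fs1/plain.dat
EOF
)

# Offline self-check so the script can be exercised without a cluster.
run_offline_checks() {
  validate_encryption_vars true 3 my-ssh-key gklmscale.com || return 1
  file_is_encrypted "$ENCRYPTED_SAMPLE" || return 1
  if file_is_encrypted "$PLAIN_SAMPLE"; then return 1; fi
  echo "offline checks passed"
}
```

Run the offline checks with `run_offline_checks` after sourcing the script; against a real cluster, call verify_node_file for a file created after the policy was applied, and treat a non-zero exit as a failed verification.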
To learn more about encryption for Spectrum Scale or different encryption use cases, see Encryption.