Enabling Encryption
The Storage Scale cluster file system can be encrypted by using the IBM Security® Guardium® Key Lifecycle Manager (GKLM) or the IBM KeyProtect. You can enable encryption features during deployment. The encryption provides highly available key servers for cryptographic operations on the GPFS file system.
Enabling encryption by using GKLM
The following diagram is an example of a Storage Scale deployment with encryption enabled. The deployment includes key servers that use the GKLM application.
By setting the scale_encryption_type deployment value to gklm, the key servers are automatically deployed and configured for encryption during the deployment.
Before you begin
Before you begin, review the following tasks:
- Make sure to complete the steps for Getting started with IBM Storage Scale.
- Learn more about file system encryption by using GKLM.
A minimum of two key servers are added to the cluster to avoid a single point of failure.
Configuring encryption deployment values
To enable encryption on a Storage Scale cluster, the following variables need to be defined in your workspace:
Encryption variable | Description | Example value |
---|---|---|
scale_encryption_type | To enable file system encryption, specify either key_protect or gklm. If neither is specified, the default value is 'null' and encryption is disabled. | gklm |
scale_encryption_vsi_osimage_name | Specify the image name to create the GKLM server when scale_encryption_type is set to gklm. Only RHEL 8.8 stock images are supported. | gklm-custom-image-name |
scale_encryption_vsi_profile | Specify the virtual server instance profile type to create storage nodes when scale_encryption_type is set to gklm. For more information, see Instance profiles. | bx2-2x8 |
scale_encryption_server_count | Specify the number of servers for a high-availability encryption setup when scale_encryption_type is set to gklm. A minimum of 2 servers and a maximum of 5 servers are allowed. | 3 |
scale_encryption_admin_password | The password for administrative operations in KeyProtect or GKLM must be between 8 and 20 characters long. It must include at least three alphabetic characters (one uppercase and one lowercase), two numbers, and one special character from the set (~@_+:). The password should not contain the username. For more information, see GKLM password policy. | xxxxxxx |
scale_encryption_dns_domain | Specify the IBM Cloud DNS Services domain name for the GKLM cluster when scale_encryption_type is set to gklm. Note: If an existing DNS domain is in use, a new domain must be provided, as existing domains are not supported. | gklmscale.com |
scale_encryption_instance_key_pair | Specify the name of the SSH key in your IBM Cloud account for connecting to the Scale Encryption keyserver nodes when scale_encryption_type is set to gklm. Ensure the SSH key is in the same resource group and region as the keyservers. Only one SSH key is supported for the keyserver nodes. If you do not have an SSH key in your IBM Cloud account, create one by using the SSH keys instructions. | my-ssh-key |
After a successful cluster creation, the following resources are automatically configured to encrypt the file system:
- The key servers are deployed along with the Storage Scale cluster.
- The admin password is updated for the GKLM application.
- An SSL certificate is created on the key server.
- Replication occurs between the primary and clone key servers.
- The key servers are added to each cluster (storage and compute).
- Tenants and clients are created on each cluster.
- The master key is created for encrypting the file system.
- An encryption policy is created and applied to the file system.
The storage and compute clusters have access to the encrypted file system, and any files that are created on the file system are encrypted.
Verifying encryption on the file system
- Log in to any of the clusters (storage or compute nodes) by running the following SSH command:
  ssh -J root@BASTION_SERVER vpcuser@STORAGE_NODE
- List the key server that was added to the cluster by running the following command:
  mmkeyserv server show
- List the key components, for example tenant or client, by running the following commands:
  mmkeyserv tenant show
  mmkeyserv client show
- Validate the policy that was applied to the cluster by running the following command:
  mmlspolicy FILESYSTEM_NAME -L
- Check the encrypted file by running the following command:
  mmlsattr -n gpfs.Encryption FILE_NAME
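The verification steps above end with reading the gpfs.Encryption attribute of a file. The following script is an added example (not part of the IBM documentation): it builds the same jump-host SSH command as the login step, runs mmlsattr on the storage node, and decides from the output whether the file is encrypted and with which cipher specification. The sample outputs are constructed for this example and the /usr/lpp/mmfs/bin path and the use of sudo on the node are assumptions; the parser relies only on the "gpfs.Encryption:" attribute line, so minor layout differences between releases do not matter.

```python
"""Run the documented verification step and interpret its result (added example)."""
import re
import shlex
import subprocess
from typing import List, Optional

MMFS_BIN = "/usr/lpp/mmfs/bin"  # assumed location of the mm* commands on the node


def build_ssh_command(bastion_server: str, storage_node: str, remote_cmd: str) -> List[str]:
    """argv for: ssh -J root@BASTION_SERVER vpcuser@STORAGE_NODE <remote_cmd>"""
    return ["ssh", "-J", f"root@{bastion_server}", f"vpcuser@{storage_node}", remote_cmd]


# Attribute line printed by "mmlsattr -n gpfs.Encryption FILE"; the value may be quoted.
_ATTR_LINE = re.compile(r'^gpfs\.Encryption:\s*"?(?P<value>.*?)"?\s*$', re.MULTILINE)
# Cipher specification inside the attribute, e.g. EncPar 'AES:256:XTS:FEK:HMACSHA512'.
_ENCPAR = re.compile(r"EncPar '(?P<cipher>[^']+)'")


def parse_encryption_attr(mmlsattr_output: str) -> Optional[str]:
    """Return the gpfs.Encryption value, or None when the attribute is absent."""
    m = _ATTR_LINE.search(mmlsattr_output)
    if m is None or not m.group("value"):
        return None
    return m.group("value")


def is_encrypted(mmlsattr_output: str) -> bool:
    """A file is encrypted exactly when it carries a non-empty gpfs.Encryption attribute."""
    return parse_encryption_attr(mmlsattr_output) is not None


def encryption_cipher(mmlsattr_output: str) -> Optional[str]:
    """Cipher specification from the EncPar clause, if the file is encrypted."""
    attr = parse_encryption_attr(mmlsattr_output)
    if attr is None:
        return None
    m = _ENCPAR.search(attr)
    return m.group("cipher") if m else None


def verify_file(bastion_server: str, storage_node: str, file_name: str) -> bool:
    """Run the check over SSH; mm commands need root on the node, hence sudo (assumed)."""
    remote = f"sudo {MMFS_BIN}/mmlsattr -n gpfs.Encryption {shlex.quote(file_name)}"
    result = subprocess.run(
        build_ssh_command(bastion_server, storage_node, remote),
        capture_output=True, text=True, check=False,
    )
    return is_encrypted(result.stdout)


# Constructed sample outputs (not captured from a real cluster).
SAMPLE_ENCRYPTED = (
    "file name:            /gpfs/fs1/data/report.csv\n"
    "gpfs.Encryption:      \"EncPar 'AES:256:XTS:FEK:HMACSHA512' type='wrapped' "
    "WrpPar 'AES:KWRAP' CmbPar 'XORHMACSHA512' KEY-example-id:GKLM_devG1\"\n"
)
SAMPLE_PLAIN = "file name:            /gpfs/fs1/data/notes.txt\n"

if __name__ == "__main__":
    for label, out in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        print(f"{label}: encrypted={is_encrypted(out)} cipher={encryption_cipher(out)}")
```

Running the script offline exercises the parser on the two constructed samples; verify_file() is the part to call against a real deployment, with the bastion and storage node addresses from your workspace.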
To learn more about encryption for Storage Scale or different encryption use cases, see Encryption.
Accessing the GKLM dashboard
- Open a new command line terminal.
- Run the following command from the local machine:
  ssh -L 9443:localhost:9443 -J ubuntu@<bastion_host_IP> vpcuser@<first_GKLM_server>
- Open the browser on the local machine and go to https://localhost:9443/.
- Enter the username SKLMAdmin and the password that you set up when you created your workspace to access the GKLM GUI.
Enabling encryption by using IBM KeyProtect
The Storage Scale cluster file system can be encrypted using IBM® Key Protect. The IBM Key Protect on IBM Cloud service helps you provision and store encrypted keys for applications across IBM Cloud services, so that you can see and manage data encryption and the entire key lifecycle from one central location.
You can enable encryption features during deployment by setting the scale_encryption_type deployment value to key_protect.
Before you begin
Before you begin, review the following tasks:
- Make sure to complete the steps for Getting started with IBM Storage Scale.
- Learn more about file system encryption by using IBM Key Protect.
Configuring encryption deployment values
To enable encryption on a Storage Scale cluster, the following variables need to be defined in your workspace:
Encryption variable | Description | Example value |
---|---|---|
scale_encryption_type | To enable file system encryption, specify either key_protect or gklm. If neither is specified, the default value is 'null' and encryption is disabled. | key_protect |
scale_encryption_admin_password | The password for administrative operations in KeyProtect or GKLM must be between 8 and 20 characters long. It must include at least three alphabetic characters (one uppercase and one lowercase), two numbers, and one special character from the set (~@_+:). The password should not contain the username. For more information, see GKLM password policy. | xxxxxxx |
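The two variable tables (the GKLM one and the IBM Key Protect one above) state constraints that are only checked once the deployment runs. The following preflight script is an added example, not IBM code: it encodes those constraints (valid scale_encryption_type values, the 2 to 5 key server range, the GKLM-only variables, and the admin password policy) so a workspace can be checked before a deployment is started. The variable names are those of the tables; the function names, the sample workspace values, and the use of SKLMAdmin as the username the password must not contain are assumptions made for the example.

```python
"""Preflight check of Storage Scale encryption deployment values (added example)."""
from typing import Dict, List

SPECIALS = "~@_+:"        # special characters the password policy allows
ADMIN_USER = "SKLMAdmin"  # GKLM GUI user named on the page; assumed to be the username in the policy
GKLM_ONLY_VARS = [
    "scale_encryption_vsi_osimage_name",
    "scale_encryption_vsi_profile",
    "scale_encryption_server_count",
    "scale_encryption_dns_domain",
    "scale_encryption_instance_key_pair",
]


def password_errors(password: str, username: str = ADMIN_USER) -> List[str]:
    """Return every way the password violates the stated policy (empty list means it passes)."""
    errs = []
    if not 8 <= len(password) <= 20:
        errs.append("length must be between 8 and 20 characters")
    if sum(c.isalpha() for c in password) < 3:
        errs.append("needs at least three alphabetic characters")
    if not any(c.isupper() for c in password):
        errs.append("needs at least one uppercase letter")
    if not any(c.islower() for c in password):
        errs.append("needs at least one lowercase letter")
    if sum(c.isdigit() for c in password) < 2:
        errs.append("needs at least two numbers")
    if not any(c in SPECIALS for c in password):
        errs.append(f"needs one special character from the set ({SPECIALS})")
    if username.lower() in password.lower():
        errs.append("must not contain the username")
    return errs


def validate_encryption_vars(workspace: Dict[str, object]) -> List[str]:
    """Check the workspace values for both the gklm and the key_protect case."""
    errs: List[str] = []
    enc_type = workspace.get("scale_encryption_type")
    if enc_type in (None, "null"):
        return errs  # encryption disabled, nothing to check
    if enc_type not in ("gklm", "key_protect"):
        return [f"scale_encryption_type must be gklm, key_protect or null, got {enc_type!r}"]

    pw = str(workspace.get("scale_encryption_admin_password", ""))
    errs += [f"scale_encryption_admin_password: {e}" for e in password_errors(pw)]
    if enc_type == "key_protect":
        return errs  # only the type and the admin password are needed

    for name in GKLM_ONLY_VARS:
        if not workspace.get(name):
            errs.append(f"{name} is required when scale_encryption_type is gklm")
    count = workspace.get("scale_encryption_server_count")
    if count is not None:
        try:
            if not 2 <= int(count) <= 5:
                errs.append("scale_encryption_server_count must be between 2 and 5")
        except (TypeError, ValueError):
            errs.append("scale_encryption_server_count must be an integer")
    return errs


# Constructed sample workspace values (example values from the table, not a real deployment).
GOOD_GKLM_WORKSPACE = {
    "scale_encryption_type": "gklm",
    "scale_encryption_vsi_osimage_name": "gklm-custom-image-name",
    "scale_encryption_vsi_profile": "bx2-2x8",
    "scale_encryption_server_count": 3,
    "scale_encryption_admin_password": "Gklm@2024pw",  # constructed, satisfies the policy
    "scale_encryption_dns_domain": "gklmscale.com",
    "scale_encryption_instance_key_pair": "my-ssh-key",
}

if __name__ == "__main__":
    for name, ws in (("good", GOOD_GKLM_WORKSPACE),
                     ("too many servers", dict(GOOD_GKLM_WORKSPACE, scale_encryption_server_count=7))):
        print(name, validate_encryption_vars(ws) or "OK")
```

Run it against the variables you intend to enter in the workspace; an empty result means every constraint stated in the tables is met, and each reported line names the variable that would otherwise fail during deployment.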
Verifying encryption on the file system
- Log in to any of the clusters (storage or compute nodes) by running the following SSH command, and then switch to the root user:
  ssh -J root@BASTION_SERVER vpcuser@STORAGE_NODE
  sudo -i
- Validate the policy that was applied to the cluster by running the following command:
  mmlspolicy FILESYSTEM_NAME -L
- Check the encrypted file by running the following command:
  mmlsattr -n gpfs.Encryption FILE_NAME