[gpfsug-discuss] Spectrum Scale Encryption

Simon Thompson (Research Computing - IT Services) S.J.Thompson at bham.ac.uk
Thu Apr 6 09:20:31 BST 2017


We are currently looking at adding encryption to our deployment for some
of our data sets and for some of our nodes. Apologies in advance if some
of this is a bit vague, we're not yet at the point where we can test this
stuff out, so maybe some of it will become clear when we try it out.


For a node that we don't want to have access to any encrypted data, what
do we need to set up?

According to the docs:
https://www.ibm.com/support/knowledgecenter/STXKQY_4.2.2/com.ibm.spectrum.scale.v4r22.doc/bl1adv_encryption_prep.htm


"After the file system is configured with encryption policy rules, the
file system is considered encrypted. From that point on, each node that
has access to that file system must have an RKM.conf file present.
Otherwise, the file system might not be mounted or might become unmounted."

So on a node which I don't want to have access to any encrypted files, do
I just need to have an empty RKM.conf file?

(If this is the case, would be good to have this added to the docs)


Secondly ... (and maybe I'm misunderstanding the docs here)

For the Policy
https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.2/com.ibm.spectrum.scale.v4r22.doc/bl1adv_encryptionpolicyrules.htm


KEYS ('Keyname'[, 'Keyname', ... ])


KeyId:RkmId


RkmId should match the stanza name in RKM.conf?

If so, it would be useful if the docs used the same names in the examples
(RKMKMIP3 vs rkmname3)

And KeyId should match a "Key UUID" in SKLM?


Third. My understanding from talking to various IBM people is that we need
ISKLM entitlements for NSD Servers, Protocol nodes and AFM gateways
(probably), do we have to do any kind of node registration in ISKLM? Or is
this purely based on the certificates being distributed to clients and
keys are mapped in ISKLM to the client cert to determine if the node is
able to request the key?

Thanks

Simon
