Manually Generating Data Encryption Keys (SKM)

The library generates a RAS ticket when you need to generate more data encryption keys. To manually generate data encryption keys, you need to temporarily disable library managed encryption on a partition, and then enable it again. Enabling library managed encryption on a partition triggers the library to check both SKM servers to see if new data encryption keys are needed. If so, it creates the keys.

The data encryption key generation process takes approximately 15 minutes. You should not run any library or host-initiated operations on SKM partitions during key generation and backup.

CAUTION: Avoid manually generating keys on more than five libraries simultaneously as the key generation process is resource-intensive on the server. Generating keys manually on more than five libraries at once could result in a failure to complete the key generation operation, or interfere with key retrieval operations. If a failure does occur during key generation, wait 10 minutes, then try to start it again. The key generation process will resume from where the error was encountered. .

Follow the steps below to generate data encryption keys manually:

  1. Make sure that both SKM servers are running and operational.
  2. From the library’s Web client, access the encryption partition configuration screen (Setup > Encryption > Partition Configuration).
  3. Select an SKM partition configured for library managed encryption, and temporarily disable library managed encryption by changing the encryption method from Enable Library Managed to Allow Application Managed. Remember which partition it is, because you will be changing it back in a few minutes. Make sure to click Apply.

    CAUTION: When you change the partition’s encryption method to Allow Application Managed, the data that was written to the tapes while the partition was configured for Enable Library Managed can no longer be read, until you change the partition back to Enable Library Managed. You will only be disabling for a short time, and then changing back to Enable Library Managed (just to trigger the key generation process) so this should have little effect, unless you forget to turn it back to Enable Library Managed.
  4. Wait 3 minutes to allow the changes to complete.
  5. Go back to the encryption partition configuration screen and change the partition back to Enable Library Managed. Again, make sure to click Apply.
  6. Wait for the process to complete before resuming library operations.
  7. Back up both SKM server keystores. You must back up the keystores every time you generate new data encryption keys to protect against catastrophic server failure. See the Scalar Key Manager User’s Guide for instructions on backing up the keystores.

See also: