Enabling KMS encryption for a local LSU
You can enable KMS encryption for a local LSU by using the nbdevconfig command.
To enable KMS encryption for a local LSU
- Create a configuration file with a name of your preference in the following format. For example, sample_config.txt:
  V7.5 "operation" "set-local-lsu-kms-property" string
  V7.5 "encryption" "1" string
  V7.5 "kmsenabled" "1" string
  V7.5 "kmsservertype" "0" string
  V7.5 "kmsservername" "xxxxxx" string
  V7.5 "keygroupname" "xxxxx" string
| Configuration setting | Description |
| --- | --- |
| V7.5 "operation" "set-local-lsu-kms-property" string | You can only update the KMS status from disabled to enabled. |
| V7.5 "encryption" "1" string | Specifies the encryption status. This value must be 1. |
| V7.5 "kmsenabled" "1" string | Specifies the KMS status. This value must be 1. |
| V7.5 "kmsservertype" "0" string | Specifies the KMS server type. This value must be 0. |
| V7.5 "kmsservername" "" string | KMS server name that is shared among all LSUs. |
| V7.5 "keygroupname" "" string | The key group name must consist of the following valid characters: A-Z, a-z, 0-9, underscore (_), hyphen (-), colon (:), period (.), and space. |
- Run the following command to enable the KMS encryption:
nbdevconfig -setconfig -storage_server <storage server host name> -stype PureDisk -configlist <configuration file name>
Note:
All encrypted LSUs in one storage server must use the same keygroupname and kmsservername. The KMS server must be configured, and the key group and key must exist in the KMS server.
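The following shell functions are an added example, not part of the NetBackup documentation or tooling. They write the configuration file from the first step with the fixed values the table requires, and reject a key group name that contains characters outside the documented set before anything is written. The function names, the sample host and group names in the usage comment, and the check that the KMS server name is non-empty and free of double quotes and newlines are assumptions made here to keep each line well-formed.

```shell
#!/bin/sh
# Added example: pre-flight validation and generation of the
# set-local-lsu-kms-property configuration file.

# Succeeds only if the name is non-empty and uses the documented characters:
# A-Z a-z 0-9 underscore hyphen colon period space.
# The set is listed explicitly so the result does not depend on the locale.
valid_keygroup() {
    [ -n "$1" ] || return 1
    case $1 in
        *[!ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_:.\ -]*) return 1 ;;
    esac
}

# usage: write_lsu_kms_config <kms server name> <key group name> <output file>
write_lsu_kms_config() {
    cfg_server=$1 cfg_group=$2 cfg_out=$3
    cfg_nl='
'
    # Assumption: an empty name, a double quote or a newline would break
    # the quoted one-setting-per-line format, so refuse them.
    case $cfg_server in
        ''|*\"*|*"$cfg_nl"*) echo "invalid kmsservername" >&2; return 1 ;;
    esac
    valid_keygroup "$cfg_group" || { echo "invalid keygroupname" >&2; return 1; }
    # encryption, kmsenabled and kmsservertype are fixed at 1, 1 and 0.
    cat > "$cfg_out" <<EOF
V7.5 "operation" "set-local-lsu-kms-property" string
V7.5 "encryption" "1" string
V7.5 "kmsenabled" "1" string
V7.5 "kmsservertype" "0" string
V7.5 "kmsservername" "$cfg_server" string
V7.5 "keygroupname" "$cfg_group" string
EOF
}

# Usage with constructed sample values, followed by the command from step 2:
#   write_lsu_kms_config kms.example.test "msdp_group-1" sample_config.txt
#   nbdevconfig -setconfig -storage_server <storage server host name> \
#       -stype PureDisk -configlist sample_config.txt
```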