Enabling Disk Encryption

To enable disk encryption on a pack, perform the following steps:

  1. Ensure you have installed the MCP runtime key (xxx-DKE-DKE) that enables MCP disk encryption. If this key is not present, you cannot create disk keys or enable encryption. You may need to order the disk encryption feature.

  2. Install the MCP Cryptographic Services software on the E-mode Environment on the PMM through a MIM update, and on the I/O Environment on the ISM through a MIM update.

    For more information, refer to On-Premise Installation of Cryptography.

  3. Create a disk encryption key through the MCP Cryptographic Services Manager module of Security Center or through the ODT command DISKKEY CREATE.

    For more information about the MCP Cryptographic Services Manager, refer to the Security Center Help. For additional information about the ODT command DISKKEY CREATE, refer to the System Commands Reference.

  4. Back up the disk encryption keys through the ODT command DISKKEY BACKUP. This backs up all keys onto a CD or into a file; the CD is the preferred mechanism. The backup also marks all keys as usable, so a key cannot be assigned to a pack until it has been backed up.

  5. Assign the disk encryption key to one or more packs through the ODT commands ENCRYPT or RC, or use the MCP Cryptographic Services Manager module of Security Center to assign disk keys to packs.

  6. Any data subsequently written to the disk is encrypted immediately. Data that was already on the disk is encrypted in the background. While that background encryption is in progress, the state of the disk (visible through the OL PK command) is shown as PARTIAL; when it completes, the state is shown as FULL.

Data read from an encrypted disk is decrypted automatically. If an encrypted disk is shared between systems, the disk encryption keys must be restored onto every other system through the ODT command DISKKEY RESTORE; the CD holding the keys must be physically transported to those systems.

Note: The principal purpose of MCP Disk Encryption is to keep your data secure if a pack is lost, stolen, or discarded without being erased. Once a pack has been encrypted, it cannot be changed back to unencrypted without reformatting the pack. If you want the data on an encrypted pack to be stored without encryption, use Library Maintenance to copy the data to a pack family whose members are not encrypted. Encrypted packs can be reformatted as unencrypted packs by using the RC command with no KEY specification. As with any use of the RC command, any data previously stored on the pack is no longer accessible.
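The following is an added illustrative model of the lifecycle described above, covering the six-step procedure, the shared-system restore, and the reformat caveat. It is not MCP or Unisys code and does not issue ODT commands: the classes (System, Pack, DiskKey), the method names, the per-sector SHA-256 keystream used as a stand-in cipher, and the sample sector contents are all assumptions made for the demonstration. What it encodes are the rules the page states: a key cannot be assigned before DISKKEY BACKUP has marked it usable, new writes are encrypted at once, existing data moves from PARTIAL to FULL as background encryption runs, a second system can read the pack only after the key is restored, and RC without a KEY discards the data.

```python
# Added example: a toy model of the MCP disk-encryption lifecycle. Not MCP code;
# class and method names are assumptions, and the cipher is a placeholder.
import hashlib
import os

SECTOR = 16


def pad(data):
    return data.ljust(SECTOR, b"\x00")[:SECTOR]


class DiskKey:
    def __init__(self, name):
        self.name = name
        self.material = os.urandom(32)  # assumption: 256-bit random key material
        self.usable = False             # cleared until DISKKEY BACKUP has run


def keystream(key, sector):
    # Toy per-sector keystream, NOT a real disk cipher: SHA-256(key || sector number).
    return hashlib.sha256(key.material + sector.to_bytes(4, "big")).digest()[:SECTOR]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


class System:
    """One MCP host with its own store of disk keys."""
    def __init__(self, name):
        self.name, self.keys = name, {}

    def diskkey_create(self, name):           # step 3
        self.keys[name] = DiskKey(name)
        return self.keys[name]

    def diskkey_backup(self):                 # step 4: backup marks keys usable
        for key in self.keys.values():
            key.usable = True
        return list(self.keys.values())       # stands in for the CD

    def diskkey_restore(self, media):         # DISKKEY RESTORE on the other host
        for key in media:
            self.keys[key.name] = key

    def require(self, key):
        if key.name not in self.keys:
            raise RuntimeError(f"{self.name}: key {key.name} not present; DISKKEY RESTORE needed")


class Pack:
    def __init__(self, name, sectors):
        self.name = name
        self.blocks = [b"\x00" * SECTOR for _ in range(sectors)]  # bytes on the media
        self.key = None
        self.pending = set()   # sectors still holding plaintext

    def state(self):   # what OL PK would report
        if self.key is None:
            return "NONE"
        return "PARTIAL" if self.pending else "FULL"

    def assign_key(self, key):   # step 5: ENCRYPT, or RC with KEY
        if not key.usable:
            raise RuntimeError("key not backed up; run DISKKEY BACKUP first")
        self.key = key
        self.pending = set(range(len(self.blocks)))

    def write(self, system, sector, data):
        data = pad(data)
        if self.key is None:
            self.blocks[sector] = data
            return
        system.require(self.key)
        self.blocks[sector] = xor(data, keystream(self.key, sector))  # encrypted at once
        self.pending.discard(sector)

    def background_encrypt(self, count):      # step 6: existing data, in the background
        for sector in sorted(self.pending)[:count]:
            self.blocks[sector] = xor(self.blocks[sector], keystream(self.key, sector))
            self.pending.discard(sector)

    def read(self, system, sector):
        if self.key is None:
            return self.blocks[sector]
        system.require(self.key)
        if sector in self.pending:            # not yet reached by background encryption
            return self.blocks[sector]
        return xor(self.blocks[sector], keystream(self.key, sector))

    def reformat(self, key=None):   # RC, with or without KEY: old contents are gone
        self.blocks = [b"\x00" * SECTOR for _ in self.blocks]
        self.key, self.pending = None, set()
        if key is not None:
            self.assign_key(key)


def demo():
    """Walk the procedure on two hosts and return what each step observed."""
    a, b = System("SYSA"), System("SYSB")
    pk = Pack("DISK", sectors=4)
    pk.write(a, 1, b"old data")                  # constructed plaintext present before step 5
    key = a.diskkey_create("KEY1")
    try:
        pk.assign_key(key)
        early = "assigned"
    except RuntimeError:
        early = "rejected"                       # step 4 has not run yet
    cd = a.diskkey_backup()
    pk.assign_key(key)
    states = [pk.state()]
    pk.write(a, 0, b"new data")
    raw_new, raw_old = pk.blocks[0], pk.blocks[1]
    pk.background_encrypt(10)
    states.append(pk.state())
    try:
        pk.read(b, 1)
        other = "readable"
    except RuntimeError:
        other = "restore needed"
    b.diskkey_restore(cd)                        # the transported CD
    shared = pk.read(b, 1)
    pk.reformat()                                # RC with no KEY specification
    return {"early": early, "states": states, "raw_new": raw_new, "raw_old": raw_old,
            "other": other, "shared": shared, "after_rc": (pk.state(), pk.read(a, 1))}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the rejected early assignment, the PARTIAL then FULL states, the fresh write already ciphertext on the media while the old sector is still plaintext until the background pass reaches it, the second host failing until the keys are restored, and zeroed sectors after the reformat.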