The ENCRYPT command enables you to
-
Re-key an encrypted disk volume that is in use.
-
Encrypt a disk volume that is in use but is not encrypted.
-
Encrypt the not in-use sectors on a disk volume that was reconfigured with the KEY option specified.
Syntax
ENCRYPT is valid for any disk unit in VSS2 or VSS3 format, including both physical and emulated disk units. The disk volume specified must have one of the following characteristics as displayed by the OL command:
-
LOGICAL SECTOR SIZE: 180 BYTES IN VSS2 FORMAT
-
LOGICAL SECTOR SIZE: 180 BYTES IN VSS3 FORMAT
Data is encrypted or decrypted in the IOP. Encryption keys are stored in the IOPs and must also be backed up before use.
When an encryption disk volume is mirrored, all disk volumes in the mirrored set are encrypted and use the same key.
Explanation
KEY = <key name>
The specified <key name> must specify a key already in the key store in the IOPs. Key names in the key store have the form <name>_yyyy_mm_dd_hhmmss, which reflect the date and time the user requested creation of a key of name <name>. The <key name> specified in the KEY parameter can only be the <name> portion of this form, or the entire <name>_yyyy_mm_dd_hhmmss form. If multiple key names in the key store match the short form, the long form must be used.
OLDNAME = <family name>
You can specify the family name of the disk that is to be encrypted. Otherwise, if KEY is specified, you must respond to an ACCEPT OLDNAME = <family name> request.
Examples
Example 1
The following ENCRYPT command encrypts the data on the pack identified by the unit number 46 (and having family name XYZ) using the key named ABC:
ENCRYPT PK 46 KEY=ABC OLDNAME= XYZ
Example 2
The following ENCRYPT command restarts an incomplete encryption operation on the pack identified by the unit number 48:
ENCRYPT PK 48
Considerations for Use
The ENCRYPT command can be used to migrate an encrypted disk volume to a new key while the disk volume is online and in use. During the migration process, some data on the disk volume is encrypted with the old key, and some is encrypted with the new key. Once migration completes, all data on the disk volume is encrypted with the new key. For a particular disk volume, any in-process key migration must complete before a new key migration can be initiated.
For a disk volume which is a mirrored set, encryption is rejected if any member is offline. Otherwise, the entire contents of the offline member would be need to be marked as out of date and requiring re-synchronization when the member eventually came on line.
For a disk volume which is a mirrored set, encryption is terminated (and left incomplete) if any member goes offline during encryption. If the offline member comes back on line (or is released from the mirrored set) within 120 seconds, encryption is automatically restarted. A maximum of two automatic restarts can be attempted.
The following situations leave the encryption process incomplete:
-
Operator DS of the active enrty ENCRYPT PK nnn.
-
Halt/lLoad before encryption completes.
-
Irrecoverable I/O error during encryption.
-
A member of a mirrored set going offline during encryption.
When a disk volume is incompletely encrypted, some (but not all) data on the pack is encrypted with the new key. The remaining data remains as it was before ENCRYPT was entered (either encrypted with an old key or not encrypted.)
To restart encryption of a disk volume which is incompletely encrypted, enter the ENCRYPT command without specifying KEY.
When a disk volume is encrypted, it is in one of three encryption states, identified in the OL PK display by the following:
-
ENCRYPTION: PARTIAL
When a disk volume with existing data which is not encrypted is encrypted by use of the ENCRYPT command, it is placed in the PARTIAL encryption state, and remains there until encryption successfully completes.
In this state, some in-use user data is encrypted and some is not.
-
ENCRYPTION: INUSE SECTORS
When a disk volume is RCed with the KEY option, it is placed in the INUSE SECTORS encryption state.
In this state, all in-use user data is encrypted. Physical disk sectors not in use can contain unencrypted data left over from some previous use of the disk volume.
-
ENCRYPTION: FULL
Once a disk volume is successfully encrypted by the ENCRYPT command, it is placed in the FULL encryption state. In this state, all physical disk sectors within the current CAPACITY of the disk volume are encrypted. Note that when the CAPACITY option of the LB command is used to increase the CAPACITY of a disk volume which is in the FULL encryption state, the encryption state is changed to INUSE SECTORS. This reflects the fact that some or all of the physical disk sectors added to CAPACITY might not be encrypted.
When a disk volume is encrypted, and key migration is not underway, all encrypted data is encrypted with a single key.
When a disk volume is encrypted, and key migration is underway, all encrypted data is encrypted with one of two keys. The new key is considered as the primary key. All write operations use this key. The old key is considered as the secondary key. Read operations can encounter data encrypted with either of the keys.
In the OL PK display, the keys are shown following ENCRYPTION: <encryption state>.
-
The primary (or only) key is preceded by KEY:
-
If present, the secondary key is preceded by OLD:
