VxVM supports the use of a Key Management Server (KMS) that conforms to the OASIS Key Management Interoperability Protocol (KMIP) specification.
During creation of an encrypted volume:
1. VxVM sends a key generation request to the configured KMS using the KMIP protocol.
2. The KMS responds with a unique identifier for the newly generated key. VxVM sends that identifier back to the KMS to obtain the key.
3. The KMS responds with the key. VxVM generates a random volume encryption key locally and encrypts it using the key provided by the KMS, which therefore acts as a key-encryption key. Only the identifier is exchanged with the KMS; the volume encryption key itself is not.
4. VxVM stores the encrypted volume encryption key and the KMS identifier in the volume record. The volume encryption key is never stored in plaintext.
During startup of an encrypted volume:
1. VxVM retrieves the encrypted volume encryption key and the KMS identifier from the volume record.
2. VxVM sends the identifier to the KMS to obtain the key-encryption key.
3. The KMS responds with the key. VxVM decrypts the encrypted volume encryption key stored in the volume record with the key provided by the KMS. If the KMS cannot be reached or no longer holds a key for that identifier, the volume encryption key cannot be recovered and the volume cannot be started.
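The two procedures above, as an added example that is not VxVM code: a Go program with an in-process stand-in for the KMIP server that models the only two operations the page describes (create a key and return its identifier; return the key for an identifier). The identifier format, the 256-bit key sizes and AES-256-GCM as the wrapping algorithm are this example's assumptions; the page does not state which algorithms VxVM uses, and a real server is reached over KMIP on TLS rather than a function call. The KMS identifier is bound to the wrapped key as associated data so that a volume record whose identifier was swapped for another key's fails at startup instead of silently unwrapping to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG; failure is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

// mockKMS is an in-process stand-in for a KMIP server (assumption: a real
// server is reached over KMIP/TLS; only create and get-by-id are modelled).
type mockKMS struct {
	keys map[string][]byte
	next int
}

func newMockKMS() *mockKMS { return &mockKMS{keys: map[string][]byte{}} }

// Create models the key generation request: the server generates a
// 256-bit key, keeps it, and returns only its unique identifier.
func (k *mockKMS) Create() string {
	k.next++
	id := fmt.Sprintf("uid-%04d", k.next) // identifier format is an assumption
	k.keys[id] = randomBytes(32)
	return id
}

// Get models retrieval of the key material for an identifier.
func (k *mockKMS) Get(id string) ([]byte, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("kms: unknown identifier %q", id)
	}
	return key, nil
}

// VolumeRecord is what the page says is persisted with the volume: the KMS
// identifier and the encrypted (wrapped) volume key, never the plaintext key.
type VolumeRecord struct {
	KMSID      string
	WrappedKey []byte // nonce || AES-256-GCM ciphertext and tag of the volume key
}

// kmsAEAD sends the identifier to the KMS, receives the key, and builds the
// AEAD that wraps or unwraps the volume key under it. AES-256-GCM is this
// example's choice; the page does not name VxVM's wrapping algorithm.
func kmsAEAD(kms *mockKMS, id string) (cipher.AEAD, error) {
	kek, err := kms.Get(id)
	if err != nil {
		return nil, fmt.Errorf("cannot obtain key from KMS: %w", err)
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateVolume performs the creation steps: Create -> identifier, Get -> KMS
// key, generate a random volume key, wrap it, record wrapped key + identifier.
// The plaintext volume key is returned only for use while the volume runs.
func CreateVolume(kms *mockKMS) (VolumeRecord, []byte, error) {
	id := kms.Create()
	aead, err := kmsAEAD(kms, id)
	if err != nil {
		return VolumeRecord{}, nil, err
	}
	volKey := randomBytes(32)
	nonce := randomBytes(aead.NonceSize())
	// The identifier is authenticated as associated data, so a record whose
	// identifier was swapped for another key's fails to unwrap at startup.
	wrapped := aead.Seal(nonce, nonce, volKey, []byte(id))
	return VolumeRecord{KMSID: id, WrappedKey: wrapped}, volKey, nil
}

// StartVolume performs the startup steps: read identifier and wrapped key
// from the record, Get -> KMS key, unwrap. If the KMS cannot supply the key
// or the record was altered, the volume cannot be started.
func StartVolume(kms *mockKMS, rec VolumeRecord) ([]byte, error) {
	aead, err := kmsAEAD(kms, rec.KMSID)
	if err != nil {
		return nil, fmt.Errorf("startup: %w", err)
	}
	ns := aead.NonceSize()
	if len(rec.WrappedKey) < ns+aead.Overhead() {
		return nil, fmt.Errorf("startup: wrapped key in volume record is truncated")
	}
	volKey, err := aead.Open(nil, rec.WrappedKey[:ns], rec.WrappedKey[ns:], []byte(rec.KMSID))
	if err != nil {
		return nil, fmt.Errorf("startup: unwrap failed (wrong KMS key or tampered record): %w", err)
	}
	return volKey, nil
}
```

What the example makes explicit: the volume record on its own contains nothing that decrypts data, so an attacker who copies the disks still needs the KMS, and conversely the KMS is on the startup path of every encrypted volume, which is why its availability and key backups matter (see the next paragraph).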
KMS-based encryption is suited to environments that require high availability and automated, unattended configuration, because no passphrase has to be supplied when a volume starts. The trade-off is that the KMS becomes a dependency of every encrypted volume's startup: the key-encryption key must be retrievable from the KMS whenever the volume is started.
With a Key Management Server, you can:
Eliminate the need to remember complex passphrases
Back up or replicate keys for disaster recovery
VxVM reads the settings for connecting to the KMIP-conformant Key Management Server from the file /etc/vx/enc-kms-kmip.conf on the KMIP client, that is, the host running VxVM.