
Example: Set Up the Keystore and Enable Encryption

The following output is a complete ybcli session in which the keystore is created, the authentication and unlock keys are generated, the keys and a backup of the keystore are copied to a secure location, and encryption is enabled on the manager nodes and blades.

1. Set Up the Keystore

Run the keystore setup command:

YBCLI (PRIMARY)> keystore setup

Setting up the keystore. Standby...
The system will generate two types of keys:
  -> A single authentication key
  -> One or more keys to unlock the keystore
At least one of each type of key is required. 

Note: You can request up to 5 keystore unlock keys. In this way, multiple administrators can unlock the keystore
using a combination of keys. No single key has to be distributed to a single administrator.

How many unlock keys should be generated for the keystore? (1 to 5): 1
1 key will be required to unlock the keystore

Successfully initialized the keystore. Please store the keys listed below in a secure location.

The following key is used to authenticate to the keystore (required by any encryption command):
Authentication key: 5f2cb5e7-0e08-897e-1119-4ec98c8814a0

The following 1 key is used to unlock the keystore after system bootup or failover:
Note: 1 of 1 key(s) are required for unlocking the keystore.
Keystore unlock key 1: 5278a49d2180e1b2fa841eebc01a1ba9ad551e33ebef1f218fcef3db9f28ede6

Keys have been generated. Please store them in a safe place.

Do you want to create a backup of the keystore?

Type yes to continue: yes

Stopping the keystore service before backup. Standby...  Done
Backing up keystore. Standby... Done
Starting the keystore service after backup. Standby...  Done

The keystore has been backed up successfully to:
	/tmp/ybd-ks-11-03-2019-11-27-59.tar.gz
Please copy the backup to another machine. The backup is located on this system at:
	yb00-mgr0.yellowbrick.io:/tmp/ybd-ks-11-03-2019-11-27-59.tar.gz
	MD5: 272e2231990294380d9366a91b21e6e1


Do you want to unlock the keystore (not required)?

Type yes to continue: no
Keystore will not be unlocked

Note: You can use the log keystore command to see audit log entries for keystore operations.

2. Store the Keys in a Safe Place

Copy and paste the keys from the screen output into a text file and store it in a safe location off the manager nodes, with access restricted to the administrators who will unlock the keystore. The authentication key is required by every encryption command, and the unlock key(s) are required after every power cycle or failover; without them the keystore and the drives cannot be unlocked. The keys generated in this session were:

The following key is used to authenticate to the keystore (required by any encryption command):
Authentication key: 5f2cb5e7-0e08-897e-1119-4ec98c8814a0

The following 1 key is used to unlock the keystore after system bootup or failover:
Note: 1 of 1 key(s) are required for unlocking the keystore.
Keystore unlock key 1: 5278a49d2180e1b2fa841eebc01a1ba9ad551e33ebef1f218fcef3db9f28ede6

3. Copy the Keystore Backup File to a Secure Location

Copy the backup to another machine and compare the MD5 of the copy with the MD5 that ybcli printed (272e2231990294380d9366a91b21e6e1 for the first backup in this session). For example:

[ybdadmin@yb007-mgr0 ~]$ scp /tmp/ybd-ks-11-03-2019-11-27-59.tar.gz keysadmin@keysadmin.yellowbrick.io:/home/keysadmin/backups

keysadmin@keysadmin.yellowbrick.io's password: 
ybd-ks-11-03-2019-11-27-59.tar.gz                                     100%   22KB  22.0KB/s   00:00
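The copy above is a plain scp. The following shell functions, added here as an example and not part of the Yellowbrick documentation or ybcli, carry the step through to the check a practitioner would want: the backup is hashed locally before transfer, hashed again on the destination host after transfer, and both results are compared with the MD5 that ybcli reported. The destination host, account and directory are placeholders taken from the session above; md5sum (or openssl as a fallback), scp and ssh are assumed to be available.

```shell
# Added example (not Yellowbrick code): copy a keystore backup off the manager
# node and confirm both the source and the copy match the MD5 ybcli printed.
# Hostnames, paths and the keysadmin account are placeholders.

# Print the MD5 of a file as lowercase hex, using whichever tool is available.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Return 0 when FILE hashes to EXPECTED (hex, any case), 1 otherwise.
verify_md5() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$(file_md5 "$1")" = "$expected" ]
}

# Copy BACKUP to DEST (user@host:dir), hash it on the remote side and
# compare with EXPECTED. Fails if either side disagrees with ybcli's MD5.
copy_and_verify_backup() {
    backup=$1; expected=$2; dest=$3
    name=$(basename "$backup")
    host=${dest%%:*}; dir=${dest#*:}

    verify_md5 "$backup" "$expected" || {
        echo "local $backup does not match the MD5 ybcli reported" >&2; return 1; }
    scp "$backup" "$dest/" || return 1
    remote_md5=$(ssh "$host" "md5sum '$dir/$name' | awk '{print \$1}'") || return 1
    [ "$remote_md5" = "$expected" ] || {
        echo "remote copy of $name is corrupted; MD5 $remote_md5" >&2; return 1; }
    # Keystore backups are sensitive: keep the copy readable by the owner only.
    ssh "$host" "chmod 0600 '$dir/$name'"
}

# Usage on the manager node, with the values ybcli printed in the session above:
# copy_and_verify_backup /tmp/ybd-ks-11-03-2019-11-27-59.tar.gz \
#     272e2231990294380d9366a91b21e6e1 \
#     keysadmin@keysadmin.yellowbrick.io:/home/keysadmin/backups
```

The MD5 that ybcli prints protects against a truncated or corrupted transfer, not against tampering: anyone who can modify the backup can recompute the digest, so the copy should live in a location with access restricted to the key administrators, which is why the example also tightens the file mode on the destination.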

4. Enable Encryption

Run the encryption enable command:

YBCLI (PRIMARY)> encryption enable

Are you sure you want to enable encryption system wide?
WARNING: Enabling encryption means this system will have to be unlocked after every power-cycle.
Also make sure to have the keys for the keystore available in a secure place. These are needed to unlock both the system and the drives.

Type yes to continue: yes

Do you want this command to show the actual drive keys generated?
WARNING: The keys will be shown in clear text. Saying anything but yes below will not display the keys.

Type yes to show drive keys: no
Not displaying keys in clear text
WARNING: The keystore is locked. Initiating unlocking
Please enter an unlock key to begin unlocking the keystore: 
Key -> 

Verifying keystore status. Standby... 
Keystore locked: NO

Keystore was successfully unlocked

Authenticating to the keystore for this YBCLI session. Standby... 
Please enter keystore authentication key: 
Key -> 

Key accepted. This session is authenticated for the next 10 minutes or until YBCLI exits.

Determining system status
Retrieving blade details. Standby...

No blades are currently using encryption. Enabling encryption initially will take the database stack down.

Type yes to continue: yes

Stopping YBD services before enabling encryption. Standby...  Done

Enabling encryption on manager node(s). Standby... 

Manager: yb00-mgr0.yellowbrick.io (local node)
	Drive-sda - Serial: 17381914CAF2 -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-sdb - Serial: 17381914CB3A -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled

Manager: yb00-mgr1.yellowbrick.io (remote node)
	Drive-sda - Serial: S3D2NX0J507797Y -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-sdb - Serial: S3D2NX0J507787F -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled

Enabling encryption on blades. Standby... 
Stopping YBD services before enabling encryption on blades. Standby...  Done
Retrieving blade details. Standby...

Blade in bay: 1 - UUID: 00000000-0000-0000-0000-38B8EBD00483
	Drive-0 - Serial: S3EWNWAJ318665L -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-1 - Serial: S3EWNWAJ318656W -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-2 - Serial: S3EWNWAJ318660F -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-3 - Serial: S3EWNWAJ318658M -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-4 - Serial: S3EWNWAJ318653X -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-5 - Serial: S3EWNWAJ318652L -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-6 - Serial: S3EWNWAJ318657P -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled
	Drive-7 - Serial: S3EWNWAJ318651N -> Generating key. Standby...  KEY: REDACTED
		Enabling encryption. Standby... Encryption enabled

...

One or more drives had encryption enabled. Initiating keystore backup.

Stopping the keystore service before backup. Standby...  Done
Backing up keystore. Standby... Done
Starting the keystore service after backup. Standby...  Done

The keystore has been backed up successfully to:
	/tmp/ybd-ks-11-03-2019-12-03-01.tar.gz
Please copy the backup to another machine. The backup is located on this system at:
	yb00-mgr0.yellowbrick.io:/tmp/ybd-ks-11-03-2019-12-03-01.tar.gz
	MD5: 613d33018355d4c7f19e7d3921b075c7


Do you want to unlock the keystore (not required)?

Type yes to continue: no
Keystore will not be unlocked

YBCLI (PRIMARY)>

5. Copy the Keystore Backup Again

Repeat step 3 with the new backup file that encryption enable created (/tmp/ybd-ks-11-03-2019-12-03-01.tar.gz, MD5 613d33018355d4c7f19e7d3921b075c7 in this session). This backup now also contains the encryption keys generated for the drives, so the earlier backup is no longer sufficient.

6. Unlock the Keystore

The keystore backup at the end of encryption enable stops and restarts the keystore service, and the unlock prompt was declined, so the keystore is locked again at this point. Run keystore unlock to unlock it. Alternatively, you can unlock the keystore when prompted by encryption enable or encryption status. The session below shows a keystore that was set up with two unlock keys, so a second key is requested after the first; with the single-key setup from step 1, the keystore is unlocked as soon as the first key is accepted.

YBCLI (PRIMARY)> keystore unlock

Please enter an unlock key to begin unlocking the keystore: 
Key -> 

Key was submitted to the keystore but it is not yet fully unlocked.

Do you want to enter another key?
Note: The keystore maintains its state; if needed, you can enter the remaining key(s) later.
If the system restarts or fails over, you will have to enter all of the keys again.

Type yes to continue: yes

Please enter another keystore key to continue unlocking the keystore (Progress: 1/2):
Key -> 

Verifying keystore status. Standby... 
Keystore locked: NO

Keystore was successfully unlocked

7. Check Encryption Status

Run the encryption status command. Every drive should report KEY PRESENT, Encryption enabled should equal Supports encryption, and Drives locked should be 0 for each node and blade; a non-zero locked count means those drives have not yet been unlocked.

YBCLI (PRIMARY)> encryption status

Do you want this command to show the actual drive keys?
WARNING: The keys will be shown in clear text. Saying anything but yes below will not display the keys

Type yes to show drive keys: no
Not displaying keys in clear text

Authenticating to the keystore for this YBCLI session. Standby... 
Please enter keystore authentication key: 
Key -> 

Key accepted. This session is authenticated for the next 10 minutes or until YBCLI exits.

Retrieving manager node encryption status. Standby...

Local Manager drive encryption status:
	Supports encryption: 2/2
	Encryption enabled : 2/2
	Drives locked      : 0/2
		DRIVE-sda - Serial: 17381914CAF2 -> KEY PRESENT
		DRIVE-sdb - Serial: 17381914CB3A -> KEY PRESENT

Remote Manager drive encryption status:
	Supports encryption: 2/2
	Encryption enabled : 2/2
	Drives locked      : 0/2
		DRIVE-sda - Serial: S3D2NX0J507797Y -> KEY PRESENT
		DRIVE-sdb - Serial: S3D2NX0J507787F -> KEY PRESENT


Retrieving blade encryption status. Standby... 
Retrieving blade details. Standby...

Blade in bay: 1 - UUID: 00000000-0000-0000-0000-38B8EBD00483
	Supports encryption: 8/8
	Encryption enabled : 8/8
	Drives locked      : 0/8
		DRIVE-0 - Serial: S3EWNWAJ318665L -> KEY PRESENT
		DRIVE-1 - Serial: S3EWNWAJ318656W -> KEY PRESENT
		DRIVE-2 - Serial: S3EWNWAJ318660F -> KEY PRESENT
		DRIVE-3 - Serial: S3EWNWAJ318658M -> KEY PRESENT
		DRIVE-4 - Serial: S3EWNWAJ318653X -> KEY PRESENT
		DRIVE-5 - Serial: S3EWNWAJ318652L -> KEY PRESENT
		DRIVE-6 - Serial: S3EWNWAJ318657P -> KEY PRESENT
		DRIVE-7 - Serial: S3EWNWAJ318651N -> KEY PRESENT

Blade in bay: 2 - UUID: 00000000-0000-0000-0000-38B8EBD00CBC
	Supports encryption: 8/8
	Encryption enabled : 8/8
	Drives locked      : 0/8
		DRIVE-0 - Serial: S3EWNWAJ316127E -> KEY PRESENT
		DRIVE-1 - Serial: S3EWNWAJ330178F -> KEY PRESENT
		DRIVE-2 - Serial: S3EWNWAJ330176R -> KEY PRESENT
		DRIVE-3 - Serial: S3EWNWAJ330173Y -> KEY PRESENT
		DRIVE-4 - Serial: S3EWNWAJ338486F -> KEY PRESENT
		DRIVE-5 - Serial: S3EWNWAJ338488E -> KEY PRESENT
		DRIVE-6 - Serial: S3EWNWAJ316128T -> KEY PRESENT
		DRIVE-7 - Serial: S3EWNWAJ338479X -> KEY PRESENT
...

Parent topic: Setting Up Encryption