Setting Up Encryption

This section summarizes the steps for setting up encryption for the first time on a new appliance. When these steps are complete, the data at rest on the manager node drives and the compute blade drives will be encrypted, but the drives will be unlocked and accessible for routine I/O operations during loading and query processing.

See also Example: Set Up the Keystore and Enable Encryption, which contains the complete output for this procedure in a single ybcli session.

The main steps are creating a keystore, unlocking it, and enabling encryption on the drives.

  1. Start a ybcli session on the primary manager node.
  2. Create a new keystore by running the following command and responding to the prompts.
    YBCLI (PRIMARY)> keystore setup
    
    Setting up the keystore
    ...
    
    This command creates a new keystore and generates a set of keys:
    • A single 36-byte authentication key, which is a required "password" that you have to enter before you can run any encryption commands.
    • One or more 64-byte keys to unlock the keystore
    At least one of each type of key is required.
    Note: You can request up to 5 unlock keys. In this way, multiple administrators can unlock the keystore using a combination of keys. No single key has to be distributed to a single administrator.

    The keystore setup command also asks if you want to back up the keystore. Backing up the keystore is recommended. If you choose not to do a backup now, you can run the keystore backup command manually later.

  3. Store all of the generated keys in a safe and secure location that is physically separate from the appliance. When prompted, you must enter all keys exactly as they were printed to the screen when you ran the keystore setup command.
  4. Unlock the new keystore by entering one or more of the unlock keys that were generated:
    YBCLI (PRIMARY)> keystore unlock
    ...
    
    Here is an example of an unlock key:
    9d046e746d09e264d61533a4a0c3a8ca2709561c86e42fd74376afed98b101b8
  5. Enable encryption on all of the drives by running the following command and entering the authentication key:
    YBCLI (PRIMARY)> encryption enable
    ...
    Here is an example of an authentication key:
    8b6e8b44-9ad5-5e75-36ce-7ed961a46453

    After you enter the authentication key, the ybcli session remains authenticated for 10 minutes. After 10 minutes, or if you exit from the ybcli session and start a new one, you will be prompted to enter the key again.

    You will also be prompted to either print or redact the generated key values on the screen. You may wish to redact them for security reasons. The ybcli keeps a history of commands that have been run; however, this history does not include the key values.

    Enabling encryption on all of the drives takes a few minutes.

  6. Check the encryption status of the drives.
    YBCLI (PRIMARY)> encryption status

    The status information reports whether encryption was enabled successfully on the drives on each blade.