MEKs are stored in remote key management (RKM) servers and are cached by GPFS components. GPFS receives information about the RKM servers in a separate /var/mmfs/etc/RKM.conf configuration file. Encryption rules present in the encryption policy define which MEKs should be used, and the /var/mmfs/etc/RKM.conf file provides a means of accessing those keys. The /var/mmfs/etc/RKM.conf file also specifies how to access RKMs containing MEKs used to encrypt files created under previous encryption policies.
An MEK is identified with a unique Keyname that combines the name of the key and the RKM server on which it resides. See Encryption policy rules for Keyname format.
A wrapped FEK cannot be decoded without access to the MEK (or MEKs) used to wrap it. Therefore, a wrapped FEK is useless to an attacker and does not require any special handling at object deletion time. If necessary, an FEK can be rewrapped using a new set of MEKs to allow for operations like MEK expiration and rotation, compromised key removal, and data expiration.
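The wrap, rewrap and MEK-removal behaviour described above, as an added example that is not GPFS code. The RKM is modelled as an in-memory dictionary, the key labels are constructed and do not follow the product's Keyname format, and the wrap itself is a standard-library stand-in (HMAC-SHA256 pad plus tag), not the algorithm GPFS uses.

```python
import hashlib, hmac, secrets

# Constructed stand-in for an RKM server: key label -> MEK bytes (labels are made up).
RKM = {"mek-old@rkm-a": secrets.token_bytes(32),
       "mek-new@rkm-a": secrets.token_bytes(32)}

def _kek(labels, rkm):
    """Combine every MEK named for this wrap into one wrapping key; all are required."""
    h = hashlib.sha256()
    for label in labels:
        h.update(rkm[label])          # KeyError if the MEK is gone from the RKM
    return h.digest()

def _mac(kek, purpose, *parts):
    return hmac.new(kek, purpose + b"".join(parts), hashlib.sha256).digest()

def wrap_fek(fek, labels, rkm):
    """Stand-in authenticated wrap of a 32-byte FEK (assumption, not the GPFS algorithm)."""
    kek, nonce = _kek(labels, rkm), secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(fek, _mac(kek, b"pad", nonce)))
    return {"labels": list(labels), "nonce": nonce, "body": body,
            "tag": _mac(kek, b"tag", nonce, body)}

def unwrap_fek(wrapped, rkm):
    kek = _kek(wrapped["labels"], rkm)
    expected = _mac(kek, b"tag", wrapped["nonce"], wrapped["body"])
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("wrong MEK or modified wrapped FEK")
    pad = _mac(kek, b"pad", wrapped["nonce"])
    return bytes(a ^ b for a, b in zip(wrapped["body"], pad))

def rewrap_fek(wrapped, new_labels, rkm):
    """Rotation: unwrap with the old MEKs, wrap the same FEK with the new ones."""
    return wrap_fek(unwrap_fek(wrapped, rkm), new_labels, rkm)

def demo():
    rkm = dict(RKM)
    fek = secrets.token_bytes(32)            # FEK: the key the file data is encrypted with
    old = wrap_fek(fek, ["mek-old@rkm-a"], rkm)
    new = rewrap_fek(old, ["mek-new@rkm-a"], rkm)
    del rkm["mek-old@rkm-a"]                 # old MEK expired or removed as compromised
    fek_survives = unwrap_fek(new, rkm) == fek   # FEK unchanged, so file data is untouched
    try:
        unwrap_fek(old, rkm)
        stale_copy_usable = True
    except KeyError:
        stale_copy_usable = False            # a leftover wrapped FEK is useless without its MEK
    return fek_survives, stale_copy_usable
```

Only the small wrapped-FEK record changes during rotation; the file data stays encrypted under the same FEK.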