GPFS™ uses encryption policies
to manage aspects of how file encryption is to be implemented, including
the following:
- which files are to be encrypted
- which algorithm is to be used for the encryption
- which MEK (or MEKs) are to be used to wrap the FEK of a file
Encryption policies are configured using the
mmchpolicy command
and are applied at file creation time. When a file is created, encryption
rules are traversed in order until one of the following occurs:
- The last rule is reached.
- The maximum number of SET ENCRYPTION rules
that can be matched (eight) is reached.
- An ENCRYPTION EXCLUDE rule is matched.
If the file matches at least one SET ENCRYPTION rule,
an FEK is generated and used to encrypt its contents. The FEK is wrapped
once for each policy it matches, resulting in one or more versions
of the encrypted FEK being stored in the gpfs.Encryption extended
attribute of the file.
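The rule traversal just described, as an added illustration (not GPFS code and not a statement of any undocumented product behaviour): rules are walked in order and traversal stops at the last rule, at the eighth matched SET ENCRYPTION rule, or at a matched ENCRYPTION EXCLUDE rule; if at least one SET ENCRYPTION rule matched, one FEK is generated and recorded once per matched rule under gpfs.Encryption. Assumptions in the example: rule predicates are plain Python callables over a small file descriptor, the MEK identifiers and algorithm label are constructed strings, the key-wrapping step is a placeholder that only records which MEK would be used, and a matched EXCLUDE rule is taken to leave the file unencrypted even when SET ENCRYPTION rules matched earlier (the text leaves that combination open).

```python
"""Model of GPFS encryption-rule traversal at file-creation time.

Added example; not the file system's own code. Reproduces the ordering
rules stated in the text and the result: one FEK per file, wrapped once
per matched SET ENCRYPTION rule, stored under gpfs.Encryption.
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_SET_ENCRYPTION_MATCHES = 8   # limit stated in the text


@dataclass
class FileInfo:
    name: str       # file name being created
    fileset: str    # fileset the file lands in


@dataclass
class Rule:
    name: str
    kind: str                      # "SET ENCRYPTION" or "ENCRYPTION EXCLUDE"
    matches: Callable[[FileInfo], bool]
    mek_id: Optional[str] = None   # MEK used to wrap the FEK (SET ENCRYPTION only)
    algorithm: str = "<algorithm chosen by the policy>"  # constructed label


def wrap_fek(fek: bytes, rule: Rule) -> dict:
    """Placeholder for wrapping the FEK with the MEK named by the rule.
    Real wrapping is done by the file system with the key obtained from the
    key server; here we only record which MEK and algorithm would be used."""
    return {"mek_id": rule.mek_id, "algorithm": rule.algorithm,
            "wrapped_fek": f"<FEK wrapped by {rule.mek_id}>"}


def evaluate_rules(rules: List[Rule], f: FileInfo) -> dict:
    """Walk the rules in order for a newly created file and return what
    would be stored: whether it is encrypted, which rules matched, and the
    gpfs.Encryption attribute with one wrapped-FEK record per match."""
    matched: List[Rule] = []
    excluded = False
    for rule in rules:
        if rule.kind == "ENCRYPTION EXCLUDE":
            if rule.matches(f):
                excluded = True
                break          # stop: EXCLUDE rule matched
        elif rule.kind == "SET ENCRYPTION":
            if rule.matches(f):
                matched.append(rule)
                if len(matched) == MAX_SET_ENCRYPTION_MATCHES:
                    break      # stop: eighth SET ENCRYPTION match reached
        else:
            raise ValueError(f"unknown rule kind: {rule.kind}")
    # falling out of the loop is the remaining stop: last rule reached

    xattrs: Dict[str, object] = {}
    fek = None
    if matched and not excluded:      # assumption: EXCLUDE overrides earlier matches
        fek = os.urandom(32)          # fresh FEK for this file only
        xattrs["gpfs.Encryption"] = [wrap_fek(fek, r) for r in matched]
    return {"encrypted": fek is not None,
            "matched": [r.name for r in matched],
            "excluded": excluded,
            "xattrs": xattrs}


# Constructed sample policy; MEK ids are placeholders, not real key names.
SAMPLE_RULES = [
    Rule("fileset-secure", "SET ENCRYPTION",
         lambda f: f.fileset == "secure", mek_id="KEY-SECURE:rkm1"),
    Rule("docs", "SET ENCRYPTION",
         lambda f: f.name.endswith(".docx"), mek_id="KEY-DOCS:rkm1"),
    Rule("tmp-files", "ENCRYPTION EXCLUDE",
         lambda f: f.name.endswith(".tmp")),
    Rule("catch-all", "SET ENCRYPTION", lambda f: True, mek_id="KEY-DEFAULT:rkm1"),
]

if __name__ == "__main__":
    for info in (FileInfo("report.docx", "secure"),
                 FileInfo("scratch.tmp", "secure"),
                 FileInfo("notes.txt", "home")):
        print(info, evaluate_rules(SAMPLE_RULES, info))
```

A file in the `secure` fileset named `report.docx` matches three SET ENCRYPTION rules and so ends up with three wrapped copies of the same FEK, which is what lets any one of those MEKs unlock it later; `scratch.tmp` hits the EXCLUDE rule and is left in clear; a long list of matching SET ENCRYPTION rules is cut off at eight.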
Notes:
- When an encryption policy is changed, the changes apply only to
the encryption of subsequently created files.
- Encryption policies are defined on a per-file-system basis
by a system administrator. Once the encryption policies are put in
place, they may result in files in different filesets or with different
names being encrypted differently.