1. Field of the Invention
The present invention relates to a computer program product, system and method for a redundant key server encryption environment.
2. Description of the Related Art
In certain encryption environments, storage subsystems may request a symmetric key from a key server and then use that symmetric key to unlock a disk drive or use the symmetric key to encrypt and decrypt data to tape. Using a graphical interface or command line, the customer first configures the key server with an asymmetric key pair and an associated key label comprising text. The customer may then enter in a key label comprising text using a graphical interface or command line as input to an encryption group create operation on the storage device. In response to a request from the subsystem for the symmetric key that is part of the encryption group create command, the key server generates the encryption key and provides the storage subsystem the encryption key encrypted with the storage subsystem's public key, which the storage subsystem can decrypt with the corresponding private key of an asymmetric key pair. The key server also provides the storage subsystem with a copy of the encryption key encrypted by the public key the key server previously generated for the key label, which the storage subsystem cannot decrypt. The storage subsystem public key is transient or ephemeral, as determined by a key lifecycle manager. The storage subsystem stores the encryption key encrypted with the key label private key and the key label in the key repository which resides as a persistent file on the storage subsystem initialization disk. The encryption key is stored in the memory and available for use until a cluster reboot, in which case it is erased from memory. To later access the storage after reboot or a power cycle event, the storage subsystem would send the key server the encryption key encrypted with the key label public key for the key server to decrypt. The key server would then send to the storage subsystem the encryption key encrypted with the storage subsystem public key which the storage subsystem decrypts with the storage subsystem private key to obtain the encryption key.
Two companies may want to securely export data between their companies on removable media. To export data from company A to company B, company B configures an asymmetric key pair with key label B on its key server and provides the public key and key label to company A. Company A then configures that public key with key label B on his key server. Company A has also previously configured an asymmetric key pair and key label A on his key server for the purposes of managing his own encrypted storage. Company A then configures a storage device with both key labels A and B. If a sending storage subsystem at company A wants to export the data in storage to a receiving storage subsystem at company B, then the sending storage subsystem provides to the Company A key server the company A and company B key labels in the request for the symmetric encryption key used to encrypt the exported data. The key server would then provide to the sending storage subsystem the two copies of the encryption key that can be used to decrypt the exported data, one encrypted with the company A key label public key and another encrypted with the company B key label. The sending storage subsystem stores both of these encryption keys encrypted with the A and B key labels on the removable medium. To access the exported storage, the receiving storage subsystem would send the company B key server the key label B with the encryption key encrypted with the public key of key label B to decrypt using the private key of the key label B, and then encrypt with the receiving storage subsystem's public key to return to the receiving storage subsystem to use. Transfer of data from company B to company A is handled equivalently by company A providing a key label and public key to company B. In this way, the public parts of the key label pairs are interchanged between the sending and the receiving companies, but the private part of the key pairs are not interchanged.
An encryption deadlock situation may occur when all key servers within a computing environment are rendered inoperable because key server data is stored on an encryption storage device that is dependent on the key server to access the data (i.e., the encryption keys themselves have been included within the data that was encrypted using those keys).
If an encryption deadlock occurs, then the key servers may not be able to complete their initial program load (IPL) and become operational or may not be able to provide key services to storage subsystems. The required code and data objects includes not only the boot image and application image for the operating system that runs on the key server, but also any other data required by that operating system and their associated software stacks to run the key server application, to allow the key server to access its key store and communicate with storage clients. While an encryption deadlock exists, the customer is unable to access any encrypted data on the encrypted storage. If the possible key server instances are in encryption deadlock, then the customer cannot obtain the keys needed to decrypt attached storage, and the encryption deadlock can become a permanent encryption deadlock such that all encrypted data managed by the key servers is permanently lost, which can have substantially detrimental effects to the business whose data is now inaccessible.