<font size=2 face="sans-serif">An "Encrypt-in-place" feature
would not survive a serious, paranoid security audit.</font>
<br>
<br><font size=2 face="sans-serif">If sensitive data ever was written to
a disk, then the paranoid would say you can never be 100% sure that you
have erased it.</font>
<br>
<br><font size=2 face="sans-serif">That said, you decide how worried or
paranoid you'd like to be and you can do an almost in place encryption
as James Davis suggests by</font>
<br><font size=2 face="sans-serif">simply copying the unencrypted file
to a new file that will be subject to a GPFS encryption policy (SET ENCRYPTION)
rule.</font>
<br>
<br><font size=2 face="sans-serif">The safest way would be to copy-encrypt
all the data to a new file system and then crush all the equipment that
was used to store the clear-text files.<br>
</font>
<br><font size=2 face="sans-serif">If crushing is too extreme, you might
settle for a multipass sector by sector soft scrubbing by writing both
carefully chosen and random data patterns.</font>
<br>
<br><font size=2 face="sans-serif">Even then, unless you trust the manufacturer
AND the manufacturer has provided you the means to "scrub" all
the tracks/sectors of the disk you won't be sure... Suppose that
some sensitive data was written to a sector number that was later declared
(partially) defective and remapped by the disk micro-code, and the original
sector is put in a bad sector list that you can no longer address with
standard disk driver software... </font>
<br>
<br><font size=2 face="sans-serif">Or it could be on some NVRAM or a disk
that a service technician swapped out... Ooops... it went out the
door... and is now in the hands of the bad guys...</font>
<br>
<br><img align=left src=cid:_1_0711BA900711B8240050618485257E2A alt="Marc A Kaplan" style="border:0px solid;">
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">James Davis/Poughkeepsie/IBM@IBMUS</font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">gpfsug main discussion
list <gpfsug-discuss@gpfsug.org></font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">04/17/2015 10:12 AM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">Re: [gpfsug-discuss]
Experiences upgrading in place to GPFS 4.1?</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Sent by:
</font><font size=1 face="sans-serif">gpfsug-discuss-bounces@gpfsug.org</font>
<br>
<hr noshade>
<br>
<br>
<br><tt><font size=2>Hi Chris,</font></tt><font size=3><br>
</font><tt><font size=2><br>
Based on your question I think you are aware of this already, but just
in case...</font></tt><font size=3><br>
</font><tt><font size=2><br>
There is not currently an encrypt-in-place solution for GPFS encryption.
A file's encryption state is determined at create-time. In order to encrypt
your existing 100TB of data, you will need to apply an encryption policy
to the current (or a new) GPFS file system(s) and then do something like:<br>
cp file file.enc #now file.new is encrypted<br>
mv file.enc file #replace the unencrypted file with the encrypted
file</font></tt><font size=3><br>
</font><tt><font size=2><br>
This can be done in parallel using mmapplypolicy if you want. In 4.1.1
(forthcoming) I plan to provide an improved version of the /usr/lpp/mmfs/samples/ilm/mmfind
(a find-esque interface to mmapplypolicy) that shipped in the last release;
this should be an effective tool for the job.</font></tt><font size=3><br>
</font><tt><font size=2><br>
Cheers,</font></tt><font size=3><br>
</font><tt><font size=2><br>
Jamie</font></tt><font size=3><br>
</font><font size=2 face="sans-serif"><br>
Jamie Davis<br>
GPFS Functional Verification Test (FVT)<br>
jamiedavis@us.ibm.com</font><font size=3><br>
<br>
</font><img src=cid:_1_10172934101720400050618485257E2A alt="Inactive hide details for Daniel Kidger ---17-04-2015 08:16:54 AM---Hi Chris, The Crypto feature of GPFS 4.1 requires the addi" style="border:0px solid;"><font size=2 color=#424282 face="sans-serif">Daniel
Kidger ---17-04-2015 08:16:54 AM---Hi Chris, The Crypto feature of GPFS
4.1 requires the addition of just one extra</font><font size=3><br>
</font><font size=1 color=#5f5f5f face="sans-serif"><br>
From: </font><font size=1 face="sans-serif">Daniel Kidger <daniel.kidger@uk.ibm.com></font><font size=1 color=#5f5f5f face="sans-serif"><br>
To: </font><font size=1 face="sans-serif">gpfsug main discussion list <gpfsug-discuss@gpfsug.org></font><font size=1 color=#5f5f5f face="sans-serif"><br>
Date: </font><font size=1 face="sans-serif">17-04-15 08:16 AM</font><font size=1 color=#5f5f5f face="sans-serif"><br>
Subject: </font><font size=1 face="sans-serif">Re: [gpfsug-discuss] Experiences
upgrading in place to GPFS 4.1?</font><font size=1 color=#5f5f5f face="sans-serif"><br>
Sent by: </font><font size=1 face="sans-serif">gpfsug-discuss-bounces@gpfsug.org</font><font size=3><br>
</font>
<hr noshade><font size=3><br>
<br>
</font><font size=2 face="sans-serif"><br>
Hi Chris,</font><font size=3> </font><font size=2 face="sans-serif"><br>
<br>
The Crypto feature of GPFS 4.1 requires the addition of just one
extra RPM over the standard edition. Other RPMs remain the same.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
It also requires licenses for "Advanced Edition". These
are of the order of 30% more expensive than the standard edition.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
<br>
The model for GPFS encryption at rest is that the client node fetches the
encrypted file from the fileserver. <br>
The file remains encrypted in transfer and is only decrypted by the client
node using a key it holds.</font><font size=3> </font><font size=2 face="sans-serif"><br>
A result is end-to-end encryption as well as encryption of data at rest,</font><font size=3>
</font><font size=2 face="sans-serif"><br>
<br>
Encryption can be on a per file level if desired. Hence a way to migrate
from an existing non-encrypted. setup. <br>
note inodes should be 4kB to make sure there is enough room to store the
encryption attributes.</font><font size=3> </font><font size=2 face="sans-serif"><br>
<br>
A side effect of adding encryption is that you also need additional remote
key management (RKM) servers to handle the key management. These need licensed
software.</font><font size=3> </font><font size=2 face="sans-serif"><br>
see </font><a href="http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/com.ibm.cluster.gpfs.v4r104.gpfs200.doc/bl1adv_encryptionsetupreqs.htm"><font size=2 color=blue face="sans-serif"><u>http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/com.ibm.cluster.gpfs.v4r104.gpfs200.doc/bl1adv_encryptionsetupreqs.htm</u></font></a><font size=3>
</font><font size=2 face="sans-serif"><br>
<br>
I am sure DDN can help you with all of this.</font><font size=3> </font><font size=2 face="sans-serif"><br>
<br>
Hope this helps,</font><font size=3> </font><font size=2 face="sans-serif"><br>
Daniel</font><font size=3> </font>
<table width=592 style="border-collapse:collapse;">
<tr height=8>
<td width=592 colspan=4 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;">
<hr>
<tr height=8>
<td width=592 colspan=4 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><img align=bottom src=cid:_1_0990324010175EFC0050618485257E2A width=1 height=1 style="border:0px solid;">
<tr height=8>
<td width=328 colspan=2 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=2 face="Arial"><b>Dr.Daniel
Kidger</b></font><font size=3> </font>
<td width=151 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">No.
1 The Square,</font><font size=3> </font>
<td width=113 rowspan=3 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;">
<div align=right><img align=bottom src=cid:_1_0990647C099060A80050618485257E2A style="border:0px solid;"></div>
<tr height=8>
<td width=328 colspan=2 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">Technical
Specialist SDI (formerly Platform Computing)</font><font size=3>
</font>
<td width=151 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">Temple
Quay,<br>
Bristol BS1 6DG</font><font size=3> </font>
<tr height=8>
<td width=70 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">Mobile:</font><font size=3>
</font>
<td width=258 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">+44-07818
522 266</font><font size=3> </font>
<td width=151 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">United
Kingdom</font><font size=3> </font>
<tr height=8>
<td width=70 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">Landline:</font><font size=3>
</font>
<td width=258 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">+44-02392
564 121 (Internal ITN 3726 9250)</font><font size=3> </font>
<td width=151 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial"> </font><font size=3>
</font>
<td width=113 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><img align=bottom src=cid:_1_099076C8099072F40050618485257E2A width=1 height=1 style="border:0px solid;">
<tr height=8>
<td width=70 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">e-mail:</font><font size=3>
</font>
<td width=258 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">daniel.kidger@uk.ibm.com</font><font size=3>
</font>
<td width=151 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 color=#5f5f5f face="Arial">
</font>
<td width=113 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><img align=bottom src=cid:_1_0990881C099084480050618485257E2A width=1 height=1 style="border:0px solid;">
<tr height=8>
<td width=592 colspan=4 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;">
<hr></table>
<br><font size=3><br>
<br>
<br>
</font><font size=1 color=#5f5f5f face="sans-serif"><br>
<br>
From: </font><font size=1 face="sans-serif">Frank
Leers <fleers@gmail.com></font><font size=3> </font><font size=1 color=#5f5f5f face="sans-serif"><br>
To: </font><font size=1 face="sans-serif">gpfsug
main discussion list <gpfsug-discuss@gpfsug.org></font><font size=3>
</font><font size=1 color=#5f5f5f face="sans-serif"><br>
Date: </font><font size=1 face="sans-serif">16/04/2015
23:21</font><font size=3> </font><font size=1 color=#5f5f5f face="sans-serif"><br>
Subject: </font><font size=1 face="sans-serif">Re:
[gpfsug-discuss] Experiences upgrading in place to GPFS 4.1?</font><font size=3>
</font><font size=1 color=#5f5f5f face="sans-serif"><br>
Sent by: </font><font size=1 face="sans-serif">gpfsug-discuss-bounces@gpfsug.org</font><font size=3>
<br>
</font>
<hr noshade><font size=3><br>
<br>
<br>
Hi Chris, <br>
<br>
Since you mention GRIDScaler, I assume that you are a DDN customer and
that you have a support contract with them. If not, then feel free
to take the advice that follows with a measure of salt although it mostly
still applies ;-) <br>
With 4.1, there are now 'Editions' of GPFS, which break out various feature
sets into a tiered arrangement, with each tier being licensed (and possibly
priced) differently. <br>
Have a look here (Q 1.3) for the 4.1 licensing notes - </font><a href="http://www-01.ibm.com/support/knowledgecenter/SSFKCN/com.ibm.cluster.gpfs.doc/gpfs_faqs/gpfsclustersfaq.html"><font size=3 color=blue><u>http://www-01.ibm.com/support/knowledgecenter/SSFKCN/com.ibm.cluster.gpfs.doc/gpfs_faqs/gpfsclustersfaq.html</u></font></a><font size=3>
<br>
<br>
With GPFS 3.5, you are most likely running the equivalent of the 'Standard
Edition' today. The crypto feature set comes with the 'Advanced Edition',
which is licensed differently. <br>
<br>
Have a look at Chapter 15 of the Advanced Admin Guide for 4.1 as a primer
... </font><a href="http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/gpfs4104_content.html"><font size=3 color=blue><u>http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/gpfs4104_content.html</u></font></a><font size=3>
<br>
<br>
-frank <br>
<br>
<br>
On Thu, Apr 16, 2015 at 1:33 PM, Garrison, E Chris <</font><a href=mailto:ecgarris@iu.edu target=_blank><font size=3 color=blue><u>ecgarris@iu.edu</u></font></a><font size=3>>
wrote: </font><font size=2 face="Calibri"><br>
Hello,</font><font size=3> </font><font size=2 face="Calibri"><br>
<br>
My site is working up to upgrading our paired GridScaler system from GPFS
3.5 to 4.1. There is a mandate to provide encryption at rest, and that's
an advertised feature of 4.1. We already have over 100 TB of data, synchronously
replicated between two geographically separated sites, and we have concerns
about how the upgrade, as well as the application of encryption to all
that data, will go.</font><font size=3> </font><font size=2 face="Calibri"><br>
<br>
I'd like to hear from admins who've been through this upgrade. What gotchas
should we look out for? Can it easily be done in place, or would we need
some extra equipment to "slosh" our data to and from so that
it is written to an encrypted GPFS?</font><font size=3> </font><font size=2 face="Calibri"><br>
<br>
Thank you for your time, and for any sage advice on this process.</font><font size=3>
</font><font size=2 face="Calibri"><br>
<br>
Chris</font><font size=3> </font><font size=2 face="Calibri"><br>
--</font><font size=3> </font><font size=2 face="Calibri"><br>
Chris Garrison</font><font size=3> </font><font size=2 face="Calibri"><br>
Indiana University</font><font size=3> </font><font size=2 face="Calibri"><br>
Research Systems Storage</font><font size=3> <br>
<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at </font><a href=http://gpfsug.org/ target=_blank><font size=3 color=blue><u>gpfsug.org</u></font></a><font size=3 color=blue><u><br>
</u></font><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target=_blank><font size=3 color=blue><u>http://gpfsug.org/mailman/listinfo/gpfsug-discuss</u></font></a><tt><font size=2><br>
<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at gpfsug.org</font></tt><font size=3 color=blue><u><br>
</u></font><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><font size=2 color=blue><u>http://gpfsug.org/mailman/listinfo/gpfsug-discuss</u></font></tt></a><font size=2 face="sans-serif"><br>
<br>
<br>
Unless stated otherwise above:<br>
IBM United Kingdom Limited - Registered in England and Wales with number
741598. <br>
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6
3AU</font><tt><font size=2>_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at gpfsug.org</font></tt><tt><font size=2 color=blue><u><br>
</u></font></tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><font size=2 color=blue><u>http://gpfsug.org/mailman/listinfo/gpfsug-discuss</u></font></tt></a><font size=3><br>
</font><tt><font size=2>_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at gpfsug.org<br>
</font></tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><font size=2>http://gpfsug.org/mailman/listinfo/gpfsug-discuss</font></tt></a><tt><font size=2><br>
</font></tt>
<br>