<html><body>
<p><tt><font size="2">Hi Chris,</font></tt><br>
<br>
<tt><font size="2">Based on your question I think you are aware of this already, but just in case...</font></tt><br>
<br>
<tt><font size="2">There is not currently an encrypt-in-place solution for GPFS encryption. A file's encryption state is determined at create-time. In order to encrypt your existing 100TB of data, you will need to apply an encryption policy to the current (or a new) GPFS file system(s) and then do something like:</font></tt><br>
<tt><font size="2"> cp file file.enc #now file.new is encrypted</font></tt><br>
<tt><font size="2"> mv file.enc file #replace the unencrypted file with the encrypted file</font></tt><br>
<br>
<tt><font size="2">This can be done in parallel using mmapplypolicy if you want. In 4.1.1 (forthcoming) I plan to provide an improved version of the /usr/lpp/mmfs/samples/ilm/mmfind (a find-esque interface to mmapplypolicy) that shipped in the last release; this should be an effective tool for the job.</font></tt><br>
<br>
<tt><font size="2">Cheers,</font></tt><br>
<br>
<tt><font size="2">Jamie</font></tt><br>
<br>
<font size="2" face="sans-serif">Jamie Davis<br>
GPFS Functional Verification Test (FVT)<br>
jamiedavis@us.ibm.com</font><br>
<br>
<img width="16" height="16" src="cid:1__=0ABBF4B9DFDED2378f9e8a93df938@us.ibm.com" border="0" alt="Inactive hide details for Daniel Kidger ---17-04-2015 08:16:54 AM---Hi Chris, The Crypto feature of GPFS 4.1 requires the addi"><font size="2" color="#424282" face="sans-serif">Daniel Kidger ---17-04-2015 08:16:54 AM---Hi Chris, The Crypto feature of GPFS 4.1 requires the addition of just one extra</font><br>
<br>
<font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">Daniel Kidger <daniel.kidger@uk.ibm.com></font><br>
<font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif">gpfsug main discussion list <gpfsug-discuss@gpfsug.org></font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">17-04-15 08:16 AM</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Subject: </font><font size="1" face="sans-serif">Re: [gpfsug-discuss] Experiences upgrading in place to GPFS 4.1?</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Sent by: </font><font size="1" face="sans-serif">gpfsug-discuss-bounces@gpfsug.org</font><br>
<hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br>
<br>
<br>
<font size="2" face="sans-serif">Hi Chris,</font><font size="3" face="serif"> <br>
</font><font size="2" face="sans-serif"><br>
The Crypto feature of GPFS 4.1 requires the addition of just one extra RPM over the standard edition. Other RPMs remain the same.</font><font size="3" face="serif"> </font><font size="2" face="sans-serif"><br>
It also requires licenses for "Advanced Edition". These are of the order of 30% more expensive than the standard edition.</font><font size="3" face="serif"> <br>
</font><font size="2" face="sans-serif"><br>
The model for GPFS encryption at rest is that the client node fetches the encrypted file from the fileserver. <br>
The file remains encrypted in transfer and is only decrypted by the client node using a key it holds.</font><font size="3" face="serif"> </font><font size="2" face="sans-serif"><br>
A result is end-to-end encryption as well as encryption of data at rest,</font><font size="3" face="serif"> <br>
</font><font size="2" face="sans-serif"><br>
Encryption can be on a per file level if desired. Hence a way to migrate from an existing non-encrypted. setup. <br>
note inodes should be 4kB to make sure there is enough room to store the encryption attributes.</font><font size="3" face="serif"> <br>
</font><font size="2" face="sans-serif"><br>
A side effect of adding encryption is that you also need additional remote key management (RKM) servers to handle the key management. These need licensed software.</font><font size="3" face="serif"> </font><font size="2" face="sans-serif"><br>
see </font><a href="http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/com.ibm.cluster.gpfs.v4r104.gpfs200.doc/bl1adv_encryptionsetupreqs.htm"><font size="2" color="#0000FF" face="sans-serif"><u>http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/com.ibm.cluster.gpfs.v4r104.gpfs200.doc/bl1adv_encryptionsetupreqs.htm</u></font></a><font size="3" face="serif"> <br>
</font><font size="2" face="sans-serif"><br>
I am sure DDN can help you with all of this.</font><font size="3" face="serif"> <br>
</font><font size="2" face="sans-serif"><br>
Hope this helps,</font><font size="3" face="serif"> </font><font size="2" face="sans-serif"><br>
Daniel</font><font size="3" face="serif"> </font>
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="594" colspan="4" valign="middle">
<ul style="padding-left: 0pt"><hr width="100%" size="2" align="left"></ul>
</td></tr>
<tr valign="top"><td width="594" colspan="4" valign="middle"><img width="1" height="1" src="cid:2__=0ABBF4B9DFDED2378f9e8a93df938@us.ibm.com" border="0" alt=""></td></tr>
<tr valign="top"><td width="330" colspan="2" valign="middle">
<ul style="padding-left: 0pt"><font size="2" face="Arial"><b>Dr.Daniel Kidger</b></font><font size="3" face="serif"> </font></ul>
</td><td width="151" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">No. 1 The Square,</font><font size="3" face="serif"> </font></ul>
</td><td width="113" rowspan="3" valign="middle"><div align="right"><img src="cid:3__=0ABBF4B9DFDED2378f9e8a93df938@us.ibm.com" width="83" height="30" align="bottom"></div></td></tr>
<tr valign="top"><td width="330" colspan="2" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">Technical Specialist SDI (formerly Platform Computing)</font><font size="3" face="serif"> </font></ul>
</td><td width="151" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">Temple Quay,<br>
Bristol BS1 6DG</font><font size="3" face="serif"> </font></ul>
</td></tr>
<tr valign="top"><td width="70" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">Mobile:</font><font size="3" face="serif"> </font></ul>
</td><td width="258" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">+44-07818 522 266</font><font size="3" face="serif"> </font></ul>
</td><td width="151" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">United Kingdom</font><font size="3" face="serif"> </font></ul>
</td></tr>
<tr valign="top"><td width="70" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">Landline:</font><font size="3" face="serif"> </font></ul>
</td><td width="258" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">+44-02392 564 121 (Internal ITN 3726 9250)</font><font size="3" face="serif"> </font></ul>
</td><td width="151" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial"> </font><font size="3" face="serif"> </font></ul>
</td><td width="113" valign="middle"><img width="1" height="1" src="cid:2__=0ABBF4B9DFDED2378f9e8a93df938@us.ibm.com" border="0" alt=""></td></tr>
<tr valign="top"><td width="70" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">e-mail:</font><font size="3" face="serif"> </font></ul>
</td><td width="258" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial">daniel.kidger@uk.ibm.com</font><font size="3" face="serif"> </font></ul>
</td><td width="151" valign="middle">
<ul style="padding-left: 0pt"><font size="1" color="#5F5F5F" face="Arial"> </font></ul>
</td><td width="113" valign="middle"><img width="1" height="1" src="cid:2__=0ABBF4B9DFDED2378f9e8a93df938@us.ibm.com" border="0" alt=""></td></tr>
<tr valign="top"><td width="594" colspan="4" valign="middle">
<ul style="padding-left: 0pt"><hr width="100%" size="2" align="left"></ul>
</td></tr>
</table>
<font size="3" face="serif"><br>
<br>
<br>
<br>
</font><font size="1" color="#5F5F5F" face="sans-serif"><br>
From: </font><font size="1" face="sans-serif">Frank Leers <fleers@gmail.com></font><font size="3" face="serif"> </font><font size="1" color="#5F5F5F" face="sans-serif"><br>
To: </font><font size="1" face="sans-serif">gpfsug main discussion list <gpfsug-discuss@gpfsug.org></font><font size="3" face="serif"> </font><font size="1" color="#5F5F5F" face="sans-serif"><br>
Date: </font><font size="1" face="sans-serif">16/04/2015 23:21</font><font size="3" face="serif"> </font><font size="1" color="#5F5F5F" face="sans-serif"><br>
Subject: </font><font size="1" face="sans-serif">Re: [gpfsug-discuss] Experiences upgrading in place to GPFS 4.1?</font><font size="3" face="serif"> </font><font size="1" color="#5F5F5F" face="sans-serif"><br>
Sent by: </font><font size="1" face="sans-serif">gpfsug-discuss-bounces@gpfsug.org</font><font size="3" face="serif"> <br>
</font><hr width="100%" size="2" align="left" noshade><font size="3" face="serif"><br>
<br>
<br>
Hi Chris, <br>
<br>
Since you mention GRIDScaler, I assume that you are a DDN customer and that you have a support contract with them. If not, then feel free to take the advice that follows with a measure of salt although it mostly still applies ;-) <br>
With 4.1, there are now 'Editions' of GPFS, which break out various feature sets into a tiered arrangement, with each tier being licensed (and possibly priced) differently. <br>
Have a look here (Q 1.3) for the 4.1 licensing notes - </font><a href="http://www-01.ibm.com/support/knowledgecenter/SSFKCN/com.ibm.cluster.gpfs.doc/gpfs_faqs/gpfsclustersfaq.html"><font size="3" color="#0000FF" face="serif"><u>http://www-01.ibm.com/support/knowledgecenter/SSFKCN/com.ibm.cluster.gpfs.doc/gpfs_faqs/gpfsclustersfaq.html</u></font></a><font size="3" face="serif"> <br>
<br>
With GPFS 3.5, you are most likely running the equivalent of the 'Standard Edition' today. The crypto feature set comes with the 'Advanced Edition', which is licensed differently. <br>
<br>
Have a look at Chapter 15 of the Advanced Admin Guide for 4.1 as a primer ... </font><a href="http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/gpfs4104_content.html"><font size="3" color="#0000FF" face="serif"><u>http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/gpfs4104_content.html</u></font></a><font size="3" face="serif"> <br>
<br>
-frank <br>
<br>
<br>
On Thu, Apr 16, 2015 at 1:33 PM, Garrison, E Chris <</font><a href="mailto:ecgarris@iu.edu" target="_blank"><font size="3" color="#0000FF" face="serif"><u>ecgarris@iu.edu</u></font></a><font size="3" face="serif">> wrote: </font><font size="2" face="Calibri"><br>
Hello,</font><font size="3" face="serif"> <br>
</font><font size="2" face="Calibri"><br>
My site is working up to upgrading our paired GridScaler system from GPFS 3.5 to 4.1. There is a mandate to provide encryption at rest, and that's an advertised feature of 4.1. We already have over 100 TB of data, synchronously replicated between two geographically separated sites, and we have concerns about how the upgrade, as well as the application of encryption to all that data, will go.</font><font size="3" face="serif"> <br>
</font><font size="2" face="Calibri"><br>
I'd like to hear from admins who've been through this upgrade. What gotchas should we look out for? Can it easily be done in place, or would we need some extra equipment to "slosh" our data to and from so that it is written to an encrypted GPFS?</font><font size="3" face="serif"> <br>
</font><font size="2" face="Calibri"><br>
Thank you for your time, and for any sage advice on this process.</font><font size="3" face="serif"> <br>
</font><font size="2" face="Calibri"><br>
Chris</font><font size="3" face="serif"> </font><font size="2" face="Calibri"><br>
--</font><font size="3" face="serif"> </font><font size="2" face="Calibri"><br>
Chris Garrison</font><font size="3" face="serif"> </font><font size="2" face="Calibri"><br>
Indiana University</font><font size="3" face="serif"> </font><font size="2" face="Calibri"><br>
Research Systems Storage</font><font size="3" face="serif"> <br>
<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at </font><a href="http://gpfsug.org/" target="_blank"><font size="3" color="#0000FF" face="serif"><u>gpfsug.org</u></font></a><font size="3" color="#0000FF" face="serif"><u><br>
</u></font><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank"><font size="3" color="#0000FF" face="serif"><u>http://gpfsug.org/mailman/listinfo/gpfsug-discuss</u></font></a><font size="3" face="serif"><br>
</font><tt><font size="2"><br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at gpfsug.org</font></tt><font size="3" color="#0000FF" face="serif"><u><br>
</u></font><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><font size="2" color="#0000FF"><u>http://gpfsug.org/mailman/listinfo/gpfsug-discuss</u></font></tt></a><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
<br>
Unless stated otherwise above:<br>
IBM United Kingdom Limited - Registered in England and Wales with number 741598. <br>
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU</font><tt><font size="2">_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at gpfsug.org<br>
</font></tt><tt><font size="2"><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></tt><tt><font size="2"><br>
</font></tt><br>
</body></html>