Overview
This document applies to Cloud Object Storage (COS) and describes how to encrypt files at rest. Encryption ensures that, even if someone gains access to the COS bucket through means other than IBM i, they cannot read or use the stored objects.
This approach is valid for saving libraries, objects, and IFS data using both native IBM i OS400 save/restore commands and Backup, Recovery and Media Services (BRMS).
Note: Functionality was verified on IBM i version V7R5.
⚠️ Important Warning: If you are using IBM Cloud Storage Solutions for i V1.2.0 with encryption or compression enabled, it will not be possible to recover system data in the event of a Disaster Recovery. Plan your backup strategy accordingly and ensure that critical data remains recoverable under all scenarios.
Configuring Cloud Storage Solutions file transfer encryption
🔧 Execute the following actions on System/LPAR A and System/LPAR B:
Follow this PDF, starting on page 5, or, if you are on PowerVS, follow the Certificate configuration for IBM i communication with IBM Cloud Object Storage guide.
Once ICC has been successfully configured within Digital Certificate Manager (DCM), proceed to create a non-encrypted ICC resource using WRKCFGICC. For detailed guidance, refer to the PDF starting on page 9.
Next, test the CPYTOCLD and CPYFRMCLD functions on the same System/LPAR to verify proper connectivity and data transfer.
If both functions complete successfully, you may proceed with the subsequent configuration steps.
Configuring Cloud Storage Solutions file at rest encryption
💡 Note: In the example provided, Master Key 1 was used for the configuration. However, you can select a different Master Key number based on your organizational policies or encryption requirements. Just ensure the chosen key is properly initialized and available on the system before proceeding.
- ADDMSTPART MSTKEY(1) PASSPHRASE('mytransferkey')
- SETMSTKEY MSTKEY(1)
🔄 Steps 2 to 6 in the procedure below—marked in blue—are replaced by the two steps outlined above.
To ensure consistency across all LPARs, execute the command CHKMSTKVV MSTKEY(1) VERSION(*CURRENT) on each system and verify that the key verification value in the output is identical (the keystore file is encrypted under this master key, so the master key must match on every LPAR that will use a copy of the keystore). Next, refer to this PDF, starting from page 8, and follow the instructions provided.
🗂️ The following section contains the material extracted from page 8 of the PDF document.
Configuring Cloud Storage Solutions file at rest encryption
You can configure Cloud Storage Solutions to make sure files are encrypted while they are "at rest" in the cloud, and are decrypted when they are copied back from the cloud.
About this task
Cloud Storage Solutions encrypts at rest files using the Advanced Encryption Standard (AES) symmetric encryption algorithm with a 128-bit key length. To encrypt files, you must create a keystore file. Then you create a key with a label and add the key to the keystore file. After you create the keystore file and key, you can create or change a resource and provide keystore and key information. Then files copied to the cloud using that resource are encrypted before they are copied, and remain encrypted while at rest in the cloud. When you copy encrypted files from the cloud back to a host IBM i computer using the same resource, the files are decrypted using the same key that encrypted them.

To encrypt files as they are copied to and from the cloud using SSL, see “Configuring Cloud Storage Solutions file transfer encryption” on page 5. If SSL and at rest encryption are both enabled, the files are double-encrypted while they are copied. If your cloud provider has their own at rest encryption, it is recommended that you use their encryption. At rest encryption is available with the Cloud Storage Solutions Advanced Edition.

For more information on creating keystore files and labeled keys on IBM i, see the topic Managing cryptographic keystore files in the IBM Knowledge Center. For comprehensive IBM i security information, see the IBM System i Security: Protecting i5/OS Data with Encryption redbook.
Procedure
Take the following steps to configure at rest encryption:
1. Log into IBM Navigator for i.
2. In the navigation pane, click Security > All Tasks > Cryptographic Services Key Management > Manage Master Keys.
3. Select 1, and then in the Select Action drop down, select Load Part.
4. In the Load Master Key Part dialog, type a passphrase and then click OK.
5. In the Manage Master Keys dialog, select 1 again, and in the Select Action drop down, select Set. In the 1 row, the Type column value is Set and the Current Key Verification Value column contains a long alphanumeric value.
6. Click Close.
7. In the navigation pane, click Security > All Tasks > Cryptographic Services Key Management > Manage Keystores.
8. Click Create New Keystore, then type keystore details and click OK. In the Manage Keystores dialog you should see the new keystore listed. 🛎️
9. Select the new keystore and click Actions > Open keystore.
10. Click New Key Record, type a label for the new key, and then click Next.
11. In the Functions not allowed dialog, do not select any functions. Click Next.
12. In the Key type dialog, select AES, and then click Next.
13. In the Key value generation dialog, select Generate automatically, and then click Next.
14. In the AES key size (in bits) field, type 128, and then click Next.
15. In the Summary dialog, make sure your selections are accurate. Click Back to make changes, or click Finish.
🛎️ Note for step 8: At the time of writing, the keystore did not appear in the list within Navigator for i unless the “Add this keystore to the current keystores list” checkbox was selected.

💡 Note: The steps that follow assume the keystore and its corresponding key record are both named COS and located in the QGPL library, as defined earlier in the setup. If your environment uses different names or library locations, substitute accordingly.
Object Duplication and Transfer from System/LPAR A to B
🔧 Execute the following actions on System/LPAR A:
- CRTDUPOBJ OBJ(COS) FROMLIB(QGPL) OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(COSTRANSF) ASPDEV(*) TOASPDEV(*ASPDEV) DATA(*YES) CST(*YES) TRG(*YES) FILEID(*NO)
- CRTSAVF FILE(QGPL/COSFTP) - Create this SAVF also on System/LPAR B
- SAVOBJ OBJ(COSTRANSF) LIB(QGPL) DEV(*SAVF) SAVF(QGPL/COSFTP)
- FTP 'System/LPAR B IP' - Transfer the SAVF to System/LPAR B
- lcd QGPL
- cd QGPL
- bin
- put COSFTP
Object Restoration on System/LPAR B
🔧 Execute the following actions on System/LPAR B:
- RSTOBJ OBJ(COSTRANSF) SAVLIB(QGPL) DEV(*SAVF) SAVF(QGPL/COSFTP)
- WRKOBJ OBJ(QGPL/COS*)
- Delete the existing COS object (*FILE, PF).
- Rename COSTRANSF to COS.
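The duplication, transfer and restore steps above, collected into two CL programs (one per System/LPAR) as an added example; this is not code from the page or from IBM. QGPL/COS, COSTRANSF and COSFTP are the page's own names. The member names CPYKSA and CPYKSB, the FTP script file QGPL/FTPSRC with members FTPIN and FTPOUT, and the login profile XFERUSER are assumptions. Because the batch FTP script carries a user ID and password on its first line, the design keeps that member separate from the program, expects a profile that is authorized only to QGPL/COSFTP on B, and clears the save file and working copy on both sides so no extra copies of the keystore remain.

```cl
/* ================================================================ */
/* Member CPYKSA (System/LPAR A): duplicate QGPL/COS, save the copy   */
/* to a SAVF and push it to B with batch FTP.                        */
/* Assumed: QGPL/FTPSRC member FTPIN exists and contains:            */
/*   XFERUSER <password>      (first line = user ID and password)    */
/*   bin                                                             */
/*   lcd QGPL                                                        */
/*   cd QGPL                                                         */
/*   put COSFTP                                                      */
/*   quit                                                            */
/* Remove FTPIN once the transfer is done: RMVM FILE(QGPL/FTPSRC)    */
/*   MBR(FTPIN)                                                      */
/* ================================================================ */
             PGM        PARM(&RMTSYS)
             DCL        VAR(&RMTSYS) TYPE(*CHAR) LEN(255) /* B host/IP */

             /* Work on a copy so the live keystore QGPL/COS is untouched */
             CRTDUPOBJ  OBJ(COS) FROMLIB(QGPL) OBJTYPE(*FILE) +
                          TOLIB(QGPL) NEWOBJ(COSTRANSF) DATA(*YES) +
                          CST(*YES) TRG(*YES) FILEID(*NO)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             /* Save file: create once, reuse (CPF5813 = already exists) */
             CRTSAVF    FILE(QGPL/COSFTP) TEXT('COS keystore transfer')
             MONMSG     MSGID(CPF5813)
             CLRSAVF    FILE(QGPL/COSFTP)
             SAVOBJ     OBJ(COSTRANSF) LIB(QGPL) DEV(*SAVF) +
                          SAVF(QGPL/COSFTP)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             /* Batch FTP: commands read from FTPIN, transcript to FTPOUT */
             OVRDBF     FILE(INPUT)  TOFILE(QGPL/FTPSRC) MBR(FTPIN)
             OVRDBF     FILE(OUTPUT) TOFILE(QGPL/FTPSRC) MBR(FTPOUT)
             FTP        RMTSYS(&RMTSYS)
             DLTOVR     FILE(INPUT OUTPUT)

             /* Leave no spare copies of key material on A */
             DLTF       FILE(QGPL/COSTRANSF)
             CLRSAVF    FILE(QGPL/COSFTP)
             RETURN

 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Keystore transfer to B failed') +
                          MSGTYPE(*ESCAPE)
             ENDPGM

/* ================================================================ */
/* Member CPYKSB (System/LPAR B): restore the copy and replace the   */
/* locally created QGPL/COS with it. Run it only after CHKMSTKVV     */
/* MSTKEY(1) VERSION(*CURRENT) shows the same value on A and B.      */
/* ================================================================ */
             PGM
             RSTOBJ     OBJ(COSTRANSF) SAVLIB(QGPL) DEV(*SAVF) +
                          SAVF(QGPL/COSFTP)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             /* Drop the placeholder keystore on B (CPF2105 = not found) */
             DLTF       FILE(QGPL/COS)
             MONMSG     MSGID(CPF2105)
             RNMOBJ     OBJ(QGPL/COSTRANSF) OBJTYPE(*FILE) NEWOBJ(COS)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             /* The SAVF still holds the keystore: clear it */
             CLRSAVF    FILE(QGPL/COSFTP)
             RETURN

 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Keystore restore on B failed') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Compile each member with CRTBNDCL and call CPYKSA on A with B's address, for example CALL PGM(QGPL/CPYKSA) PARM('192.0.2.10') (constructed address), then CALL PGM(QGPL/CPYKSB) on B. Both programs stop on the first failing command with an escape message so a half-finished transfer is visible in the job log rather than silently leaving a mismatched keystore on B; FTP itself does not signal an escape, so check the FTPOUT transcript before running CPYKSB.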
WRKCFGICC Configuration: Enable Encryption
🔧 Execute the following actions on System/LPAR A and System/LPAR B:
Change the ICC resource on WRKCFGICC:
Resource name . . . . . . . . : COSENC
Resource type . . . . . . . . : AWSS3
Resource description . . . . . : Bucket bccemad-enc
Use compression . . . . . . . : *YES
Use encryption . . . . . . . . : *YES
Keystore file . . . . . . . . : COS (upper case)
Library . . . . . . . . . . : QGPL
Key label . . . . . . . . . . : COS (upper case)
⚠️ Important Note
For long-term data integrity and disaster recovery readiness, it is critical to store the QGPL/COS keystore file and the encryption passphrase used during key initialization (e.g., 'mytransferkey') in a secure and access-controlled location.
Loss of either the keystore file or the passphrase will result in permanent inability to decrypt the stored files. Ensure these assets are protected in accordance with your organization's security policies—preferably in an encrypted vault or a dedicated credential management system.
📚 References