Occasionally, you might need to move an appliance between data centers to copy data from multiple locations. Locking an appliance before moving it ensures that the data is encrypted and not accessible when the appliance comes in contact with third-party shipping services or people outside of your organization.
Generate encryption keys
You must manage a key pair to lock and unlock the appliance. When creating and managing keys, consider the following:
- When you unlock your appliance, the private key you enter must match the public key from the key pair used when the appliance was locked. Attempting to unlock the appliance with a private key that does not match the key pair results in an error.
- Losing the private key after the appliance is locked causes the Transfer Appliance to be permanently locked. The data can then only be recovered if the appliance is sent back to the Google data center.
- Keys must be stored in a secure location. Do not store keys on the appliance or the appliance disk during lock/unlock.
Generate a public/private key pair using OpenSSL
Generate a private key with the RSA algorithm and a key size of at least 2048 bits. Use the following command:
openssl genrsa -out yourcompany.key 2048
This command generates a private key named yourcompany.key in the current directory (-out yourcompany.key) using the RSA algorithm (genrsa) with a key length of 2048 bits (2048). Use the following command to view the raw, encoded contents of the private key:
cat yourcompany.key
Extract your public key
The private key file also contains the public key material, so the public key can be extracted from it. Use the following command to extract the public key:
openssl rsa -in yourcompany.key -pubout -out yourcompany_public.key
After the keys have been generated, each key file contains a large block of text with Begin RSA Private Key or Begin Public Key headers. Ensure that you save your public/private key pair, as you will need to provide them to enable lock/unlock.
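The generation and extraction steps above produce two files, and the unlock section below notes that a private key which does not match the locked-with public key is rejected. The following script is an added example, not part of the Transfer Appliance documentation: it runs the page's two OpenSSL commands and then checks, before anything is pasted into the appliance, that the private key meets the 2048-bit minimum and that the public key file really belongs to that private key (by comparing the RSA modulus of both). File names are the page's own; the target directory is a parameter and is assumed to be a secure location off the appliance.

```shell
#!/bin/sh
# Added example (not from the Transfer Appliance docs): generate the key pair with
# the page's two openssl commands, then verify (a) the private key is at least 2048
# bits and (b) the public key file belongs to the private key, before locking.
# File names are the page's; the target directory is an assumed secure location.
set -eu

# Run the page's two commands, writing both files into the given directory.
generate_keypair() {
  dir="$1"
  openssl genrsa -out "$dir/yourcompany.key" 2048 2>/dev/null
  openssl rsa -in "$dir/yourcompany.key" -pubout -out "$dir/yourcompany_public.key" 2>/dev/null
}

# Print the modulus size in bits of an RSA private key (e.g. 2048).
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed only when the private key's modulus equals the public key's modulus,
# i.e. the two files form one key pair. An unreadable file yields an empty
# modulus, which is rejected rather than compared.
keys_match() {
  priv_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null || true)
  pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null || true)
  [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# Full pre-lock check: prints a verdict and returns non-zero on any failure.
prelock_check() {
  priv="$1"; pub="$2"
  bits=$(key_bits "$priv")
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
    echo "FAIL: private key is ${bits:-unreadable}, need at least 2048 bits" >&2
    return 1
  fi
  if ! keys_match "$priv" "$pub"; then
    echo "FAIL: $pub does not belong to $priv; unlocking with this pair would error" >&2
    return 1
  fi
  echo "OK: $bits-bit RSA key pair, public key matches private key"
}

# Demo: ./keycheck.sh demo  (writes the pair into a temporary directory)
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  generate_keypair "$work"
  prelock_check "$work/yourcompany.key" "$work/yourcompany_public.key"
  echo "keys written to $work; move them to secure storage, not onto the appliance"
fi
```

The modulus comparison is the standard way to confirm that two PEM files are one RSA pair, and it works whichever PEM header the private key carries: OpenSSL 1.x writes the Begin RSA Private Key form the page mentions, while OpenSSL 3 writes a PKCS#8 Begin Private Key block by default and only produces the older form with the -traditional option. Run the check on the pair you intend to keep, then store both files off the appliance as the page requires.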
Lock an appliance
Use the following command to enable lock:
ta lock
When the following command prompt appears, paste the public key that was extracted earlier:
Paste public encryption key here: When finished, press Enter, ctrl + ], and Enter again...
Include the key's headers and footers when pasting the key. If the key is incorrect, the command prompt appears again until the correct key has been entered.
You have now successfully locked your appliance.
Unlock an appliance
To unlock your appliance, you need the private key that you generated to lock the appliance.
ta unlock
When the following command prompt appears, paste the private key that was generated when you first used OpenSSL to generate the public/private key pair:
Paste private RSA encryption key here: When finished, press Enter, ctrl+ ], and Enter again...
Include the key's headers and footers when pasting the key. If the key is incorrect, the command prompt appears again until the correct key has been entered.
You have now successfully unlocked the Transfer Appliance and can access data again.
Update network settings
Optional: After ta unlock succeeds, you are prompted to run a command to reconfigure network settings. An example of a possible command is:
ta config --data_Port=QSFP --ip=dhcp --network_only
Note that the --network_only flag is necessary; otherwise all config settings, including NFS mounts and data mounts, are reconfigured.