Dell PowerVault ML6000, PowerVault TL2000, PowerVault TL4000, PowerVault Encryption Key Manager User Manual
Dell™PowerVault™Encryption Key Manager
User's Guide
© 2007, 2010 Dell Inc. All rights reserved.
Information in this document is subject to change without notice.
Reproduction in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
Trademarks used in this text: Dell, the DELL logo and PowerVault are trademarks of Dell Inc.
Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks
and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than
its own.
Contents
Figures ...............v
Tables ...............vii
Preface ...............ix
About this Book .............ix
Who Should Read this Book ........ix
Conventions and Terminology Used in this Book ix
Attention Notice .............ix
Related Publications ............x
Linux Information ...........x
Microsoft Windows Information .......x
Online Support ............x
Read this First............xi
Contacting Dell .............xi
Chapter 1. Tape Encryption Overview 1-1
Components ..............1-1
Managing Encryption ...........1-2
Application-Managed Tape Encryption ....1-4
Library-Managed Tape Encryption .....1-5
About Encryption Keys ..........1-5
Chapter 2. Planning Your Encryption
Key Manager Environment ......2-1
Encryption Setup Tasks at a Glance ......2-1
Encryption Key Manager Setup Tasks ....2-1
Planning for Library-Managed Tape Encryption 2-1
Hardware and Software Requirements .....2-2
Linux Solution Components .......2-2
Windows Solution Components ......2-3
Keystore Considerations ..........2-3
The JCEKS Keystore ..........2-3
Encryption Keys and the LTO 4 and LTO 5 Tape
|
Drives ...............2-4
Backing up Keystore Data ........2-5
Multiple Key Managers for Redundancy . . . 2-7
Encryption Key Manager Server Configurations 2-7
Disaster Recovery Site Considerations .....2-9
Considerations for Sharing Encrypted Tapes Offsite 2-9
Federal Information Processing Standard 140-2
Considerations.............2-10
Chapter 3. Installing the Encryption
Key Manager and Keystores .....3-1
Downloading the Latest Version Key Manager ISO
|
Image................3-1
|
Installing the Encryption Key Manager on Linux 3-1
Installing the Encryption Key Manager on
Windows ...............3-2
Using the GUI to Create a Configuration File,
Keystore, and Certificates .........3-5
Generating Keys and Aliases for Encryption on
LTO4andLTO5............3-9
|
Creating and Managing Key Groups .....3-14
Chapter 4. Configuring the Encryption
Key Manager ............4-1
Using the GUI to Configure the Encryption Key
Manager ...............4-1
Configuration Strategies ..........4-1
Automatically Update Tape Drive Table....4-1
Synchronizing Data Between Two Key Manager
Servers ..............4-2
Configuration Basics ...........4-3
Chapter 5. Administering the
Encryption Key Manager.......5-1
Starting, Refreshing, and Stopping the Key
Manager Server .............5-1
The Command Line Interface Client ......5-5
CLI Commands .............5-7
Chapter 6. Problem Determination . . 6-1
Check These Important Files for Encryption Key
Manager Server Problems .........6-1
Debugging Communication Problems Between the
CLI Client and the EKM Server .......6-2
Debugging Key Manager Server Problems ....6-2
Encryption Key Manager-Reported Errors ....6-5
Messages ...............6-9
Config File not Specified .........6-9
Failed to Add Drive ..........6-10
Failed to Archive the Log File ......6-10
Failed to Delete the Configuration .....6-10
Failed to Delete the Drive Entry ......6-11
Failed to Import ...........6-11
Failed to Modify the Configuration .....6-11
File Name Cannot be Null ........6-11
File Size Limit Cannot be a Negative Number 6-12
No Data to be Synchronized .......6-12
Invalid Input ............6-12
Invalid SSL Port Number in Configuration File 6-13
Invalid TCP Port Number in Configuration File 6-13
Must Specify SSL Port Number in
Configuration File ..........6-13
Must Specify TCP Port Number in
Configuration File ..........6-14
Server Failed to Start .........6-14
Sync Failed .............6-14
The Specified Audit Log File is Read Only . . 6-15
Unable to Load the Admin Keystore ....6-15
Unable to load the keystore .......6-16
Unable to Load the Transport Keystore . . . 6-16
Unsupported Action ..........6-16
iii
Chapter 7. Audit Records ......7-1
Audit Overview ............7-1
Audit Configuration Parameters .......7-1
Audit.event.types ...........7-1
Audit.event.outcome ..........7-2
Audit.eventQueue.max .........7-2
Audit.handler.file.directory ........7-2
Audit.handler.file.size..........7-3
Audit.handler.file.name .........7-3
Audit.handler.file.multithreads .......7-4
Audit.handler.file.threadlifespan ......7-4
Audit Record Format ...........7-4
Audit Points in the Encryption Key Manager . . 7-5
Audit Record Attributes .........7-5
Audited Events .............7-7
Linux Platforms ...........A-1
Sample Configuration Files.........A-1
Appendix B. Encryption Key Manager
Configuration Properties Files ....B-1
Encryption Key Manager Server Configuration
Properties File .............B-1
CLI Client Configuration Properties File ....B-9
Appendix C. Frequently Asked
Questions .............C-1
Notices ..............D-1
Trademarks ..............D-1
Chapter 8. Using Metadata ......8-1
Appendix A. Sample Files ......A-1
Sample startup daemon script ........A-1
Glossary .............E-1
Index ...............X-1
iv
Dell Encryption Key Mgr User's Guide
Figures
1-1. The Encryption Key Manager’s four main
components ...........1-2
1-2. Two possible locations for encryption policy
engine and key management. .....1-4
1-3. Encryption Using Symmetric Encryption
|
|
|
|
||
||
|
||
Keys..............1-6
2-1. LTO 4 or LTO 5 Tape Drive Request for
Encryption Write Operation ......2-4
2-2. LTO 4 or LTO 5 Tape Drive Request for
Encryption Read Operation ......2-5
2-3. Backup Critical Files Window .....2-6
2-4. Single Server Configuration ......2-7
2-5. Two Servers with Shared Configurations 2-8
2-6. Two Servers with Different Configurations
Accessing the Same Devices ......2-9
3-1. Choose Destination Location window 3-3
3-2. Set this version of JVM to default 3-3
3-3. Start Copying Files window ......3-4
3-4. EKM Server Configuration Page.....3-6
3-5. EKM Server Certificate Configuration Page 3-7
3-6. Backup Critical Files Window .....3-8
3-7. Create a Group of Keys .......3-15
3-8. Change Default Write Key Group 3-16
3-9. Assign Group to Drive .......3-17
3-10. Delete Drive ...........3-18
5-1. Server Status ...........5-1
5-2. Login Window ..........5-2
v
vi Dell Encryption Key Mgr User's Guide
Tables
1. Typographic Conventions used in this Book ix
1-1. Encryption Key Summary .......1-7
2-1. Minimum Software Requirements for Linux 2-2
2-2. Minimum Software Requirements for
Windows ............2-3
6-1. Errors that are reported by the encryption
key manager ...........6-5
7-1. Audit record types that the Encryption Key
Manager writes to audit files ......7-5
7-2. Audit record types by audited event 7-7
8-1. Metadata Query Output Format .....8-2
vii
viii Dell Encryption Key Mgr User's Guide
Preface
About this Book
This manual contains information and instructions necessary for the installation
and operation of the Dell
procedures pertaining to:
|
v Encryption-capable LTO 4 and LTO 5 Tape Drives
v Cryptographic keys
v Digital certificates
™
Encryption Key Manager. It includes concepts and
Who Should Read this Book
This book is intended for storage and security administrators responsible for
security and backup of vital data, and anyone assisting in the setup and
maintenance of Encryption Key Manager servers in the operating environment. It
assumes the reader has a working knowledge of storage devices and networks.
Conventions and Terminology Used in this Book
This book uses the following typographic conventions:
Table 1. Typographic Conventions used in this Book
Convention Usage
bold Bold words or characters represent system
elements that you must use literally, such as
command names, file names, flag names,
path names, and selected menu options.
constant width Examples, text specified by the user, and
information that the system displays appear
in constant width typeface.
italic Italicized words or characters represent
variable values that you must supply.
[item] Indicates optional items.
{item} Encloses a list from which you must choose
an item in format and syntax descriptions.
| A vertical bar separates items in a list of
choices.
<Key> Indicates keys you press.
Attention Notice
An attention notice indicates the possibility of damage to a program, device,
system, or to data. An exclamation point symbol may accompany an attention
notice, but is not required. Sample attention notices follow:
Attention: If you use a power screwdriver to perform this
procedure it could destroy the tape.
ix
Related Publications
Refer to the following publications for more information:
v Getting Started with the Dell™PowerVault™TL2000 and TL4000 Tape Libraries
provides installation information.
™
v Dell
provides supported SCSI commands and protocol governing the behavior of
SCSI interface.
Linux Information
Red Hat Information
The following URL relates to Red Hat Linux®systems:
v http://www.redhat.com
SuSE Information
The following URL relates to SuSE Linux systems:
v http://www.suse.com
Microsoft Windows Information
The following URL provides access to information about Microsoft®Windows
systems:
v http://www.microsoft.com
PowerVault™TL2000 Tape Library and TL4000 Tape Library SCSI Reference
®
Online Support
Visit http://support.dell.com for the following related publication:
Dell Encryption Key Manager Quick Start Guide provides information for setting
up a basic configuration.
Visit http://www.dell.com for the following related publication:
The Library Managed Encryption for Tape white paper suggests best practices for
LTO tape encryption.
x Dell Encryption Key Mgr User's Guide
Read this First
Contacting Dell
For customers in the United States, call 800-WWW-DELL (800-999-3355).
Note: If you do not have an active Internet connection, you can find contact
Dell provides several online and telephone-based support and service options.
Availability varies by country and product, and some services may not be available
in your area. To contact Dell for sales, technical support, or customer service
issues:
1. Visit http://support.dell.com.
2. Verify your country or region in the Choose A Country/Region drop-down
3. Click Contact Us on the left side of the page.
4. Select the appropriate service or support link based on your need.
5. Choose the method of contacting Dell that is convenient for you.
information on your purchase invoice, packing slip, bill, or Dell product
catalog.
menu at the bottom of the page.
xi
xii Dell Encryption Key Mgr User's Guide
Chapter 1. Tape Encryption Overview
Data is one of the most highly valued resources in a competitive business
environment. Protecting that data, controlling access to it, and verifying its
authenticity while maintaining its availability are priorities in our
security-conscious world. Data encryption is a tool that answers many of these
needs. The Dell Encryption Key Manager (referred to as the Encryption Key
Manager from this point forward) simplifies encryption tasks.
|
|
|
|
The LTO 4 and LTO 5 drives are capable of encrypting data as it is written to any
LTO 4 and LTO 5 Data Cartridges. This new capability adds a strong measure of
security to stored data without the processing overhead and performance
degradation associated with encryption performed on the server or the expense of
a dedicated appliance.
The tape drive encryption solution comprises three major elements:
The Encryption-Enabled Tape Drive
All LTO 4 and LTO 5 Tape Drives must be enabled through the library
interface.
See “Hardware and Software Requirements” on page 2-2 for more information
on tape drives.
Encryption Key Management
Encryption involves the use of several kinds of keys, in successive layers. The
generation, maintenance, control, and transmission of these keys depends upon
the operating environment where the encrypting tape drive is installed. Some
applications are capable of performing key management. For environments
without such applications or those where application-agnostic encryption is
desired, Dell Encryption Key Manager performs all necessary key management
tasks. “Managing Encryption” on page 1-2 describes these tasks in more detail.
Encryption Policy
This is the method used to implement encryption. It includes the rules that
govern which volumes are encrypted and the mechanism for key selection.
How and where these rules are set up depends on the operating environment.
See “Managing Encryption” on page 1-2 for more information.
Components
The Encryption Key Manager is part of the Java environment and uses the Java
Security components for its cryptographic capabilities. (For more information on
the Java Security components please see the related publications section.) The
Encryption Key Manager has three main components that are used to control its
behavior. These components are:
Java security keystore
The keystore is defined as part of the Java Cryptography Extension (JCE)
and an element of the Java Security components, which are, in turn, part of
the Java runtime environment. A keystore holds the certificates and keys
(or pointers to the certificates and keys) used by the Encryption Key
Manager to perform cryptographic operations. Several types of Java
keystores are supported offering different operational characteristics to
meet your needs. These characteristics are discussed in detail in “Keystore
1-1
Considerations” on page 2-3.
It is impossible to overstate the importance of preserving your keystore data.
Without access to your keystore you will be unable to decrypt your
encrypted tapes. Please carefully read the topics below to understand the
methods available for protecting your keystore data.
Configuration files
The configuration files allow you to customize the behavior of the
Encryption Key Manager to meet the needs of your organization. These
behavioral choices are described extensively in this document, first in
Chapter 2, “Planning Your Encryption Key Manager Environment,” on
page 2-1, then in the Chapter 4, “Configuring the Encryption Key
Manager,” on page 4-1, and later in Appendix B where the full set of
configuration options is described.
Tape drive table
The tape drive table is used by the Encryption Key Manager to keep track
of the tape devices it supports. The tape drive table is a non-editable,
binary file whose location is specified in the configuration file. You can
change its location to meet your needs.
KeyGroups.xml file
This password-protected file contains the names of all encryption key
groups and the aliases of the encryption keys associated with each key
group.
Encryption Key Manager
Generates encryption keys
and manages their transfer
to and from tape devices
Config
File
Holds public/private key
pairs and certificates
Figure 1-1. The Encryption Key Manager’s four main components
Key
store
Key
Groups
Organizes
encryption
keys into
groups
Managing Encryption
The Dell Encryption Key Manager is a Java™software program that assists
encryption-enabled tape drives in generating, protecting, storing, and maintaining
encryption keys that are used to encrypt information being written to, and decrypt
information being read from, tape media (tape and cartridge formats). The
Encryption Key Manager operates on Linux (SLES and RHEL) and Windows, and
is designed to run in the background as a shared resource deployed in several
Records Keystore location and
defines
Encryption Key
Manager
behavior
Drive
Table
Tracks which tape
devices
Manager
Encryption Key
supports
a14m0234
1-2 Dell Encryption Key Mgr User's Guide
locations within an enterprise. A command line interface client provides a robust
set of commands to customize the Encryption Key Manager for your environment
and monitor its operation. Many customization and monitoring functions are also
available on the Dell Encryption Key Manager graphical user interface (GUI). The
Encryption Key Manager uses one or more keystores to hold the certificates and
keys (or pointers to the certificates and keys) required for all encryption tasks. See
“Keystore Considerations” on page 2-3 for detailed information.
IMPORTANT Encryption Key Manager HOST SERVER CONFIGURATION
INFORMATION: It is recommended that machines hosting the Dell
Encryption Key Manager program use ECC memory in order to minimize
the risk of data loss. The Encryption Key Manager performs the function of
requesting the generation of encryption keys and passing those keys to the
|
LTO 4 and LTO 5 tape drives. The key material, in wrapped (encrypted
form) resides in system memory during processing by the Encryption Key
Manager. Note that the key material must be transferred without error to the
appropriate tape drive so that data written on a cartridge may be recovered
(decrypted). If for some reason key material is corrupted due to a bit error in
system memory, and that key material is used to write data to a cartridge,
then the data written to that cartridge will not be recoverable (i.e. decrypted
at a later date). There are safeguards in place to make sure that such data
errors do not occur. However, if the machine hosting the Encryption Key
Manager is not using Error Correction Code (ECC) memory there remains a
possibility that the key material may become corrupted while in system
memory and the corruption could then cause data loss. The chance of this
occurrence is small, but it is always recommended that machines hosting
critical applications (like the Encryption Key Manager) use ECC memory.
The Encryption Key Manager acts as a background process awaiting key
generation or key retrieval requests sent to it through a TCP/IP communication
path between itself and the tape library. When a tape drive writes encrypted data,
it first requests an encryption key from the Encryption Key Manager. Upon receipt
of the request, the Encryption Key Manager performs the following tasks.
The Encryption Key Manager fetches an existing AES key from a keystore and
wraps it for secure transfer to the tape drive where it is unwrapped upon arrival
and used to encrypt the data being written to tape.
|
When an encrypted tape is read by an LTO 4 or LTO 5 drive, the Encryption Key
Manager fetches the required key from the keystore, based on the information in
the Key ID on the tape, and serves it to the tape drive wrapped for secure transfer.
There are two methods of encryption management to choose from. These methods
differ in where the encryption policy engine resides, where key management is
performed for your solution, as well as how the Encryption Key Manager is
connected to the drive. Your operating environment determines which is the best
for you. Key management and the encryption policy engine may be located in any
one of the following two environmental layers.
Chapter 1. Tape Encryption Overview 1-3
Policy
Application
Data Path
or
Library
Policy
Library Drive Interface
Figure 1-2. Two possible locations for encryption policy engine and key management.
Application Layer
An application program, separate from the key manager, initiates data transfer
for tape storage. See “Application-Managed Tape Encryption” for supported
applications.
Library Layer
The enclosure for tape storage, such as the Dell PowerVault TL2000/TL4000
and ML6000 family. A modern tape library contains an internal interface to
each tape drive within it.
Data Path
a14m0252
Application-Managed Tape Encryption
This method is best where operating environments run an application already
capable of generating and managing encryption policies and keys. Policies
specifying when encryption is to be used are defined through the application
interface. The policies and keys pass through the data path between the application
layer and the encrypting tape drives. Encryption is the result of interaction
between the application and the encryption-enabled tape drive, and does not
require any changes to the system and library layers. Since the application
manages the encryption keys, volumes written and encrypted using the application
method can only be read using the application-managed encryption method, by
the same application that wrote them.
Encryption Key Manager is not required by, or used by, application-managed
tape encryption.
The following minimum version applications can be used to manage encryption:
v CommVault Galaxy 7.0 SP1
v Symantec Backup Exec 12
1-4 Dell Encryption Key Mgr User's Guide
|
Application-managed tape encryption is supported in LTO 4 and LTO 5 Tape
Drives in:
v Dell
v Dell
v Dell™PowerVault™ML6000 Tape Library
See your tape backup software application documentation to learn how to manage
encryption policies and keys.
Library-Managed Tape Encryption
|
Use this method for LTO 4 and LTO 5 tape drives in the Dell™PowerVault
TL2000 Tape Library, Dell™PowerVault™TL4000 Tape Library, or Dell
PowerVault™ML6000 Tape Library. Key generation and management is performed
by the Encryption Key Manager, a Java application running on a library-attached
host. Policy control and keys pass through the library-to-drive interface, therefore
encryption is transparent to the applications.
About Encryption Keys
An encryption key is a random string of bits generated specifically to scramble and
unscramble data. Encryption keys are created using algorithms designed to ensure
that each key is unique and unpredictable. The longer the key constructed this
way, the harder it is to break the encryption code. Both the IBM and T10 methods
of encryption use 256-bit AES algorithm keys to encrypt data. 256-bit AES is the
encryption standard currently recognized and recommended by the U.S.
government, which allows three different key lengths. 256-bit keys are the longest
allowed by AES.
™
PowerVault™TL2000 Tape Library
™
PowerVault™TL4000 Tape Library
™
™
Two types of encryption algorithms are used by the Encryption Key Manager:
symmetric algorithms and asymmetric algorithms. Symmetric, or secret key
encryption, uses a single key for both encryption and decryption. Symmetric key
encryption is generally used for encrypting large amounts of data in an efficient
manner. 256-bit AES keys are symmetric keys. Asymmetric, or public/private
encryption, uses a pair of keys. Data encrypted using one key can only be
decrypted using the other key in the public/private key pair. When an asymmetric
key pair is generated, the public key is used to encrypt, and the private key is
used to decrypt.
The Encryption Key Manager uses both symmetric and asymmetric keys;
symmetric encryption for high-speed encryption of user or host data, and
asymmetric encryption (which is necessarily slower) for protecting the symmetric
key.
Encryption keys may be generated for the Encryption Key Manager by a utility
such as keytool. The responsibility for generating AES keys and the manner in
which they are transferred to the tape drive depends on the method of encryption
management. However, it may be helpful to understand the difference between
how the Encryption Key Manager uses encryption keys and how other applications
use them.
Encryption Key Processing by the Dell Encryption Key Manager
|
|
In library-managed tape encryption, unencrypted data is sent to the LTO 4 or LTO
5 Tape Drive and converted to ciphertext using a pre-generated symmetric Data
Key (DK) from a keystore available to the Encryption Key Manager, and is then
Chapter 1. Tape Encryption Overview 1-5
written to tape. The Encryption Key Manager selects a pre-generated DK in round
robin fashion. DKs are reused on multiple tape cartridges when an insufficient
|
number of DKs have been pre-generated. The DK is sent to the LTO 4 or the LTO 5
tape drive in encrypted or wrapped form by the Encryption Key Manager. The
|
|
|
LTO 4 and LTO 5 tape drives unwrap this DK and use it to perform encryption or
decryption. However, no wrapped key is stored anywhere on the LTO 4 or the
LTO 5 tape cartridges. After the encrypted volume is written, the DK must be
accessible based on the alias or key label, and available to the Encryption Key
Manager in order for the volume to be read. Figure 1-3 illustrates this process.
The Dell Encryption Key Manager also gives you the ability to organize your
symmetric keys for LTO encryption into key groups. In this way, you can group
keys according to the type of data they encrypt, the users who have access to
them, or by any other meaningful characteristic. See “Creating and Managing Key
Groups” on page 3-14 for more information.
Encryption Key Processing by Other Applications
|
|
In application-managed tape encryption, unencrypted data is sent to the LTO 4 and
LTO 5 Tape Drives and converted to ciphertext using a symmetric DK provided by
the application, and is then written to tape. The DK is not stored anywhere on the
tape cartridge. Once the encrypted volume is written, the DK must be in a location
available to the application, a server database, for example, in order for the volume
to be read.
|
LTO 4 and LTO 5 Tape Drives can use applications such as Yosemite (for Dell
PowerVault TL2000 and TL4000 Tape Libraries), CommVault, and Symantec
Backup Exec for application-managed encryption.
|
Alternatively, LTO 4 and LTO 5 Tape Drives can be used by applications that use
the T10 command set to perform encryption. The T10 command set uses symmetric
256-bit AES keys provided by the application. T10 can use multiple, unique DKs
per tape cartridge, and even write encrypted data and clear data to the same tape
cartridge. When the application encrypts a tape cartridge, it selects or generates a
DK using a method determined by the application and sends it to the tape drive.
The key is not wrapped with an asymmetric public key and it is not stored on the
tape cartridge. Once the encrypted data is written to tape, the DK must be in a
location available to the application in order for the data to be read.
The process for application-managed and library-managed encryption tape
encryption is shown in Figure 1-3.
Clear
Data
DK
Figure 1-3. Encryption Using Symmetric Encryption Keys. Library-Managed and Application-Managed Encryption on
LTO 4 and LTO 5 Tape Drives.
|
1-6 Dell Encryption Key Mgr User's Guide
E {data,DK}
sym
Cipher
Tex t
Encrypted
Tape
a14m0236
In Summary
The number of encryption keys that may be used for each volume depends on the
tape drive, the encryption standard, and method used to manage the encryption.
|
||
For transparent encryption of LTO 4 and LTO 5, (that is, using library-managed
encryption with the Encryption Key Manager,) the uniqueness of DKs depends on
the availability of a sufficient number of pre-generated keys to the Encryption Key
Manager.
Table 1-1. Encryption Key Summary
Encryption Management
Method
Library-Managed Encryption 1 DK / cartridge N/A
Application-Managed
Encryption
DK = Symmetric AES 256-bit DK
IBM Encryption T10 Encryption
Multiple DKs / cartridge Multiple DKs / cartridge
Keys used by
Chapter 1. Tape Encryption Overview 1-7
1-8 Dell Encryption Key Mgr User's Guide
Chapter 2. Planning Your Encryption Key Manager
Environment
This section is intended to provide information to allow you to determine the best
Encryption Key Manager configuration for your needs. Many factors must be
considered when you are planning how to set up your encryption strategy.
Encryption Setup Tasks at a Glance
Before you can use the encryption capability of the tape drive, certain software and
hardware requirements must be met. The following checklists are intended to help
you meet these requirements.
Encryption Key Manager Setup Tasks
Before you can encrypt tapes, the Encryption Key Manager must first be
configured and running so that it can communicate with the encrypting tape
drives. The Encryption Key Manager need not be running while tape drives are
being installed, but it must be running in order to perform encryption.
v Decide what system platform(s) to use as Encryption Key Manager server(s).
v Upgrade server operating system if necessary. (See “Hardware and Software
Requirements” on page 2-2.)
v Install Java Unrestricted Policy Files. (See “Hardware and Software
Requirements” on page 2-2.)
v Upgrade the Encryption Key Manager JAR. (See “Downloading the Latest
|
Version Key Manager ISO Image” on page 3-1.)
v Create keys, certificates, and key groups.
“Using the GUI to Create a Configuration File, Keystore, and Certificates” on
page 3-5
“Creating and Managing Key Groups” on page 3-14
v These steps are not required if you follow the procedure in “Using the GUI to
Create a Configuration File, Keystore, and Certificates” on page 3-5, unless you
wish to take advantage of additional configuration options:
– If necessary, import keys and certificates. (See “Importing Data Keys Using
Keytool -importseckey ” on page 3-12.)
– Define the configuration properties file. (See Chapter 4, “Configuring the
Encryption Key Manager,” on page 4-1.)
– Define tape drives to the Encryption Key Manager or set
drive.acceptUnknownDrives configuration property value on. (See
“adddrive” on page 5-8 to define drives explicitly, or see “Automatically
Update Tape Drive Table” on page 4-1.)
– Start the Encryption Key Manager server. (See “Starting, Refreshing, and
Stopping the Key Manager Server” on page 5-1.)
– Start the command line interface client. (See “The Command Line Interface
Client” on page 5-5.)
Planning for Library-Managed Tape Encryption
In order to perform encryption, you require:
|
v Encryption-capable LTO 4 and LTO 5 Tape Drive(s)
2-1
v Keystore
v Dell Encryption Key Manager
Library-Managed Tape Encryption Tasks
|
|
1. Install and cable the LTO 4 and LTO 5 Tape Drive(s).
v Update library firmware (TL2000, TL4000, ML6000 where necessary). Visit
http://support.dell.com.
™
– Dell
PowerVault™TL2000 Tape Library minimum required firmware
version = 5.xx.
™
– Dell
PowerVault™TL4000 Tape Library minimum required firmware
version = 5.xx.
™
– Dell
PowerVault™ML6000 Tape Library Family minimum required
firmware version = 415G.xxx.
v Update tape drive firmware if necessary The minimum required firmware
version is 77B5.
2. Enable LTO 4 and LTO 5 Tape Drives and Tape Library for library-managed
tape encryption (see your Dell tape library information for details).
v Add Encryption Key Manager Server IP addresses
3. Use library diagnostic functions to verify Encryption Key Manager paths and
encryption configuration (see your Dell tape library information for details).
Hardware and Software Requirements
Note: Only the IBM version of the Java Runtime Environment (JRE) for each of the
following platforms supports the Encryption Key Manager.
Linux Solution Components
Operating Systems
v RHEL 4
v RHEL 5
v SLES 9
v SLES 10
|
|
v SLES 11
Encryption Key Manager (Running on Linux)
Table 2-1. Minimum Software Requirements for Linux
IBM Software
Platform
64-bit AMD/Opteron/
EM64T
®
32-bit Intel
compatible
Developer Kit Available at:
Java 6.0 SR5 http://support.dell.com
Tape Libraries
|
|
|
For the Dell PowerVault TL2000 Tape Library, TL4000 Tape Library, and ML6000
Tape Library, assure that the firmware level is the latest available. For firmware
updates, visit http://support.dell.com.
2-2 Dell Encryption Key Mgr User's Guide
Tape Drive
|
|
For the LTO 4 and LTO 5 Tape Drives, assure that the firmware level is the latest
available. For firmware updates, visit http://support.dell.com.
Windows Solution Components
Operating Systems
|
|
|
Windows Server 2003, 2008, and 2008 R2
Dell Encryption Key Manager
The minimum required version of the Encryption Key Manager is 2.1 with a build
date of 20070914 or later, and one of the following IBM Runtime Environments:
Table 2-2. Minimum Software Requirements for Windows
Operating
System IBM Runtime Environment
Windows 2003
Windows 2008
and 2008 R2
®
v IBM
v IBM 32-bit Runtime Environment for Windows, Java 2 Technology
IBM 64-bit Runtime Environment for Windows on AMD64/EM64T
architecture, Java 2 Technology Edition, Version 6.0 SR5
64-bit Runtime Environment for Windows on AMD64/EM64T
architecture, Java 2 Technology Edition, Version 5.0 SR5
Edition, Version 5.0 SR5
Tape Libraries
|
|
|
For the Dell™PowerVault™TL2000 Tape Library, Dell™PowerVault™TL4000 Tape
Library, and Dell™PowerVault™ML6000 Tape Library, assure that the firmware
level is the latest available. For firmware update, visit http://support.dell.com.
Tape Drive
|
|
For the LTO 4 and LTO 5 Tape Drives, assure that the firmware level is the latest
available. For firmware update, visit http://support.dell.com.
Keystore Considerations
The JCEKS Keystore
EKM supports the JCEKS keystore type.
JCEKS (Unix System Services file based) is a file-based keystore supported on all
platforms where EKM runs. Thus it is relatively easy to copy the contents of this
keystore for back up and recovery, and to keep two EKM instances synchronized
for failover. JCEKS provides password-based protection of the contents of the
keystore for security, and provides relatively good performance. File copy methods
such as FTP may be used.
It is impossible to overstate the importance of preserving your keystore data.
Without access to your keystore you will be unable to decrypt your
encrypted tapes. Carefully read the topics below to understand the methods
available for protecting your keystore data.
Chapter 2. Planning Your Encryption Key Manager Environment 2-3
|
Encryption Keys and the LTO 4 and LTO 5 Tape Drives
The Dell Encryption Key Manager and its supported tape drives use symmetric,
256-bit AES keys to encrypt data. This topic explains what you should know about
these keys and certificates.
|
|
|
|
|
When performing encryption tasks on the LTO 4 or LTO 5 Tape Drives for LTO
tape cartridges, Encryption Key Manager uses 256-bit AES symmetric data keys
only.
When an LTO 4 or LTO 5 requests a key, Encryption Key Manager uses the alias
specified for the tape drive. If no alias was specified for the tape drive, an alias
from a key group, key alias list, or range of key aliases specified in the
symmetricKeySet configuration property is used. Lacking a specific alias for the
tape drive, aliases are selected from the other entities in round robin fashion to
balance the use of keys evenly.
The selected alias is associated with a symmetric Data Key (DK) that was
preloaded in the keystore. Encryption Key Manager sends this DK, wrapped with
a different key that the tape drive can decrypt, to the LTO 4 or LTO 5 tape drive to
encrypt the data. The DK is not transmitted through TCP/IP in the clear. The
selected alias is also converted to an entity called Data Key identifier (DKi), which
is written to tape with the encrypted data. In this way, Encryption Key Manager
can use the DKi to identify the correct DK needed to decrypt the data when the
LTO 4 or LTO 5 tape is read.
The adddrive and moddrive topics in “CLI Commands” on page 5-7 show how to
specify an alias for a tape drive. See “Generating Keys and Aliases for Encryption
on LTO 4 and LTO 5” on page 3-9, which includes information on importing keys,
exporting keys, and specifying default aliases in the symmetricKeySet
configuration property. “Creating and Managing Key Groups” on page 3-14 shows
how to define a key group and populate it with aliases from your keystore.
Figure 2-1 shows how keys are processed for encrypted write operation.
5
DK, DKi
6
Key Manager
alias
3
DK
1
Config
File
4
Key
store
Figure 2-1. LTO 4 or LTO 5 Tape Drive Request for Encryption Write Operation
|
1. Tape drive requests key to encrypt tape
2. Encryption Key Manager verifies tape device in Drive Table
2
Drive
Table
7
2-4 Dell Encryption Key Mgr User's Guide
3. If no alias is specified in the request and no alias is specified in the drive table,
Encryption Key Manager selects an alias from the set of aliases or the key
group in the keyAliasList.
4. Encryption Key Manager fetches a corresponding DK from the keystore.
5. Encryption Key Manager converts the alias to a DKi and wraps the DK with a
key the drive can decrypt
6. Encryption Key Manager sends the DK and DKi to the tape drive
7. Tape drive unwraps the DK and writes encrypted data and DKi to tape
Figure 2-2 shows how keys are processed for encrypted read operation.
4
DK
5
Key Manager
3
DKi Alias
1
Config
File
2
Key
store
Figure 2-2. LTO 4 or LTO 5 Tape Drive Request for Encryption Read Operation
|
1. Tape drive receives read request and sends DKi to Encryption Key Manager
2. Encryption Key Manager verifies tape device in Drive Table
3. Encryption Key Manager translates DKi to alias and fetches corresponding DK
from keystore
4. Encryption Key Manager wraps the DK with a key the drive can decrypt
5. Encryption Key Manager sends the wrapped DK to tape drive
6. Tape drive unwraps the DK and uses it to decrypt the data
Drive
Table
6
Backing up Keystore Data
Note: Due to the critical nature of the keys in your keystore, it is vital that you
back up this data on a non-encrypted device so that you can recover it as
needed and be able to read the tapes that were encrypted using those
certificates associated with that tape drive or library. Failure to backup
your keystore properly will result in irrevocably losing all access to your
encrypted data.
There are many ways to backup this keystore information. Each keystore type has
it own unique characteristics. These general guidelines apply to all:
v Keep a copy of all certificates loaded into the keystore (usually a PKCS12 format
file).
v Use system backup capabilities (such as RACF) to create a backup copy of the
keystore information (be careful not to encrypt this copy using the encrypting
tape drives as it would impossible to decrypt it for recovery).
Chapter 2. Planning Your Encryption Key Manager Environment 2-5
v Maintain a primary and secondary Encryption Key Manager and keystore copy
(for backup as well as failover redundancy). Back up the keystores for both
primary and secondary for added redundancy.
v For a JCEKS keystore, simply copy the keystore file and store the clear
(unencrypted) copy in a secure location such as a vault (be careful not to encrypt
this copy using the encrypting tape drives as it would be impossible to decrypt
it for recovery).
At a minimum, you should back up your keystore data whenever you change it.
The Encryption Key Manager does not modify keystore data. The only changes to
the keystore are those that you apply, so be sure to copy the keystore as soon as
you change it.
Backing up Your Files Using the GUI
1. Open the GUI if it is not yet started:
On Windows
Navigate to c:\ekm\gui and click LaunchEKMGui.bat
On Linux platforms
Navigate to /var/ekm/gui and enter . ./LaunchEKMGui.sh
2. Select Backup Critical Files in the navigator on the left of the Encryption Key
Manager GUI.
3. Enter the path for your backup data in the displayed dialog (Figure 2-3).
Figure 2-3. Backup Critical Files Window
4. Click Backup Files.
5. An information message displays the results.
2-6 Dell Encryption Key Mgr User's Guide
a14m0241
Multiple Key Managers for Redundancy
The Encryption Key Manager is designed to work with tape drives and libraries to
allow redundancy, and thus high availability, so you can have multiple key
managers servicing the same tape drives and libraries. Moreover, these key
managers need not be on the same systems as the tape drives and libraries. The
maximum number of key managers depends on your library or proxy. The only
requirement is that they be available to the tape drives through TCP/IP
connectivity.
This allows you to have two Encryption Key Managers that are mirror images of
each other with built-in backup of the critical information about your keystores, as
well as a failover in the event one key manager becomes unavailable. When you
configure your device (or proxy) you can point it to two key managers. If one key
manager becomes unavailable for any reason, your device (or library) will simply
use the alternate key manager.
You also have the capability to keep the two Encryption Key Managers
synchronized. It is critical that you take advantage of this important function when
needed, both for its inherent backup of critical data and also for its failover
capability to avoid any outages in your tape operations. Refer to “Synchronizing
Data Between Two Key Manager Servers” on page 4-2.
Note: Synchronization does not include keystores. They must be copied manually.
Encryption Key Manager Server Configurations
The Encryption Key Manager may be installed on a single-server or on multiple
servers. The following examples show one- and two-key manager configurations
but your library may allow more.
Single-Server Configuration
A single-server configuration, shown in Figure 2-4, is the simplest Encryption Key
Manager configuration. However, because of the lack of redundancy it is not
recommended. In this configuration, all tape drives rely on a single key manager
server with no backup. Should the server go down, the keystore, configuration file,
KeyGroups.xml file, and drive table would be unavailable, making any encrypted
tape unreadable. In a single-server configuration you must ensure that backup
copies of the keystore, configuration file, KeyGroups.xml file, and drive table are
maintained in a safe place, separate from the Encryption Key Manager, so its
function can be rebuilt on a replacement server if the server copies are lost.
|
|
Figure 2-4. Single Server Configuration
|
|
Tape Library
A
Encryption
Key
Manager
Tape Library
B
Key Store
Drive Table
Config File
Key Groups
Tape Library
C
a14m0256
Chapter 2. Planning Your Encryption Key Manager Environment 2-7
Two-Server Configurations
A two-server configuration is recommended. This Encryption Key Manager
configuration will automatically failover to the secondary key manager should the
primary be inaccessible for any reason.
Note: When different Encryption Key Manager servers are used to handle requests
from the same set of tape drives, the information in the associated keystores
MUST be identical. This is required so that regardless which key manager
server is contacted, the necessary information is available to support
requests from the tape drives.
Identical configurations: In an environment with two Encryption Key Manager
servers having identical configurations, such as those shown in Figure 2-5,
processing will automatically failover to the secondary key manager should the
primary go down. In such a configuration it is essential that the two key manager
servers be synchronized. Updates to the configuration file and drive table of one
key manager server can be duplicated on the other automatically using the sync
command, but updates to one keystore must be copied to the other using methods
specific to the keystore(s) being used. The keystores and key groups XML file must
be copied manually. Refer to “Synchronizing Data Between Two Key Manager
Servers” on page 4-2 for more information.
|
Primary
Encryption
Key Manager
Tape Library
A
|
Figure 2-5. Two Servers with Shared Configurations
|
Key Store
Drive Table
Config File
Key Groups
|
Separate configurations: Two Encryption Key Manager servers may share a
common keystore and drive table yet have two different configuration files and
two different sets of key groups defined in their XML files. The only requirement is
that the keys used to serve the common tape drives must be the same for each
server. This allows each key manager server to have its own set of properties. In
this type of configuration, shown in Figure 2-6 on page 2-9, only the drive table
should be synchronized between key manager servers. (Refer to “Synchronizing
Data Between Two Key Manager Servers” on page 4-2 for more information.) Be
sure to specify sync.type = drivetab (do not specify config or all) to prevent the
configuration files from being overwritten.
Note: There is no way to partially share the configuration between servers.
=
=
Drive Table
=
Config File
=
Key Groups
Tape Library
B
Key Store
Secondary
Encryption
Key Manager
Tape Library
C
a14m0254
2-8 Dell Encryption Key Mgr User's Guide
|
Primary
Encryption
Key Manager
Key Store
Drive Table
Config File
Key Groups
=
=
=
Key Store
Drive Table
Config File
Key Groups
Secondary
Encryption
Key Manager
Tape Library
A
|
Figure 2-6. Two Servers with Different Configurations Accessing the Same Devices
|
Tape Library
B
|
Disaster Recovery Site Considerations
If you plan to use a disaster recovery (DR) site, the Encryption Key Manager
provides a number of options to enable that site to read and write encrypted tapes.
These are:
v Create a duplicate Encryption Key Manager at the DR site.
Set up a duplicate Encryption Key Manager at the DR site with the same
information as your local Encryption Key Manager (configuration file, tape drive
table, key groups XML file, and keystore). This key manager would then be in
place and capable of taking over for one of your existing production key
managers to read and write encrypted tapes.
v Create a backup copy of the three Encryption Key Manager data files to be able
to recover as needed.
If you create a current copy of the four data elements needed by the Encryption
Key Manager (configuration file, tape drive table, key groups XML file, and
keystore) then you would be able to start a key manager at any time to act as a
duplicate at the DR site. (Remember that you should not use the Encryption Key
Manager to encrypt the copies of these files as you would not be able to decrypt
it without a functioning key manager). If your DR site uses different tape drives
from your primary site, the configuration file and tape drive table must contain
the correct information for the DR site.
Tape Library
C
a14m0255
Considerations for Sharing Encrypted Tapes Offsite
Note: It is important to verify the validity of any certificate received from a
business partner by checking the chain of trust of such a certificate back to
the Certificate Authority (CA) that ultimately signed it. If you trust the CA,
then you can trust that certificate. Alternately, the validity of a certificate can
be verified if it was securely guarded in transit. Failure to verify a
certificate’s validity in one of these ways may open the door to a
“Man-in-the-Middle” attack.
|
|
Sharing LTO 4 and LTO 5 Tape
In order to share encrypted data on an LTO 4 or LTO 5 tape, a copy of the
symmetric key used to encrypt the data on the tape must be made available to the
other organization to enable them to read the tape. In order for the symmetric key
to be shared, the other organization must share their public key with you. This
public key will be used to wrap the symmetric key when it is exported from the
Encryption Key Manager keystore using keytool (see “Exporting Data Keys Using
Chapter 2. Planning Your Encryption Key Manager Environment 2-9
Keytool -exportseckey ” on page 3-12). When the other organization imports the
symmetric key into their Encryption Key Manager keystore, it will be unwrapped
using their corresponding private key (see “Importing Data Keys Using Keytool
-importseckey ” on page 3-12). This ensures that the symmetric key is safe in
transit since only the holder of the private key is able to unwrap the symmetric
key. With the symmetric key that was used to encrypt the data in their Encryption
Key Manager keystore, the other organization will then be able to read the data on
the tape.
Federal Information Processing Standard 140-2 Considerations
Federal Information Processing Standard 140-2 has become important now that the
Federal government requires all its cryptographic providers to be FIPS 140
certified. This standard has also been adopted in a growing private sector
community. The certification of cryptographic capabilities by a third party in
accordance with government standards is felt to have increased value in this
security-conscious world.
The Encryption Key Manager does not provide cryptographic capabilities itself and
therefore does not require, nor is it allowed to obtain, FIPS 140-2 certification.
However, the Encryption Key Manager takes advantage of the cryptographic
capabilities of the IBM JVM in the IBM Java Cryptographic Extension component
and allows the selection and use of the IBMJCEFIPS cryptographic provider, which
has a FIPS 140-2 level 1 certification. By setting the fips configuration parameter to
on in the Configuration Properties file, you make the Encryption Key Manager use
the IBMJCEFIPS provider for all cryptographic functions.
See the documentation from specific hardware and software cryptographic
providers for information on whether their products are FIPS 140-2 certified.
2-10 Dell Encryption Key Mgr User's Guide
Loading...