HP Enterprise Secure Key Manager User's Guide

HP StoreEver MSL Tape Libraries Encryption Key Server Configuration Guide
Abstract
This document includes information on configuring HP StoreEver 1/8 G2 Tape Autoloader and MSL Tape Libraries for supported encryption key servers, including the HP Enterprise Secure Key Manager (ESKM) and KMIP-based key servers. This document is intended for system administrators experienced with configuring tape libraries and encryption key servers.
You can always download the most up-to-date firmware files from http://www.hp.com/support. See the user and service guide for your product for instructions on updating firmware.
© Copyright 2014 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Warranty
WARRANTY STATEMENT: To obtain a copy of the warranty for this product, see the warranty information website:
http://www.hp.com/go/storagewarranty

Contents

1 Introduction...............................................................................................4
Using an encryption key server...................................................................................................4
Considerations for using an encryption key server.........................................................................5
Media compatibility for drives supporting encryption.....................................................................5
Licensing.................................................................................................................................5
Installing the encryption license..............................................................................................6
2 HP Enterprise Secure Key Manager (ESKM) integration....................................7
3 KMIP-based key server integration..............................................................12
Creating the client user name and password on the server...........................................................12
Configuring the KMIP feature for the MSL6480...........................................................................13
Using the KMIP Wizard......................................................................................................14
Configuring the KMIP feature for the 1/8 G2 Tape Autoloader and other MSL Tape Libraries...........17
Set or enter the KMIP security password................................................................................17
Entering the KMIP client credentials......................................................................................18
Generating the client certificate request.................................................................................18
Signing the client certificate on the server..............................................................................19
Installing the signed client certificate.....................................................................................19
Configuring access to the key servers....................................................................................21
Enabling KMIP-based encryption..........................................................................................21
4 Verifying that the encryption key server integration is working........................23
Connectivity test.....................................................................................................................23
Basic encryption test...............................................................................................................25
Failover test...........................................................................................................................25
5 Support and other resources......................................................................27
Contacting HP........................................................................................................................27
Typographic conventions.........................................................................................................27
6 Documentation feedback...........................................................................28
Contents 3

1 Introduction

This document includes information about configuring and using encryption key servers with the 1/8 G2 Tape Autoloader and MSL Tape Libraries with LTO-4 and later generation tape drives. The LTO-4 and later generation tape drives include hardware capable of encrypting data while it is being written, and decrypting data when reading. Hardware encryption can be used with or without compression while maintaining the full speed and capacity of the tape drive and media.
NOTE: An LTO-4 or later generation tape drive will not write encrypted data to an LTO-3 or earlier generation tape. For additional compatibility information, see Media compatibility (page 5).
Encryption is the process of changing data into a form that cannot be read until it is deciphered with the key used to encrypt the data, protecting the data from unauthorized access and use. LTO-4 and later generation tape drives use the 256-bit version of the industry-standard AES encrypting algorithm to protect your data.
Your company policy will determine when and how to use encryption. For example, encryption may be mandatory for company confidential and financial data, but not for personal data. Company policy will also define how encryption keys should be generated and managed, how frequently they should be changed, and how passwords are managed.
Encryption is primarily designed to protect the media once it is offline and to prevent it from being accessed by unauthorized users. You will be able to read and append the encrypted media as long as a key server token containing the correct key is installed and the appropriate passwords are available.
For more information about AES encryption, encryption keys, and using hardware encryption with your HP Ultrium tape drive, see the White Papers at http://h18006.www1.hp.com/storage/tapewhitepapers.html.

Using an encryption key server

When a key manager is enabled and properly configured, tape data will automatically be encrypted with keys delivered from the key manager. Tapes are encrypted on a key-per-tape basis. Some key managers support additional options, such as having a key per partition.
Write and append operations: The tape drive will request a key when data is written. The tape library, acting as an intermediary, may request the key manager to create a key. The library then obtains that key and delivers it to the tape drive. The key is identified by a name, which is associated with the media identifier. The key is retained in the tape drive until the tape is unloaded.
Read operations: The tape drive will request a key. The tape library, acting as an intermediary, obtains the key identifier, requests that key from the key manager, and delivers it to the tape drive. The key is retained in the tape drive until the tape is unloaded and is used for any remaining read operations.
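The write and read key flows described above, modelled as an added Python example (not HP's code and not the ESKM or KMIP API). A constructed in-memory key server stands in for the key manager, the key name is derived from the media identifier by an assumed convention, the library brokers every key, and a read against a key server that never issued the tape's key fails, which is the situation the "key server token containing the correct key" sentence refers to.

```python
import secrets


class KeyManager:
    # Constructed in-memory stand-in for the key server (ESKM or KMIP); keys are held by name.
    def __init__(self):
        self._keys = {}

    def create_key(self, name):
        # One 256-bit AES key per tape; the name binds it to the media identifier.
        if name in self._keys:
            raise ValueError(f"key {name!r} already exists")
        self._keys[name] = secrets.token_bytes(32)
        return self._keys[name]

    def get_key(self, name):
        if name not in self._keys:
            raise KeyError(f"key server holds no key named {name!r}")
        return self._keys[name]


def key_name_for(media_id):
    # Assumed naming convention; the page only says the name is tied to the media identifier.
    return f"tape-{media_id}"


class Library:
    # The library is the intermediary; drive_key models the key held in the drive until unload.
    def __init__(self, key_manager):
        self.key_manager = key_manager
        self.drive_media, self.drive_key = None, None

    def mount_for_write(self, media_id):
        name = key_name_for(media_id)
        try:
            key = self.key_manager.get_key(name)     # append: the tape already has a key
        except KeyError:
            key = self.key_manager.create_key(name)  # first write: ask the server to create one
        self.drive_media, self.drive_key = media_id, key
        return name

    def mount_for_read(self, media_id):
        # Without the key on the server the tape stays unreadable (KeyError propagates).
        key = self.key_manager.get_key(key_name_for(media_id))
        self.drive_media, self.drive_key = media_id, key
        return key

    def unload(self):
        self.drive_media, self.drive_key = None, None  # the key does not outlive the mount
```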
HP Enterprise Secure Key Manager (ESKM)
All ESKM versions support the ESKM encryption protocol, which can be used by the MSL6480 and requires an ESKM Encryption license for the library.
ESKM 4.0 and later versions also support the KMIP protocol, which can be used by the 1/8 G2 Tape Autoloader and the MSL2024, MSL4048, MSL6480, MSL8048, and MSL8096 Tape Libraries. Accessing the ESKM 4.0 with the KMIP protocol requires a KMIP Encryption license for the library.
The same ESKM 4.0 server can serve libraries configured to use the ESKM protocol and libraries configured to use the KMIP protocol at the same time. Use the protocol that corresponds with the encryption license for your library.
For configuration information, see “HP Enterprise Secure Key Manager (ESKM) integration” (page 7) or “KMIP-based key server integration” (page 12).
KMIP-based key servers
The 1/8 G2 Tape Autoloader and the MSL2024, MSL4048, MSL6480, MSL8048, and MSL8096 Tape Libraries support integration with non-HP key servers through the KMIP protocol. This requires a KMIP Encryption license for the library. For configuration information, see “KMIP-based key server integration” (page 12).

Considerations for using an encryption key server

The libraries only support the configuration of one encryption key method at a time. For example, if the library is configured to obtain encryption keys from an encryption key server, it will not also be able to obtain encryption keys from the HP MSL Encryption Kit nor from a backup application.

Media compatibility for drives supporting encryption

Table 1 Media compatibility

Media                     | LTO-4 drive                    | LTO-5 drive                    | LTO-6 drive
LTO-1 media               | Incompatible                   | Incompatible                   | Incompatible
LTO-2 media               | Read only                      | Incompatible                   | Incompatible
LTO-3 media               | Read/Write (no encryption)     | Read only                      | Incompatible
LTO-4 media — unencrypted | Read/Write                     | Read/Write                     | Read only
LTO-4 media — encrypted   | Read/Write with encryption key | Read/Write with encryption key | Read only with encryption key
LTO-5 media — unencrypted | Incompatible                   | Read/Write                     | Read/Write
LTO-5 media — encrypted   | Incompatible                   | Read/Write with encryption key | Read/Write with encryption key
LTO-6 media — unencrypted | Incompatible                   | Incompatible                   | Read/Write
LTO-6 media — encrypted   | Incompatible                   | Incompatible                   | Read/Write with encryption key

Licensing

The KMIP and ESKM features require that the applicable license for the library be installed before the feature can be enabled and configured.

Table 2 KMIP and ESKM encryption licenses

License name                                        | Part number | Libraries
HP StoreEver MSL6480 KMIP 1.2 Key Manager License   | D4T76A      | MSL6480
HP StoreEver MSL6480 KMIP 1.2 Key Manager E-License | D4T76AAE    | MSL6480
HP StoreEver MSL6480 ESKM Encryption License        | TC469A      | MSL6480
HP StoreEver MSL6480 ESKM Encryption E-License      | TC469AAE    | MSL6480
HP StoreEver MSL2024/4048/8096 KMIP License         | TC468A      | 1/8 G2 Tape Autoloader, MSL2024, MSL4048, MSL8096
HP StoreEver MSL2024/4048/8096 KMIP E-License       | TC468AAE    | 1/8 G2 Tape Autoloader, MSL2024, MSL4048, MSL8096

Installing the encryption license

The license is installed from the library RMI or with HP Command View for Tape Libraries version 3.7 or later.
MSL6480
Install the license from the Configuration > System > License Key Handling screen. Enter the License Key and then click Add License.
1/8 G2 Tape Autoloader and MSL2024, MSL4048, and MSL8096
Install the license from the RMI Configuration: License Key page. Enter the key and then press Submit.

2 HP Enterprise Secure Key Manager (ESKM) integration

The MSL6480 library supports integration of all versions of the ESKM using the ESKM protocol. Integration with the ESKM allows encryption keys and encrypted tapes to be shared with the ESL G3 and other tape libraries that support the ESKM.
NOTE: If you are using ESKM 4.0 with the KMIP protocol, see the configuration instructions in “KMIP-based key server integration” (page 12).
With the ESKM Wizard you can configure use of the HP Enterprise Secure Key Management server with the MSL6480. Access the wizard from the Encryption menu on the RMI, which is only available to the security user and requires that the ESKM license has been added from the Configuration > System > License Key Handling screen. For licensing information, see “Licensing” (page 5).
NOTE: The library only allows one encryption key manager type to be used at a time. For example, if ESKM is enabled and in use, the MSL Encryption Kit cannot also be used for encryption key generation and retrieval.
For additional information on configuring ESKM for use with the library, see the HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries.
Before running the wizard, verify that:
• The library configuration is complete, including defining all library partitions.
• A 2048-bit server certificate for each HP ESKM device in the cluster has been created.
• The ESKM server certificate has been signed by the Certificate Authority (CA) you intend to use and has been installed on the ESKM.
• SSL is enabled on the ESKM KMS server.
• The HP ESKM Management Console is open and ready for use. The ESKM Management Console and library RMI are used together to configure the library for ESKM.
• All tape drives are empty.
• The necessary license has been installed in the library. For licensing information and instructions on installing the license, see “Licensing” (page 5).
Using the ESKM Wizard
1. From the MSL6480 RMI, click Encryption > ESKM Wizard to start the wizard.
2. The Wizard Information screen displays information about the wizard. If the library configuration is complete, click Next.
3. The Certificate Authority Information screen displays prerequisites for using the ESKM certificate. When the prerequisites are met, click Next.
4. The Certificate Authority Certificate Entry screen displays instructions for obtaining the certificate for the ESKM server. Follow the instructions to copy the certificate from the management console. Paste the certificate into the wizard and then click Next.
5. The Library Certificate Information screen displays prerequisites for generating and signing the certificate for the library. When you have verified that SSL has been enabled on the ESKM device and that the ESKM management console is open and ready for use, click Next.
6. In the ESKM Client Configuration screen enter the username and password that the library will use to communicate with the ESKM.
NOTE: This username and password must match the client username and password created on the ESKM server.
If the username and password have not already been set up on the ESKM device, follow the instructions in the HP Enterprise Secure Key Manager User Guide to create a client account for the library.
Enter the client username and password, and then click Next.
7. The Certificate Generation screen displays the current library certificate, if one exists. Select whether to keep the current certificate or generate a new one and then click Next.