
HP Secure Encryption
Installation and User Guide
Abstract
This document includes feature, installation, and configuration information about HP Smart Encryption and is for the person who installs, administers,
and troubleshoots servers and storage systems. HP assumes you are qualified in the servicing of computer equipment and trained in recognizing
hazards in products with hazardous energy levels.
January 2014
Edition: 1

© Copyright 2014 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
Microsoft® is a U.S. registered trademark of Microsoft Corporation. Google™ is a trademark of Google Inc.

Contents
Overview
    About HP Secure Encryption
        Benefits
        Encryption features
        Solution components
Planning
    Encryption setup guidelines
    Recommended security settings at remote sites
    Encrypted backups
    Security domains
    Deployment scenarios
        Remote and local key management requirements
Configuration
    Local key management mode
        Configuring the controller (local mode)
    Remote Key Management Mode
        Configuring Remote Key Management Mode
Operations
    Accessing Encryption Manager
        Opening Encryption Manager
        Logging into Encryption Manager
    Managing passwords
        Set or change the Crypto Officer password
        Set or change the password recovery question
        Set or change user account password
        Set or change the controller password
        Suspending the controller password
        Resuming the controller password
    Working with keys
        Changing the Master Encryption Key
        Rekeying the Drive Encryption Keys
        Rescanning keys
    Creating a plaintext volume
    Converting plaintext volumes into encrypted volumes
    Changing key management modes
    Enabling/disabling plaintext volumes
    Enabling/disabling the firmware lock
    Enabling/disabling local key cache
    Importing drive sets in Local Key Management Mode
        Importing drives with different Master Keys
Maintenance
    Controllers
        Clearing the controller
        Replacing an encrypted controller
        Replacing a server while retaining the controller
        Preconfiguring replacement components
        Flashing firmware
    Drives
        Replacing a physical drive
        Validating the number of encrypted drives for license compliance
    Groups
        Locating groups associated with a drive
    Displaying log information
    Running queries
Troubleshooting
    Common issues
        Lost or forgotten Crypto Officer password
        Lost or forgotten controller password
        Lost or forgotten Master Key
        Forgotten which Master key goes with which drive
        Logical drives remain offline
        Master key not exporting
    Testing the connection between HP iLO and the HP ESKM 3.1
    Potential errors encountered
    Clearing the encryption configuration
Support and other resources
    Before you contact HP
    HP contact information
Appendix
    Encryption algorithms
Glossary
Documentation feedback
Index


Overview
About HP Secure Encryption
HP Secure Encryption is a controller-based, enterprise-class data encryption solution that protects data at rest
on bulk storage HDDs and SSDs attached to an HP Smart Array Px3x controller. The solution is compatible
with HP key manager products and can operate with or without the presence of a key manager in the
environment, depending on individual customer settings.
HP Secure Encryption provides encryption for data at rest as an important component for complying with
data privacy requirements found in government regulations like HIPAA and Sarbanes-Oxley. HP Secure
Encryption secures any data deemed sensitive and requiring extra levels of protection through the
application of XTS-AES 256-bit data encryption. Many companies subject to government regulations require that
sensitive privacy data be secured and uncompromised using NIST-approved algorithms and
methodologies for key management. As a result, HP has applied for FIPS-140-2 Level 2 validation for
controllers supporting encryption. For more information, see the Implementation Guidance for FIPS PUB
140-2 and the Cryptographic Module Validation Program on the National Institute of Standards and
Technology website (http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf).
The core components for HP Secure Encryption are the following:
• An HP ProLiant Gen8 server. For more information, see "HP ProLiant Gen8 servers (on page 8)".
• HP Smart Array Px3x controller. For a list of currently supported controllers, see "HP Smart Array
Controller (on page 9)."
• HP Secure Encryption license, per drive
• HP Smart Storage Administrator, version 1.50 or later
• Compatible SAS/SATA HDD and SSD drives
• Compatible storage enclosure
HP Secure Encryption can operate in Remote Key Management Mode, or Remote Mode, through the use of
a separate, clustered, appliance-based server called the HP Enterprise Secure Key Manager 3.1. The HP ESKM
3.1 manages all encryption keys throughout the data center. When utilizing the HP ESKM 3.1, the
communication path between the HP ESKM 3.1 and the HP Smart Array Px3x controller is established
through the HP iLO interface. The controller communicates with the HP ESKM 3.1 as new keys are generated
and as old keys are retired. The HP ESKM 3.1 acts as a key vault where all keys are managed via a web
browser interface. For more information about the HP ESKM 3.1, see "HP Enterprise Secure Key Manager
3.1 (on page 10)." For more information about HP iLO connectivity, see "HP iLO (on page 10)."
The additional components required for operating HP Secure Encryption in Remote Mode are the following:
• Integrated Lights Out (iLO) Advanced or Scale Out Edition license, per ProLiant Gen8 server
• HP Enterprise Secure Key Manager 3.1
HP Secure Encryption can also operate without an attached key management solution through Local Key
Management Mode, or Local Mode.