HP STORAGEWORKS MSL4048, STORAGEWORKS MSL2024, STORAGEWORKS 1/8 G2, STORAGEWORKS MSL8096 User Manual

HP StorageWorks 1/8 G2 and MSL Encryption Kit User guide
Part number: AM495-96001
First edition: June 2008
Legal and notice information
© Copyright 2008 Hewlett-Packard Development Company, L.P.
12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Microsoft, Windows, Windows XP, and Windows NT are U.S. registered trademarks of Microsoft Corporation.
Adobe and Acrobat are trademarks of Adobe Systems Incorporated.
Java is a US trademark of Sun Microsystems, Inc.
Oracle is a registered US trademark of Oracle Corporation, Redwood City, California.
UNIX is a registered trademark of The Open Group.
Printed in the US

Contents

About this guide
Intended audience
Prerequisites
Related documentation
Document conventions and symbols
HP technical support
Customer self repair
Product warranties
Subscription service
HP websites
Documentation feedback
1 Features and overview
Considerations for using the Encryption Kit
LTO-4 tape drives and encryption
Requirements for using the Encryption Kit
Autoloader or Library firmware requirements
Tape drive and drive firmware requirements
Access to the USB port
The key server token LED
The keys on the key server token
The token data backup and restore processes
Scenario 1
Scenario 2
Scenario 3
2 Creating your key management processes
When to create a new encryption key
Enabling automatic generation of new keys
Backing up the key server token data
Managing the token password (PIN)
Naming key server tokens
Maintaining encryption capability in the event of a power loss
3 Installing and configuring the Encryption Kit
Identifying product components
Preparing the Autoloader or Library
Log in to the remote management interface
Verify your Autoloader or Library firmware version
Locate the USB port
Preparing the key server tokens
Configuring encryption
Insert the key server token
Enter the PIN
Configure the encryption mode and features
Backing up the key server token data
4 Using the Encryption Kit
Entering the PIN
Changing the PIN
Generating a new encryption key
Enabling or disabling encryption
Backing up the token data
Restoring the token data
Restoring encrypted data
When to obtain a new key server token
Restoring encrypted data during disaster recovery
Using the Encryption Kit with logical libraries
Restoring the encryption configuration after a chassis or library controller replacement
5 Troubleshooting
Installation problems
The Library does not have a USB port
Operation problems
Encryption token LED
Troubleshooting table
Error codes
Warning events and messages
Index

Figures

1 Configuration: Security tab
2 USB port location
3 Key server token LED
4 RMI Status: Security page showing the Current key and key creation dates
5 Encryption Kit components
6 RMI Configuration: Security tab
7 USB port location
8 Inserting the key server token
9 Security Configuration pane of the Configuration: Security page
10 Generate a new write key pane of the Configuration: Security page
11 Back up Token to File pane of the Configuration: Security page
12 Restore Token from File pane of the Configuration: Security page
13 Configuration: Security page
14 RMI Logout link
15 Changing the PIN in the Configuration: Security page
16 Generating a new encryption key in the Configuration: Security page
17 Enabling encryption in the Configuration: Security page
18 Back up Token to File pane of the Configuration: Security page
19 Restore Token from File pane of the Configuration: Security page
20 Restore Token from File pane of the RMI Configuration: Security page
21 RMI Configuration: Save/Restore tab
22 USB port location

Tables

1 Document conventions
2 Token status
3 Example token data backup processes
4 Troubleshooting table
5 Error codes
6 Warning events and messages

About this guide

This guide provides information about:
•Developing key management processes.
•Configuring the Tape Autoloader or Tape Library to implement the security policy based on the Encryption Kit.
•Using and administering the Tape Autoloader or Tape Library with the Encryption Kit.
•Troubleshooting problems with the Tape Autoloader or Tape Library when using the Encryption Kit.

Intended audience

This guide is intended for system administrators with knowledge of:
•Tape Autoloader or Tape Library administration and operation
•Security policies and procedures

Prerequisites

Prerequisites for using this product include:
•An HP StorageWorks 1/8 G2 Tape Autoloader, or MSL2024, MSL4048, or MSL8096 Tape Library with at least one LTO-4 tape drive installed.

Related documentation

The following documents provide related information:
•HP StorageWorks 1/8 G2 Tape Autoloader user and service guide
•HP StorageWorks MSL2024, MSL4048, and MSL8096 user and service guide
You can find these documents from the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
In the Storage section, click Tape Storage and Media and then select your product.

Document conventions and symbols

Table 1 Document conventions
Convention | Element
Blue text: Table 1 | Cross-reference links and e-mail addresses
Blue, underlined text: http://www.hp.com | Website addresses
Bold text | Keys that are pressed; text typed into a GUI element, such as a box; GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes
Italic text | Text emphasis
Monospace text | File and directory names; system output; code; commands, their arguments, and argument values
Monospace, italic text | Code variables; command variables
Monospace, bold text | Emphasized monospace text
CAUTION:
Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT:
Provides clarifying information or specific instructions.
NOTE:
Provides additional information.
TIP:
Provides helpful hints and shortcuts.

HP technical support

For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
•Product model names and numbers
•Technical support registration number (if applicable)
•Product serial numbers
•Error messages
•Operating system type and revision level
•Detailed questions

Customer self repair

HP customer self repair (CSR) programs allow you to repair your StorageWorks product. If a CSR part needs replacing, HP ships the part directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your HP-authorized service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider, or see the CSR website:
http://www.hp.com/go/selfrepair
This product has no customer replaceable components.

Product warranties

For information about HP StorageWorks product warranties, see the warranty information website:
http://www.hp.com/go/storagewarranty

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/e-updates
After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources.

HP websites

For additional information, see the following HP websites:
•http://www.hp.com
•http://www.hp.com/go/storage
•http://www.hp.com/service_locator
•http://www.hp.com/support/manuals
•http://www.hp.com/support/downloads
•http://www.hp.com/go/tape

Documentation feedback

HP welcomes your feedback.
To make comments and suggestions about product documentation, please send a message to storagedocsFeedback@hp.com. All submissions become the property of HP.

1 Features and overview

IMPORTANT:
The Encryption Kit provides secure encryption of your data using key server tokens and passwords. A thorough understanding and proper use of the Encryption Kit operation will maintain the security of your data and ensure that only qualified persons have access to the data. Managing your key server tokens and passwords is critical for preventing unauthorized data access and for avoiding the inability of qualified personnel to access data from tapes. Read and understand this Encryption Kit user guide before enabling encryption.
The HP StorageWorks 1/8 G2 & MSL LTO-4 Encryption Kit provides secure generation and storage of encryption keys. The Encryption Kit may be used with any HP StorageWorks 1/8 G2 Tape Autoloader or the MSL2024, MSL4048, and MSL8096 Tape Library with at least one LTO-4 tape drive. The Encryption Kit may not be used with the MSL6000.
The Encryption Kit includes two USB key server tokens. One key server token is intended as backup for the other.
To use the Encryption Kit, a key server token is inserted in the USB port on the back of the Autoloader or Library, and encryption is enabled and configured from the remote management interface (RMI).
The Encryption Kit supports your manual security policies and procedures by providing secure storage for encryption keys. Access to the key server tokens and their backup files is protected with user-specified passwords. You will need to create processes to protect the tokens and secure the passwords.
The Encryption Kit requires support from the Autoloader or Library firmware and the tape drive firmware. See “Autoloader or Library firmware requirements” on page 13 and “Tape drive and drive firmware requirements” on page 13. You can download Autoloader or Library firmware files from the HP Support website at http://www.hp.com/support.
IMPORTANT:
When encryption is enabled with the Encryption Kit, the Autoloader or Library will not use encryption keys from other sources, such as a key management system or application software. Disable encryption in applications writing to the Autoloader or Library when encryption is enabled with the Encryption Kit. Applications that attempt to control encryption while encryption is enabled with the Encryption Kit will not be able to do so, which can cause backups or other write operations to fail.

Considerations for using the Encryption Kit

The purpose of encryption is to protect data from unauthorized access and use. For LTO-4 tape drives, the encryption algorithm is based on encryption keys. With the Encryption Kit, the encryption keys are stored on the key server token and access to the keys is protected by a password.
To enable, disable, and configure encryption on the Tape Autoloader or Library, you must also be logged into the Autoloader or Library remote management interface (RMI) using the administrator password for the Autoloader or Library.
To write encrypted data, you must have the key server token and the password for the key server token. Only one encryption key is used on a tape cartridge. If the tape cartridge contains previously-encrypted data, a key server token with the key for the tape must be in the Autoloader or Library.
To read encrypted data, you must have a key server token with the key for the tape and the password for the key server token. The association between the encryption key and the tape is not stored on either the key server token or the tape.
CAUTION:
If you lose the key server tokens and token backup files associated with a tape, neither you nor HP will be able to recover the encryption keys that were stored on the tokens. HP recommends that the second key server token be used as a backup of the first key server token, and that one of the tokens be stored off site in a secure location.
If you lose the password to the key server token, neither you nor HP will be able to recover or reset the password to access the encryption keys. Without the password you will not be able to recover the data from tapes using the encryption keys on the token. HP recommends that you keep the password in a secure location, and that at least one copy of the password be kept off site in a secure location.
If the key server token is removed or becomes dislodged from the USB port on the back of the Autoloader or Library, the tape drive will not be able to read or write encrypted data. This could cause your backup or other data operation to fail.
Reading encrypted data from a tape cartridge requires the tape cartridge, a key server token with the encryption key for the tape, the password for the key server token, and the administrator password for an Autoloader or Library. To prevent unauthorized access to your data, HP recommends keeping these items in safe and secure locations.
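Because neither the token nor the tape records which key belongs to which tape, that record and the custody of tokens and passwords have to be tracked by the operator. The following is an added example, not part of the HP guide or the product: a small audit over such a record that flags tapes at risk under the cautions above. Site names, token labels, and barcodes are constructed assumptions.

```python
from dataclasses import dataclass

PRIMARY_SITE = "datacenter"  # assumed name of the site where the library runs


@dataclass(frozen=True)
class KeyCopy:
    """A key server token or token backup file (labels are operator-assigned)."""
    label: str
    site: str                   # where this copy is stored
    password_sites: frozenset   # sites holding a record of its password


def audit_tape(copy_labels, inventory):
    """Return the list of recovery risks for one tape.

    copy_labels: labels of every token or backup file recorded as holding the
    tape's key. The token and the tape do not store this association, so the
    operator's own record is the only source for it.
    """
    copies = [inventory[l] for l in copy_labels if l in inventory]
    if not copies:
        return ["no key copy recorded: cannot tell which token reads this tape"]
    findings = []
    usable = [c for c in copies if c.password_sites]
    if not usable:
        findings.append("no password recorded for any key copy")
    if len(copies) < 2:
        findings.append("single key copy: no backup token or backup file")
    if all(c.site == PRIMARY_SITE for c in copies):
        findings.append("no key copy stored off site")
    pw_sites = set().union(*(c.password_sites for c in usable))
    if usable and pw_sites <= {PRIMARY_SITE}:
        findings.append("no password copy stored off site")
    return findings


def audit(tape_records, inventory):
    """Map each tape barcode to its findings, omitting tapes with none."""
    report = {}
    for barcode, labels in tape_records.items():
        findings = audit_tape(labels, inventory)
        if findings:
            report[barcode] = findings
    return report


# Constructed sample inventory and tape records (not from the guide).
INVENTORY = {c.label: c for c in [
    KeyCopy("TOKEN-A", "datacenter", frozenset({"datacenter", "vault"})),
    KeyCopy("TOKEN-B", "vault", frozenset({"datacenter", "vault"})),
    KeyCopy("TOKEN-C", "datacenter", frozenset({"datacenter"})),
]}
TAPES = {
    "EXAMPLE01": ["TOKEN-A", "TOKEN-B"],   # mirrored pair, one off site
    "EXAMPLE02": ["TOKEN-C"],              # one copy, everything on site
    "EXAMPLE03": [],                       # nobody recorded which token was used
}

if __name__ == "__main__":
    for barcode, findings in audit(TAPES, INVENTORY).items():
        for finding in findings:
            print(f"{barcode}: {finding}")
```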

LTO-4 tape drives and encryption

The LTO-4 tape drives include hardware capable of encrypting data while writing data, and decrypting data when reading. Hardware encryption can be used with or without compression while maintaining the full speed and capacity of the LTO-4 tape drive and media.
NOTE:
LTO-4 tape drives will only write encrypted data to LTO-4 tapes. LTO-4 tape drives cannot write encrypted data to LTO-3 tapes.
Encryption is the process of changing data into a form that cannot be read until it is deciphered with the key used to encrypt the data, protecting the data from unauthorized access and use. LTO-4 tape drives use the 256-bit version of the industry-standard AES encrypting algorithm to protect your data.
Your company policy will determine when and how to use encryption. For example, encryption may be mandatory for company confidential and financial data, but not for personal data. Company policy will also define how encryption keys should be generated and managed, how frequently they should be changed, and how passwords are managed.
Encryption is primarily designed to protect the media once it is offline and to prevent it from being accessed by unauthorized users. You will be able to read and append the encrypted media as long as a key server token containing the correct key is installed and the appropriate passwords are available.
For more information about AES encryption, encryption keys, and using hardware encryption with your HP Ultrium tape drive, see the White Papers at http://h18006.www1.hp.com/storage/tapewhitepapers.html.
NOTE:
Some earlier LTO-4 tape drive firmware revisions may not support the Encryption Kit functionality. Before enabling encryption, verify that the tape drive has firmware that supports the Encryption Kit. See “Tape drive and drive firmware requirements” on page 13 and update the firmware if necessary.

Requirements for using the Encryption Kit

Using the Encryption Kit requires support from the Autoloader or Library firmware and the tape drive firmware, as well as access to the USB port on the back of the Autoloader or Library.
Autoloader or Library firmware requirements
To see whether your Library or Autoloader firmware supports the Encryption Kit, log into the remote management interface (RMI) for your product. If the RMI has a Status: Security tab, the firmware supports the Encryption Kit.
Figure 1 Configuration: Security tab
If your Autoloader or Library does not have the Status: Security tab, you must download and install the current Autoloader and Library firmware. You can download Autoloader or Library firmware files from the HP Support website at http://www.hp.com/support.
Tape drive and drive firmware requirements
The Autoloader or Library must have at least one LTO-4 tape drive. LTO-1, LTO-2, and LTO-3 tape drives do not support native encryption and cannot be used to encrypt or decrypt data with the Encryption Kit. When encryption is enabled, only LTO-4 tapes can be written in LTO-4 tape drives.
NOTE:
Verify that the tape drive has the correct firmware before enabling encryption. If you enable encryption with earlier versions of firmware, the Autoloader or Library will disable the tape drive port.
The tape drive must have the following or later versions of tape drive firmware:
Tape drive | Parallel SCSI | SAS | Fibre Channel
Ultrium 1760 | W22W | U26W | Not Applicable
Ultrium 1840 | B45W | Not Applicable | H44W
To find the version of firmware on your tape drive, see “Verify your Autoloader or Library firmware version” on page 23.
NOTE:
With the above LTO-4 tape drive firmware revisions, the Autoloader or Library will NOT allow LTO-3 media in LTO-4 tape drives when encryption is enabled with the Encryption Kit. Always ensure that your tape drive has the most recent firmware version. You can download tape drive firmware files from the HP Support website at http://www.hp.com/support.

Access to the USB port

To use the key server tokens included in the Encryption Kit, the USB port on the back of the Autoloader or Library must be accessible. On some MSL2024 and MSL4048 Libraries you may need to remove the silver tape covering the USB port.
Figure 2 USB port location

The key server token LED

The key server token has a green status LED, which is visible through the token label.
Figure 3 Key server token LED
Table 2 Token status
LED behavior | Token status
On | The token is ready to be used by the Autoloader or Library.
Off | The token is not receiving power and must be fully inserted into the Autoloader or Library USB port.
Flashing | The device with the USB port does not have software to communicate with the key server token. If this occurs when the key server token is plugged into the Autoloader or Library, update the Autoloader or Library firmware to the current version.
See “Encryption token LED” on page 37 for additional information about the key server token LED.
NOTE:
The key server token is not a USB flash drive and its contents cannot be read by devices other than the Autoloader or Library.

The keys on the key server token

The Encryption Kit key server token generates, stores, and retrieves keys used both to encrypt data and to decrypt data. The same key is used as both the encryption key and the decryption key for a tape, but different tapes may use different keys.