HP StorageWorks XP Data Integrity Check XP Software User Manual
HP XP P9000 DKA Encryption User Guide
Abstract
This guide describes and provides instructions for using the HP XP P9000 DKA Encryption License Key software to configure
and perform HP DKA Encryption License Key operations. The intended audience is a storage system administrator or authorized
service provider with independent knowledge of HP XP P9000 disk arrays and the HP Remote Web Console.
HP Part Number: AV400-96578
Published: July 2013
Edition: Tenth
© Copyright 2010, 2013 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
Export Requirements
You may not export or re-export this document or any copy or adaptation in violation of export laws or regulations.
Without limiting the foregoing, this document may not be exported, re-exported, transferred or downloaded to or within (or to a national resident
of) countries under U.S. economic embargo, including Cuba, Iran, North Korea, Sudan, and Syria. This list is subject to change.
This document may not be exported, re-exported, transferred, or downloaded to persons or entities listed on the U.S. Department of Commerce
Denied Persons List, Entity List of proliferation concern or on any U.S. Treasury Department Designated Nationals exclusion list, or to parties directly
or indirectly involved in the development or production of nuclear, chemical, biological weapons, or in missile technology programs as specified
in the U.S. Export Administration Regulations (15 CFR 744).
Revision History
DescriptionDateEdition
Applies to microcode version 70-01-01-00/00 or later.October 2010First
Applies to microcode version 70-01-24-00/00 or later.November 2010Second
Applies to microcode version 70-01-62-00/00 or later.January 2011Third
Applies to microcode version 70-02-01-00/00 or later.May 2011Fourth
Applies to microcode version 70-02-5x-00/00 or laterSeptember 2011Fifth
Applies to microcode version 70-03-00-00/00 or later.November 2011Sixth
Applies to microcode version 70-03-00-xx/xx or later.April 2012Seventh
Applies to microcode version 70-03-00-xx/xx or later.August 2012Eighth
Applies to microcode version 70-03-00-xx/xx or later.November 2012Ninth
Applies to microcode version 70-06-00-00/00 or later.July 2013Tenth
Contents
1 DKA Encryption Overview...........................................................................6
DKA Encryption benefits............................................................................................................6
DKA Encryption support specifications.........................................................................................6
Primary and secondary data encryption license keys.....................................................................6
KMIP key management server support.........................................................................................7
Data encryption at the parity-group level workflow........................................................................7
Data encryption on existing data workflow..............................................................................7
Disable encrypted data workflow................................................................................................7
Change data encryption license key workflow..............................................................................8
Migration practices with encryption........................................................................................8
Audit logging of encryption events..............................................................................................8
Encryption states and protection.................................................................................................8
Interoperability with other software applications............................................................................9
2 DKA Encryption Installation........................................................................10
DKA Encryption installation workflow........................................................................................10
System requirements................................................................................................................10
Enabling the DKA Encryption feature.........................................................................................10
Assigning users to user groups.................................................................................................11
3 Key Management Server Connections.........................................................12
Key management server requirements........................................................................................12
Root and client certificates...................................................................................................12
Root certificate on the key management server..................................................................12
Client certificate password..............................................................................................12
Preparing the client certificate workflow................................................................................13
Private key file creation workflow.....................................................................................13
Creating a private SSL key file........................................................................................13
Creating a public SSL key file.........................................................................................13
Converting the client certificate to the PKCS#12 format.......................................................14
Configuring the connection settings to the key management server.......................................14
Key management server settings workflow..................................................................................14
Viewing the key management server connection settings.........................................................15
Configuring the connection settings to the key management server...........................................15
4 Managing data encryption license keys.......................................................17
Data encryption license key creation workflow............................................................................17
Creating data encryption license keys...................................................................................17
Back up secondary data encryption license key workflow........................................................17
Backing up keys as a file................................................................................................18
Backing up keys to a key management server...................................................................18
Enable data encryption at the parity-group level workflow............................................................19
Enabling data encryption at the parity-group level..................................................................19
Disable data encryption at the parity-group level workflow...........................................................20
Blocking LDEVs at the parity-group level................................................................................20
Disabling data encryption at the parity-group level.................................................................21
LDEV encryption formatting at the parity-group level...............................................................21
Unblocking LDEVs at the parity-group level............................................................................22
Moving unencrypted data to an encrypted environment workflow..................................................22
Data encryption license key restoration workflow........................................................................22
Blocking LDEVs using a file.................................................................................................23
Blocking LDEVs on the key management server......................................................................23
Restoring keys from a file....................................................................................................23
Contents 3
Restoring keys from a key management server........................................................................24
Viewing backup data encryption license keys.............................................................................24
Data encryption license key change management workflow.........................................................24
Data encryption license key deletion workflow............................................................................25
Deleting data encryption license keys...................................................................................25
Deleting backup data encryption license keys from the server...................................................26
Exporting encryption license key table information......................................................................26
5 Troubleshooting........................................................................................27
Encryption events in the audit log..............................................................................................27
DKA Encryption processes that the audit log records...............................................................27
Problems and solutions............................................................................................................27
6 Support and other resources......................................................................29
Contacting HP........................................................................................................................29
Subscription service............................................................................................................29
Documentation feedback....................................................................................................29
Related information.................................................................................................................29
HP websites......................................................................................................................29
Conventions for storage capacity values....................................................................................30
Typographic conventions.........................................................................................................30
A Conventions............................................................................................32
Business Copy, Business Copy Z, and Snapshot volumes..............................................................32
B DKA Encryption GUI Reference...................................................................33
Top window when selecting Encryption Keys..............................................................................33
Summary section...............................................................................................................33
Encryption Keys tab............................................................................................................34
View Key Management Server Properties window.......................................................................34
Key Management Server Properties table..............................................................................35
Setup Key Management Server wizard......................................................................................35
Setup Key Management Server window................................................................................36
Confirm window................................................................................................................37
Create Keys wizard.................................................................................................................38
Create Keys window..........................................................................................................38
Selected Keys table on Create Keys window.....................................................................38
Confirm window................................................................................................................38
Selected Keys table on Confirm window...........................................................................39
Edit Password Policy wizard......................................................................................................39
Edit Password Policy window...............................................................................................39
Confirm window................................................................................................................40
Backup Keys to File wizard.......................................................................................................41
Backup Keys to File window................................................................................................41
Confirm window................................................................................................................42
Backup Keys to Server wizard...................................................................................................43
Backup Keys to Server window............................................................................................43
Confirm window................................................................................................................44
Restore Keys from file wizard....................................................................................................44
Restore Keys from File window.............................................................................................44
Confirm window................................................................................................................45
Restore Keys from Server wizard...............................................................................................46
Restore Keys from Server window.........................................................................................46
Confirm window................................................................................................................46
Delete Keys wizard.................................................................................................................47
Delete Keys window...........................................................................................................47
Confirm window................................................................................................................48
4 Contents
Delete Backup Keys on Server window......................................................................................48
View Backup Keys on Server window........................................................................................49
Backup Keys table..............................................................................................................50
Edit Encryption wizard.............................................................................................................50
Edit Encryption window......................................................................................................51
Available Parity Groups table.........................................................................................51
Selected Parity Groups table...........................................................................................52
Confirm window................................................................................................................53
Selected Parity Groups table...........................................................................................54
Glossary....................................................................................................55
Index.........................................................................................................56
Contents 5
1 DKA Encryption Overview
To guarantee the security of the data, use the DKA Encryption (EDKA) feature to store encrypted
data in an LDEV and encrypt them. The EDKA feature provides redundant backup and restore
capabilities to ensure data availability.
DKA Encryption benefits
Encrypting data can prevent information loss or leaks if a disk drive is physically removed from
the system. Failure, loss, or theft are the most common reasons for information loss.
The following lists the benefits of using the EDKA feature:
• Hardware-based AES 256 encryption in XTS mode for open and mainframe systems.
• You can apply encryption to some or all of the internal drives without throughput or latency
impacts for data I/O and little to no disruption to existing applications and infrastructure.
• Simplified and integrated key management that does note require specialized key management
infrastructure.
• Data-center friendliness. The EDKA feature:
Uses little additional power (equivalent of one 25 watt light bulb).◦
◦ Produces negligible amounts of additional heat.
◦ Does not require additional rack space.
DKA Encryption support specifications
The following table lists the DKA feature’s support specifications.
specifications
encrypt
Emulation type
Creating data encryption license keysManaging data
encryption license keys
Scope of data encryption license keys
SpecificationItem
Advanced Encryption Standard (AES) 256 bit.Encryption algorithmHardware
XTS mode.Encryption mode
Open, mainframe, multiplatformVolume typeLDEVs that you can
All emulation types including OPEN-V and
3390-x.
Internal LDEVs only.Internal/external LDEVs
Supported. Requires data migration.LDEV with existing data
Use Remote Web Console (RWC) to create the
data encryption license key.
Use RWC to delete data encryption license keys.Deleting data encryption license keys
32 data encryption license keys per storage
system.
Parity group.Unit of encryption/decryption
Backup/Restore functionality
Redundant (P-VOL and S-VOL) backup/restore
copies.
Primary and secondary data encryption license keys
The P9500 storage system uses the EDKA feature to set up the data encryption license keys to
encrypt and decrypt data.
6 DKA Encryption Overview
You can use the EDKA feature to back up data encryption license keys. The P9500 storage system
automatically creates a primary backup of the data encryption license key, and stores this backup
on each MP package.
You can create a secondary backup data encryption license key. The secondary backup is required
to restore the key if the primary backup is unavailable.
For more information about backing up secondary data encryption license keys, see “Back up
secondary data encryption license key workflow” (page 17).
KMIP key management server support
Using the P9500 storage system, you can create backup and restore data encryption license keys
on a key management server that supports Key Management Interoperability Protocol (KMIP).
For more information about backing up data encryption license keys to a key management server,
see “Backing up keys to a key management server” (page 18).
Data encryption at the parity-group level workflow
The EDKA feature provides data encryption at the parity-group level. Use the following process to
set up for data encryption and enable data encryption on the parity group:
1. Back up a secondary data encryption license key.
For more information about backing up secondary keys, see “Back up secondary data
encryption license key workflow” (page 17).
2. Enable data encryption at the parity-group level.
For more information about enabling data encryption at the parity-group level, see “Enabling
data encryption at the parity-group level” (page 19).
3. Format the logical devices (LDEVs) in the parity group.
For more information about formatting LDEVs at the parity-group level, see “LDEV encryption
formatting at the parity-group level” (page 21).
Data encryption on existing data workflow
Data encryption on existing data goes through the following process:
1. A new parity group is created.
For more information about creating parity groups, see the HP XP P9000 Provisioning for
Mainframe Systems User Guide.
2. Data encryption on the parity group is enabled.
For more information about enabling data encryption at the parity-group level, see “Enable
data encryption at the parity-group level workflow” (page 19).
3. The LDEVs in the encrypted parity group are formatted.
For more information about formatting LDEVs in the encrypted parity group, see “LDEV
encryption formatting at the parity-group level” (page 21).
4. The existing data is migrated to the new LDEVs in the encrypted parity group.
For more information about migrating existing data to the new LDEVs in the encrypted parity
group, see “Moving unencrypted data to an encrypted environment workflow” (page 22).
For more information about how to move unencrypted data to an encrypted environment, see
“Moving unencrypted data to an encrypted environment workflow” (page 22).
Disable encrypted data workflow
Disabling encryption goes through the following process:
KMIP key management server support 7
1. Data in the parity group is backed up.
2. Data encryption at the parity-group level is disabled.
3. The LDEVs in the parity group are formatted.
4. The LDEVs are unblocked.
For more information about disabling encryption, see “Disabling data encryption at the parity-group
level” (page 21).
Change data encryption license key workflow
You must migrate data to encrypt data with a different data encryption license key on the P9500
storage system.
For more information about migration practices with encryption, see “Migration practices with
encryption” (page 8).
Changing encryption license keys goes through the following process:
1. A new parity group is created.
2. Encryption is enabled with a new data encryption license key.
3. The LDEVs in the encrypted parity group are formatted.
4. The source data is migrated to the new target LDEVs in the encrypted parity group.
5. The data is encrypted with the new data encryption license key on the P9500 storage system.
Migration practices with encryption
Migrate encrypted source data by encrypting the target LDEV. Migrate data on a per-LDEV basis.
As a best practice, match encrypted areas with other encrypted areas. Do not mix encrypted and
unencrypted areas.
NOTE: When migrating an encrypted LUSE LDEV, migrate all LDEVs within the LUSE volume so
that you do not have encrypted and non-encrypted areas.
For more information about encrypting an LDEV, see “Enable data encryption at the parity-group
level workflow” (page 19).
Audit logging of encryption events
The P9500 storage system Audit Log feature provides audit logging of events that happen in the
system. The audit log records events related to data encryption and data encryption license keys.
For more information about audit logging, audit log events, and the Audit Log feature, see the HP
XP P9000 Remote Web Console User Guide and the HP XP P9000 Audit Log User Guide.
Encryption states and protection
Match the encryption states of the primary (P-VOL) and secondary (S-VOL), pool (pool-VOL), journal,
or virtual volume (V-VOL). The encryption states must match to copy data or differential data and
to protect the data. If the state of the P-VOL is “Encrypt”, then the state of all other LDEVs referenced
by or associated with the P-VOL should also be “Encrypt”.
This practice also applies to migration situations.
For more information about migration and encryption, see “Migration practices with encryption”
(page 8).
8 DKA Encryption Overview
Interoperability with other software applications
Use the following table to determine the interoperability of software applications with data
encryption.
Interoperability notesSoftware application
Encrypt the P-VOL and S-VOLs to ensure data security.Business Copy, Continuous Access
Synchronous, Compatible FlashCopy,
and Compatible XRC
Snapshot and Fast Snap
Continuous Access Journal
Thin Provisioning, Smart Tiers, Thin
Provisioning Z, and Smart Tiers Z
Flex Copy XP
Match the encryption states of the P-VOL and pool-VOL. If the P-VOL is
encrypted, encrypt all of the pool-VOLs. If the data pool contains
non-encrypted pool-VOL, the differential data of the P-VOL is not encrypted.
Match the encryption states of a P-VOL and S-VOL. If you encrypt the P-VOL
only, the data copied on the S-VOL is not encrypted is not protected.
When you encrypt a P-VOL or S-VOL, use a journal to which only encrypted
LDEVs are registered as journal volumes. If the encryption states of the P-VOL,
S-VOL, and journal volumes do not match, the journal data in the P-VOL is
not encrypted, and the security of the data cannot be guaranteed.
Encrypt all LDEVs to ensure all areas are encrypted.LUN Expansion (LUSE)
For more information about LUSE LDEVs and migration practices, see
“Migration practices with encryption” (page 8).
When enabling encryption for data written to a data pool with a V-VOL, use
a data pool that consists of encrypted volumes.
Encrypt the source LDEV and the target LDEV. The encryption states of the
source and target LDEVs must match for the EDKA feature to encrypt and
guarantee the security of the data on the target LDEV.
Interoperability with other software applications 9
2 DKA Encryption Installation
This chapter discusses how to install the EDKA feature.
DKA Encryption installation workflow
Use the following workflow to install the EDKA feature:
1. Ensure your system meets the system requirements.
For more information about the system requirements, see “System requirements” (page 10).
2. Ensure your product suite interoperates the way you want it to with the EDKA feature.
3. Enable the EDKA feature.
For more information about enabling the EDKA feature, see “Enabling the DKA Encryption
feature” (page 10).
4. Assign the Security Administrator (View & Modify) role to the administrator who creates, backs
up, and restores data encryption license keys.
For more information about assigning roles, see “Assigning users to user groups” (page 11).
System requirements
The following table lists the system requirements for using the EDKA feature.
P9500 storage system
Remote Web Console
P9500 storage system (Web server)
Data volumes
RequirementItem
• Microcode 70-01-0x and later.
• Microcode 70-04-0x and later if you backup and restore data
encryption license keys on a key management server.
• DKA Encryption software license.
• Virtual LVI/LUN Manager software.
• Security Administrator (View & Modify) role to enable or disable data
encryption and to back up or restore keys.
For more information about enabling data encryption, see “Enabling
the DKA Encryption feature” (page 10).
For more information about disabling data encryption, see “Disable
encrypted data workflow” (page 7).
To connect to the key management server by specifying the host name
instead of IP address, you need the DNS server settings. For P9500 storage
system configuration, give your service representative the IP address of
the DNS server.
All open-systems and mainframe host platforms are supported.Host platforms
All volume types and emulations are supported: open-systems, mainframe,
and multiplatform.
Supported volumes: Internal
Enabling the DKA Encryption feature
Enable the EDKA feature in Remote Web Console.
1. Log onto RWC.
2. Type the software license key.
10 DKA Encryption Installation
Assigning users to user groups
Assign administrator privileges to users in RWC by adding the users to a user group.
A user’s membership to a user group determines the user’s level of permission. You change these
permissions by changing the user’s membership to a user group. A user can belong to multiple
user groups.
You must have Security Administrator (View & Modify) role to assign or change a user’s role.
1. In RWC, in the resource tree, click Administration > User Groups.
2. In the User Groups tab, select the administrator user group to which to add the user and then
click Add Users.
3. In the Add User dialog box, select the user and then click Add.
4. Click Finish.
5. In the Confirm window, complete the following and then click Apply:
• Confirm the settings.
• For Task Name, type a name or description for this task.
• Select Go to tasks window for status to open the Tasks window.
The user is added as a member to the administrator user group.
Assigning users to user groups 11
3 Key Management Server Connections
You can use an optional key management server with P9500 storage systems. This chapter provides
information on how to set up the key management server.
Key management server requirements
If you are using a key management server, it must meet the following requirements:
• Protocol: Key Management Interoperability Protocol 1.0 (KMIP1.0)
• Software: SafeNet KeySecure k460 6.1.0
• Certificates:
Root certificate of the key management server (X.509)◦
◦ Client certificate in PKCS#12 format
Root and client certificates
Root and client certificates are required to connect to KMIP servers and to ensure that the network
access is good. You upload the certificates to the P9500 storage system.
To access the key management server, the client certificate must be current and not have expired.
For more information about the client certificate password in PKCS#12 format:
• Contact the key management server administrator.
• See “Client certificate password” (page 12).
To get copies of the root and client certificates, contact the key management server administrator.
For more information about uploading the client certificates, see “Converting the client certificate
to the PKCS#12 format” (page 14).
Root certificate on the key management server
If you use SafeNet KeySecure on the key management server, create and put the root certificate
on the server.
For more information about SafeNet KeySecure, see the SafeNet KeySecure k460 6.1.0
documentation.
The root certificate of the key management server must be in X.509 format.
Client certificate password
The password is a string of characters that can be zero up to 128 characters in length. Valid
characters are:
• Numbers (0 to 9)
• Upper case (A-Z)
• Lower case (a-z)
• Symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
For more information about converting the client certificate to PKCS#12 format, see “Converting
the client certificate to the PKCS#12 format” (page 14).
For more information about client certificates, see “Root and client certificates” (page 12).
12 Key Management Server Connections
Preparing the client certificate workflow
Use the following process to prepare the client certificate, which includes setting the client certificate
expiration date and password:
1. Download and install openssl.exe from http://www.openssl.org/ to the C:\openssl
folder.
2. Create the key file. You can create the following types of key files:
• Private key file.
For more information about creating a private key file, see “Creating a private SSL key
file” (page 13).
• Public key file.
For more information about creating a public key file, see “Creating a public SSL key
file” (page 13).
3. Convert the client certificate to PKCS#12 format.
For more information about converting the client certificate, see “Converting the client certificate
to the PKCS#12 format” (page 14).
4. Upload the root and client certificates to the P9500 storage system.
For more information uploading the root and client certificate, see “Converting the client
certificate to the PKCS#12 format” (page 14).
Private key file creation workflow
(Windows Vista) Prepare private and public SSL key files to use with the EDKA feature.
1. If the read-only attribute is set, release it from the c:\key folder.
2. Create the private key file.
For more information about creating a private key file, see “Creating a private SSL key file”
(page 13).
3. Create the public key file.
For more information about creating public key files, see “Creating a public SSL key file”
(page 13).
Creating a private SSL key file
Create a private SSL key file to use with the EDKA feature. A private key file has the extension
(.key).
1. Open a command prompt.
2. Move the current directory to the folder where you have saved the key file (for example, c:\
key).
3. From a command prompt, run the following command:
c:\key > c:\openssl\bin\openssl genrsa -out server.key 1024
Creating a public SSL key file
Create a public SSL key file to use with the EDKA feature. A public key file has the extension (.csr).
1. Open a command prompt.
2. Move the current directory to the folder where you have saved the key file (for example, c:\
key).
3. From a command prompt, run the following command:
c:\key > c:\openssl req -sha256 -new -key server.key -config
c:\openssl\bin\openssl.cfg -out server.csr
Key management server requirements 13
4. Complete the following information:
• Country Name (two-letter code)
• Email Address
• (Optional) Challenge password
• (Optional) Common name - To obtain a signed and trusted certificate, ensure that the
server name is the same as the host name of the storage device.
• State or Province Name
• Locality Name
• Organization Name
• Organization Unit Name
• Common Name
5. Send the public key to the Certificate Authority (CA) of the key management server, and
request that the CA issue a signed certificate. Use the signed certificate as the client certificate.
For more information, see the SafeNet KeySecure k460 6.1.0 documentation.
Converting the client certificate to the PKCS#12 format
Convert the client certificate to the PKCS#12 format, which includes uploading the client certificate
in the PKCS#12 format to the 200 Storage Virtualization System (P9500 storage system).
1. From an open command prompt, change the current directory to the folder where you want
to save the client certificate in the PKCS#12 format.
2. Move the private SSL key file (.key) and the client certificate to the folder in the current directory,
and run the command.
The following is an example for an output folder of c:\key, private key file (client.key),
and a client certificate file (client.crt:
C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey
client.key -out client.p12
3. Upload the client certificate in the PKCS#12 format to the P9500 storage system and type the
client certificate password.
For more information about uploading the client certificate, see “Converting the client certificate
to the PKCS#12 format” (page 14).
Configuring the connection settings to the key management server
Configure the connection settings to the key management server, which includes uploading the
root certificate of the key management server and the client certificate in the PKCS#12 format to
the P9500 storage system.
1. On the menu bar, click Settings > Environmental Setting > View Key Management Server
Properties.
2. In the View Key Management Server Properties window, click Setup Key Management Server.
If you have not set the connection to the key management server, a message is displayed.
Click OK.
3. In the Setup Key Management Server window, upload the root certificate of the key
management server and the client certificate in the PKCS#12 format to the P9500 storage
system.
Key management server settings workflow
To use a key management server, you must configure the connection and network settings.
14 Key Management Server Connections
For more information about the appropriate connection settings, contact the key management
server administrator. For more information about the network settings, contact your network
administrator.
Backing up connection settings to the key management server does not back up the client certificate.
Use the following process to back up the connection settings to the key management server:
NOTE: When you back up the connection settings to the key management server, the system
does not back up the client certificate. Make sure that you back up a copy of the connection settings
to the key management server and save a copy of the client certificate separately.
1. Ensure the client and root certificates are uploaded to the key management server. If the
certificates are not uploaded:
• Contact the key management server administrator.
• See “Converting the client certificate to the PKCS#12 format” (page 14).
2. Configure the connection settings to the key management server.
For more information about configuring these settings, see “Configuring the connection settings
to the key management server” (page 14).
3. Back up the connection settings to the key management server.
For more information about the tasks related to backing up the connection settings, see your
corporate security policy.
4. Confirm that you can connect to the key management server.
5. Check with the key management server administrator, then save a back up copy of the client
certificate.
6. Save a copy of the configuration files.
For more information on how to save a configuration file, see the HP XP P9000 Remote Web
Console User Guide.
Viewing the key management server connection settings
To view the key management server connection settings:
1. On the menu bar, click Settings > Environmental Setting > View Key Management Server
Properties.
2. In the View Key Management Server Properties window, view the connection settings.
Configuring the connection settings to the key management server
Configure the connection settings to the key management server to set up the key management
server and to back up the data encryption license keys to the key management server.
To connect to the key management server by host name instead of IP address, send the IP address
of the DNS server to your service representative and request that the service representative configure
the P9500 storage system.
If the key management server is unavailable after you complete this task, the settings may be
incorrect. Contact the server or network administrator.
1. View the key management server connection settings.
2. In the View Key Management Server Properties window, click Setup Key Management Server.
3. In the displayed message, if you have not set the connection to the key management server,
click OK.
Key management server settings workflow 15
4. In the Setup Key Management Server window, complete the following:
• Specify the options to connect to the key management server.
• If the key management server is already in use, click Check to test the connection.
Otherwise, click Finish.
Error messages appear if the server configuration test fails.
5. In the Confirm window, to backup data encryption license keys to the key management server,
click Next. Otherwise, complete the following and then click Apply:
• Confirm the settings.
• For Task Name, type a name or description for this task.
• Select Go to tasks window for status to open the Tasks window.
The connection to the key management server is set up.
16 Key Management Server Connections
4 Managing data encryption license keys
This chapter provides information on how to manage data encryption license keys. Managing the
keys includes ensuring availability of keys and accessibility to the encrypted or decrypted data.
Manage data encryption license keys using the EDKA feature in the P9500 storage system.
You must have the Security Administrator (View & Modify) role to manage data encryption license
keys.
Data encryption license key creation workflow
Create a data encryption license key to use with the EDKA feature.
Use the following process to create a data encryption license key:
1. Create the data encryption license key or group of keys.
For more information about creating keys, see “Creating data encryption license keys”
(page 17).
2. Back up a secondary data encryption license key.
Schedule regular backups of all of your data encryption license keys at the same time one
time every week to ensure data availability.
For more information about backing up secondary keys, see “Back up secondary data
encryption license key workflow” (page 17).
Creating data encryption license keys
If you need to change a data encryption license key, create a new data encryption license key.
You can create up to 32 data encryption license keys per storage system. Keep at least two keys
unused at all times so that you can change an existing key.
1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. In the Encryption Keys table, select an unused key ID to use as the new data encryption license
key and then complete one of the following:
• Click Create Keys.
• Click Settings > Security > Encryption Keys > Create Keys.
4. In the Create Keys window of the Create Keys wizard, click Finish.
5. In the Confirm window of the Create Keys wizard, complete the following and then click Apply:
• Confirm the settings.
• For Task Name, type the task name.
• (Optional) Select Go to tasks window for status to open the Tasks window.
The new data encryption license key is created.
Back up secondary data encryption license key workflow
The P9500 storage system automatically creates a primary backup of the data encryption license
key. Back up a secondary data encryption license key.
CAUTION: Securely store the secondary backup data encryption license key. Include this process
in your corporate security policy.
If the primary data encryption license key becomes unavailable and a secondary backup data
encryption license key does not exists, the system cannot decrypt encrypted data.
Data encryption license key creation workflow 17
Loading...