HP 8/80 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 27
Data encryption key life cycle management
View all HP 8/80 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 27 highlights
Data encryption key life cycle management 1 Data encryption key life cycle management Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed. To be sure the data remains accessible, DEKs may also need to be stored for years or decades. Key management systems provide life cycle management for all DEKs created by the encryption engine. Key management systems are provided by third party vendors. Figure 4 shows the relationship of the LAN connections to the key vault and between encryption nodes. Key Management System Node 1 EE LAN Management Group Node 2 Node 3 EE EE Group Leader IO Sync LAN Node 4 EE FIGURE 4 LAN connections to the key vault, and between encryption nodes Regardless of the length of the life cycle, there are four stages in the life of a DEK, as shown in Figure 5. A DEK is created by an encryption engine, distributed, and stored in a key vault. The key is used to encrypt and decrypt data at least once, and possibly many times. A DEK may be configured to expire in a certain time frame, or it may become compromised. Under those conditions, it must be used one more time to decrypt the data, and the resulting cleartext is encrypted with a new key (re-keyed). Fabric OS Encryption Administrator's Guide 9 53-1001864-01