HP Cisco MDS 9020 Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 117
Master Key Security Modes
Chapter 6 Cisco SME Key Management
OL-18091-01, Cisco MDS NX-OS Release 4.x, Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, page 6-3

To recover encrypted data-at-rest from a specific tape, you need access to the keys that are created for the specific tape cartridge. Because the master key is used to protect all other keys, Cisco SME provides three master key security modes to protect the master key: Basic, Standard, and Advanced. During cluster configuration, you designate the level of security for the master key. Table 6-1 describes the three master key security modes.

Basic security writes the encrypted master key to a disk. To unlock the master key, you need access to the file. The file is encrypted and requires a password to retrieve the master key.

The Standard and Advanced security modes require the use of smart cards to access the master key. If you select Standard security, you will need one smart card to unlock the master key. If you select Advanced security during cluster configuration, you are prompted to set the minimum number of required smart cards that would unlock the master key.

Table 6-1 describes the master key security modes.

Table 6-1 Master Key Security Levels

Security Level: Definition

Basic: The master key is stored in a file and encrypted with a password. To retrieve the master key, you need access to the file and the password.

Standard: Standard security requires one smart card. When you create a cluster and the master key is generated, you are asked for the smart card. The master key is then written to the smart card. To retrieve the master key, you need the smart card and the smart card PIN.

Advanced: Advanced security requires five smart cards. When you create a cluster and select Advanced security mode, you designate the number of smart cards (two or three of five smart cards or two of three smart cards) that are required to recover the master key when data needs to be retrieved. For example, if you specify two of five smart cards, then you will need two of the five smart cards to recover the master key. Each smart card is owned by a Cisco SME Recovery Officer.

Note: The greater the number of required smart cards to recover the master key, the greater the security. However, if smart cards are lost or if they are damaged, this reduces the number of available smart cards that could be used to recover the master key.