Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 34

Key management, Keystore backup file, Re-purpose a drive in an appliance with encryption enabled



Drive level encryption status is provided for each drive in an appliance and appears as one of the following:

• Encrypted – The drive is encrypted. This is the typical state of a drive in an appliance that is encryption capable.
• Encrypting – The appliance is enabling encryption on the drive. This status can be seen during the initial activation of encryption on an appliance or during the addition of new drives to a configured appliance.
• Disabled – The drive cannot have encryption enabled due to country-specific import restrictions. If any drives report this status, then all drives in the cluster will also report the same status.
• Unknown – The appliance has not yet attempted to enable encryption on the drive. This status can be seen during the initial activation of encryption on an appliance or during the addition of new drives to a configured appliance.
• Unsupported – The drive does not support encryption.
• Foreign – The drive is supported, but has been locked by another appliance. It needs to be decommissioned before it can be used.

Key management

An embedded key manager service (KMS) runs on the active node of each PowerStore appliance. This service manages the local keystore file lockbox storage to support automatic encryption key backup to system and boot drives. It also controls the Self-Encrypting Drive (SED) lock and unlock process on the appliance and is responsible for managing the local keystore content for the appliance. The local keystore file is encrypted with a 256-bit AES key and the keystore file lockbox storage leverages RSA’s BSAFE technology.

The KMS automatically generates a random authentication key for SEDs during the initialization of the appliance. Each drive has a unique authentication key, including those that are added to the appliance later on, that is used in the SED lock and unlock processes. A key encryption key encrypts authentication and encryption keys in the keystore file storage and in flight within the appliance. Media encryption keys are stored on the dedicated hardware of the SEDs and cannot be accessed. When encryption is enabled, all the authentication keys are stored within the appliance.

Keystore backup file

The KMS supports the creation and download of an off-appliance backup of the keystore archive file. The off-appliance backup reduces the chances of a catastrophic key loss, which would render an appliance or cluster unusable. If a particular appliance is unavailable when a cluster keystore backup is initiated, the overall operation will succeed, but a warning is issued that the backup does not contain keystore files for all appliances in the cluster and that the operation should be retried when the offline appliance is available.

NOTE: The primary appliance in a cluster contains a cluster keystore archive file that contains a copy of keystore backups from each appliance that is discovered in the cluster, including the primary appliance.

When changes to the configuration of a system within the cluster occur that result in changes to the keystore, it is recommended that you generate a new keystore archive file for download. Only one backup download operation of the keystore archive file can be run at a time.

NOTE: It is strongly recommended that you download the generated keystore archive file to an external, secure location. If the keystore files on a system become corrupted and inaccessible, that system will enter service mode. In this case, the keystore archive file and a service engagement are required for resolution.

A user role of Administrator or Storage Administrator is required to back up the keystore archive file. To back up the keystore archive file, click Settings and under Security select Encryption. On the Encryption page under Lockbox backup, click Download Keystore Backup.

NOTE: To restore the keystore backup in case of a failure, contact your service provider.
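
The following is an added example, not part of Dell's guide: a Python check that an operator could run over their own records to see whether the last downloaded keystore archive covers every appliance, predates any drive additions, and whether any drive sits in a status that needs follow-up. The inventory and backup record structures, field names and sample values are constructed for illustration, and the rule that a drive added after the backup makes the archive stale is an assumption drawn from the guide's statement that each added drive gets its own authentication key.

```python
from datetime import datetime

# Statuses from the guide's list that call for operator follow-up
# (this grouping is the example's own choice, not Dell's).
ATTENTION = {"Disabled", "Unknown", "Unsupported", "Foreign"}

# Constructed sample inventory; names, slots and dates are hypothetical.
SAMPLE_APPLIANCES = {
    "appliance-1": [
        {"slot": 0, "status": "Encrypted", "added": datetime(2024, 1, 10)},
        {"slot": 1, "status": "Encrypted", "added": datetime(2024, 6, 2)},
    ],
    "appliance-2": [
        {"slot": 0, "status": "Encrypted", "added": datetime(2024, 1, 10)},
        {"slot": 1, "status": "Foreign", "added": datetime(2024, 6, 5)},
    ],
}
# Constructed record of the last downloaded keystore archive.
SAMPLE_BACKUP = {"taken": datetime(2024, 3, 1), "appliances": {"appliance-1"}}


def audit_keystore_backup(appliances, backup):
    """Return findings about backup coverage, freshness and drive status."""
    findings = []
    # A backup started while an appliance is offline still succeeds, but it
    # lacks that appliance's keystore files.
    for name in sorted(set(appliances) - backup["appliances"]):
        findings.append(f"INCOMPLETE: backup has no keystore for {name}")
    for name, drives in sorted(appliances.items()):
        for d in drives:
            locked = d["status"] in ("Encrypted", "Encrypting")
            # Assumption: a drive added after the backup has an authentication
            # key the archive does not contain, so the archive is stale.
            if locked and name in backup["appliances"] and d["added"] > backup["taken"]:
                findings.append(f"STALE: {name} slot {d['slot']} added after backup")
            if d["status"] in ATTENTION:
                findings.append(f"STATUS: {name} slot {d['slot']} is {d['status']}")
    return findings


if __name__ == "__main__":
    for line in audit_keystore_backup(SAMPLE_APPLIANCES, SAMPLE_BACKUP):
        print(line)
```

Any INCOMPLETE or STALE finding is a prompt to generate and download a new keystore archive once all appliances are online.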

Re-purpose a drive in an appliance with encryption enabled

About this task

A self-encrypting drive (SED) is locked when an appliance is initialized or when it is inserted into an already initialized appliance. The drive cannot be used in another system without first being unlocked. The locked drive becomes unusable when it is inserted into a different appliance and its encryption status appears as Foreign in the new appliance. The drive can be re-purposed for the new appliance; however, all the existing data on the drive will be lost.

To re-purpose a drive having an encryption status of Foreign on an appliance, do the following: