Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 15

locations within an enterprise. A command line interface client provides a robust

set of commands to customize the Encryption Key Manager for your environment

and monitor its operation. Many customization and monitoring functions are also

available on the Dell Encryption Key Manager graphical user interface (GUI). The

Encryption Key Manager uses one or more keystores to hold the certificates and

keys (or pointers to the certificates and keys) required for all encryption tasks. See

“Keystore Considerations” on page 2-3 for detailed information.

IMPORTANT Encryption Key Manager HOST SERVER CONFIGURATION

INFORMATION: It is recommended that machines hosting the Dell

Encryption Key Manager program use ECC memory in order to minimize

the risk of data loss. The Encryption Key Manager performs the function of

requesting the generation of encryption keys and passing those keys to the

LTO 4 and LTO 5 tape drives. The key material, in wrapped (encrypted

form) resides in system memory during processing by the Encryption Key

Manager. Note that the key material must be transferred without error to the

appropriate tape drive so that data written on a cartridge may be recovered

(decrypted). If for some reason key material is corrupted due to a bit error in

system memory, and that key material is used to write data to a cartridge,

then the data written to that cartridge will not be recoverable (i.e. decrypted

at a later date). There are safeguards in place to make sure that such data

errors do not occur. However, if the machine hosting the Encryption Key

Manager is not using Error Correction Code (ECC) memory there remains a

possibility that the key material may become corrupted while in system

memory and the corruption could then cause data loss. The chance of this

occurrence is small, but it is always recommended that machines hosting

critical applications (like the Encryption Key Manager) use ECC memory.

The Encryption Key Manager acts as a background process awaiting key

generation or key retrieval requests sent to it through a TCP/IP communication

path between itself and the tape library. When a tape drive writes encrypted data,

it first requests an encryption key from the Encryption Key Manager. Upon receipt

of the request, the Encryption Key Manager performs the following tasks.

The Encryption Key Manager fetches an existing AES key from a keystore and

wraps it for secure transfer to the tape drive where it is unwrapped upon arrival

and used to encrypt the data being written to tape.

When an encrypted tape is read by an LTO 4 or LTO 5 drive, the Encryption Key

Manager fetches the required key from the keystore, based on the information in

the Key ID on the tape, and serves it to the tape drive wrapped for secure transfer.

There are two methods of encryption management to choose from. These methods

differ in where the encryption policy engine resides, where key management is

performed for your solution, as well as how the Encryption Key Manager is

connected to the drive. Your operating environment determines which is the best

for you. Key management and the encryption policy engine may be located in any

one of the following two environmental layers.

Chapter 1. Tape Encryption Overview

1-3

|

|

Section	Page
Contents	3
Figures	5
Tables	7
Preface	9
About this Book	9
Who Should Read this Book	9
Conventions and Terminology Used in this Book	9
Attention Notice	9
Related Publications	10
Linux Information	10
Red Hat Information	10
SuSE Information	10
Microsoft Windows Information	10
Online Support	10
Read this First	11
Contacting Dell	11
Chapter 1. Tape Encryption Overview	13
Components	13
Managing Encryption	14
Application-Managed Tape Encryption	16
Library-Managed Tape Encryption	17
About Encryption Keys	17
Chapter 2. Planning Your Encryption Key Manager Environment	21
Encryption Setup Tasks at a Glance	21
Encryption Key Manager Setup Tasks	21
Planning for Library-Managed Tape Encryption	21
Hardware and Software Requirements	22
Linux Solution Components	22
Windows Solution Components	23
Keystore Considerations	23
The JCEKS Keystore	23
Encryption Keys and the LTO 4 and LTO 5 Tape Drives	24
Backing up Keystore Data	25
Multiple Key Managers for Redundancy	27
Encryption Key Manager Server Configurations	27
Single-Server Configuration	27
Two-Server Configurations	28
Disaster Recovery Site Considerations	29
Considerations for Sharing Encrypted Tapes Offsite	29
Federal Information Processing Standard 140-2 Considerations	30
Chapter 3. Installing the Encryption Key Manager and Keystores	31
Downloading the Latest Version Key Manager ISO Image	31
Installing the Encryption Key Manager on Linux	31
Installing the Encryption Key Manager on Windows	32
Using the GUI to Create a Configuration File, Keystore, and Certificates	35
Generating Keys and Aliases for Encryption on LTO 4 and LTO 5	39
Creating and Managing Key Groups	44
Chapter 4. Configuring the Encryption Key Manager	51
Using the GUI to Configure the Encryption Key Manager	51
Configuration Strategies	51
Automatically Update Tape Drive Table	51
Synchronizing Data Between Two Key Manager Servers	52
Configuration Basics	53
Chapter 5. Administering the Encryption Key Manager	57
Starting, Refreshing, and Stopping the Key Manager Server	57
The Command Line Interface Client	61
CLI Commands	63
Chapter 6. Problem Determination	71
Check These Important Files for Encryption Key Manager Server Problems	71
Debugging Communication Problems Between the CLI Client and the EKM Server	72
Debugging Key Manager Server Problems	72
Encryption Key Manager-Reported Errors	75
Messages	79
Config File not Specified	79
Failed to Add Drive	80
Failed to Archive the Log File	80
Failed to Delete the Configuration	80
Failed to Delete the Drive Entry	81
Failed to Import	81
Failed to Modify the Configuration	81
File Name Cannot be Null	81
File Size Limit Cannot be a Negative Number	82
No Data to be Synchronized	82
Invalid Input	82
Invalid SSL Port Number in Configuration File	83
Invalid TCP Port Number in Configuration File	83
Must Specify SSL Port Number in Configuration File	83
Must Specify TCP Port Number in Configuration File	84
Server Failed to Start	84
Sync Failed	84
The Specified Audit Log File is Read Only	85
Unable to Load the Admin Keystore	85
Unable to load the keystore	86
Unable to Load the Transport Keystore	86
Unsupported Action	86
Chapter 7. Audit Records	89
Audit Overview	89
Audit Configuration Parameters	89
Audit.event.types	89
Audit.event.outcome	90
Audit.eventQueue.max	90
Audit.handler.file.directory	90
Audit.handler.file.size	91
Audit.handler.file.name	91
Audit.handler.file.multithreads	92
Audit.handler.file.threadlifespan	92
Audit Record Format	92
Audit Points in the Encryption Key Manager	93
Audit Record Attributes	93
Audited Events	95
Chapter 8. Using Metadata	97
Appendix A. Sample Files	101
Sample startup daemon script	101
Linux Platforms	101
Sample Configuration Files	101
Appendix B. Encryption Key Manager Configuration Properties Files	103
Encryption Key Manager Server Configuration Properties File	103
CLI Client Configuration Properties File	111
Appendix C. Frequently Asked Questions	113
Notices	115
Trademarks	115
Glossary	117
Index	119
A	119
C	119
D	119
E	119
F	119
G	119
H	119
I	119
J	119
K	119
L	119
M	119
N	119
P	119
R	120
S	120
T	120
W	120

Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 15

Manager fetches the required key from the keystore, based on the information

Page 15 highlights