Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 25

Backing up Keystore Data

Get Dell PowerVault TL4000 PDF manuals and user guides View all Dell PowerVault TL4000 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 25 highlights

3. If no alias is specified in the request and no alias is specified in the drive table, Encryption Key Manager selects an alias from the set of aliases or the key group in the keyAliasList. 4. Encryption Key Manager fetches a corresponding DK from the keystore. 5. Encryption Key Manager converts the alias to a DKi and wraps the DK with a key the drive can decrypt 6. Encryption Key Manager sends the DK and DKi to the tape drive 7. Tape drive unwraps the DK and writes encrypted data and DKi to tape Figure 2-2 shows how keys are processed for encrypted read operation. 4 DK 5 Key Manager 6 3 DKi Alias 1 Config File 2 Key store Drive Table | Figure 2-2. LTO 4 or LTO 5 Tape Drive Request for Encryption Read Operation 1. Tape drive receives read request and sends DKi to Encryption Key Manager 2. Encryption Key Manager verifies tape device in Drive Table 3. Encryption Key Manager translates DKi to alias and fetches corresponding DK from keystore 4. Encryption Key Manager wraps the DK with a key the drive can decrypt 5. Encryption Key Manager sends the wrapped DK to tape drive 6. Tape drive unwraps the DK and uses it to decrypt the data Backing up Keystore Data Note: Due to the critical nature of the keys in your keystore, it is vital that you back up this data on a non-encrypted device so that you can recover it as needed and be able to read the tapes that were encrypted using those certificates associated with that tape drive or library. Failure to backup your keystore properly will result in irrevocably losing all access to your encrypted data. There are many ways to backup this keystore information. Each keystore type has it own unique characteristics. These general guidelines apply to all: v Keep a copy of all certificates loaded into the keystore (usually a PKCS12 format file). v Use system backup capabilities (such as RACF) to create a backup copy of the keystore information (be careful not to encrypt this copy using the encrypting tape drives as it would impossible to decrypt it for recovery). Chapter 2. Planning Your Encryption Key Manager Environment 2-5

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
3.
If no alias is specified in the request and no alias is specified in the drive table,
Encryption Key Manager selects an alias from the set of aliases or the key
group in the keyAliasList.
4.
Encryption Key Manager fetches a corresponding DK from the keystore.
5.
Encryption Key Manager converts the alias to a DKi and wraps the DK with a
key the drive can decrypt
6.
Encryption Key Manager sends the DK and DKi to the tape drive
7.
Tape drive unwraps the DK and writes encrypted data and DKi to tape
Figure 2-2 shows how keys are processed for encrypted read operation.
1.
Tape drive receives read request and sends DKi to Encryption Key Manager
2.
Encryption Key Manager verifies tape device in Drive Table
3.
Encryption Key Manager translates DKi to alias and fetches corresponding DK
from keystore
4.
Encryption Key Manager wraps the DK with a key the drive can decrypt
5.
Encryption Key Manager sends the wrapped DK to tape drive
6.
Tape drive unwraps the DK and uses it to decrypt the data
Backing up Keystore Data
Note: Due to the critical nature of the keys in your keystore, it is vital that you
back up this data on a non-encrypted device so that you can recover it as
needed and be able to read the tapes that were encrypted using those
certificates associated with that tape drive or library. Failure to backup
your keystore properly will result in irrevocably losing all access to your
encrypted data.
There are many ways to backup this keystore information. Each keystore type has
it own unique characteristics. These general guidelines apply to all:
v
Keep a copy of all certificates loaded into the keystore (usually a PKCS12 format
file).
v
Use system backup capabilities (such as RACF) to create a backup copy of the
keystore information (be careful not to encrypt this copy using the encrypting
tape drives as it would impossible to decrypt it for recovery).
Config
File
Key
store
Drive
Table
Key Manager
1
2
4
5
6
3
DKi
Alias
DK
Figure2-2. LTO 4 or LTO 5 Tape Drive Request for Encryption Read Operation
Chapter 2. Planning Your Encryption Key Manager Environment
2-5
|