Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 43


[-storetype <storetype>] [-providerName <name>]
[-exportfile <exportfile>] [-providerClass <provider_class_name>]
[-providerArg <arg>]

These parameters are of particular importance when exporting data keys for
Encryption Key Manager to serve to the LTO 4 and LTO 5 drives for tape
encryption:

-alias
   Specifies the alias of a single data key: up to 12 printable characters
   (for example, abcfrg or key123tape).

-aliasrange
   When exporting multiple data keys, aliasrange is specified as a
   3-character alphabetic prefix followed by hexadecimal lower and upper
   limits separated by a hyphen. Each value in the range is filled with
   leading zeroes to 18 hexadecimal digits and the prefix is stored in upper
   case, so every alias constructed is 21 characters long. For example,
   key1-a yields the aliases KEY000000000000000001 through
   KEY00000000000000000A, and xyz01-FF yields XYZ000000000000000001 through
   XYZ0000000000000000FF.

-exportfile
   Specifies the file in which the data keys are stored when they are
   exported.

-keyalias
   Specifies the alias of a public key in the keystore that is used to
   encrypt all the exported data keys. Ensure that the keystore into which
   the symmetric (data) keys will be imported contains the corresponding
   private key; without it the exported keys cannot be decrypted.
Sample Alias and Symmetric Key Setup for LTO 4 and LTO 5 Encryption Using a JCEKS Keystore

Invoke the KeyTool with the -aliasrange option. Note that the key algorithm
(-keyalg) must be specified as AES and the key size (-keysize) must be
specified as 256, as follows:

   /bin/keytool -genseckey -v -aliasrange AES01-FF -keyalg AES -keysize 256
   -keypass password -storetype jceks -keystore path/filename.jceks

This KeyTool invocation generates 255 sequential aliases, AES000000000000000001
through AES0000000000000000FF (hexadecimal 01 through FF), each with an
associated 256-bit AES symmetric key. The -aliasrange and -alias forms of the
command can each be repeated cumulatively as many times as necessary to set up
the full number of ranged and standalone key aliases desired for robust key
manager operation; keytool refuses to generate a second key under an alias the
keystore already holds, so choose ranges that do not overlap. For example, to
generate an additional alias and symmetric key for LTO 4 and LTO 5:

   /bin/keytool -genseckey -v -alias abcfrg -keyalg AES -keysize 256
   -keypass password -storetype jceks -keystore path/filename.jceks

This invocation adds the standalone alias abcfrg to the named keystore, which
already contains the 255 ranged aliases from the invocation above, for a total
of 256 symmetric keys in the .jceks file named by the -keystore option. In both
commands password is a placeholder; a password given on the command line is
recorded in the shell history and is visible to other users in the process
list, so omit -keypass and let keytool prompt for it instead.
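As an added example (not code from the Key Manager, from keytool, or from this manual), the following Python script expands -aliasrange values into the aliases described above, checks -alias values against the 12-printable-character limit, checks the AES/256 requirement, and assembles the cumulative keytool invocations while rejecting any alias that a later invocation would repeat. All function names are this example's own; the 18-hexadecimal-digit width is taken from the page's sample aliases, the keystore path is a placeholder, and -keypass is left off so that keytool prompts for it rather than taking it from the command line.

```python
"""Plan and check an Encryption Key Manager JCEKS data-key setup.

Added example (not Key Manager or keytool code): models the alias rules the
manual states so that -alias / -aliasrange values, the key algorithm and the
key size can be checked before keytool is run and before the Key Manager's
own start-up validation rejects them.  Function names are this example's own;
the 18-hex-digit width is inferred from the sample aliases (3-letter prefix +
18 digits = 21 characters).
"""
import re

PREFIX_LEN = 3                         # alphabetic prefix of a ranged alias
ALIAS_LEN = 21                         # ranged alias length stated in the manual
HEX_DIGITS = ALIAS_LEN - PREFIX_LEN    # 18, e.g. KEY000000000000000001
STANDALONE_MAX = 12                    # -alias limit stated in the manual
REQUIRED_KEYALG, REQUIRED_KEYSIZE = "AES", 256

_RANGE_RE = re.compile(r"^([A-Za-z]{3})([0-9A-Fa-f]+)-([0-9A-Fa-f]+)$")


def expand_alias_range(spec):
    """Aliases denoted by an -aliasrange value such as 'AES01-FF'.

    The prefix is upper-cased (key1-a -> KEY...01 .. KEY...0A), the
    hexadecimal bounds are inclusive, and each alias is zero-filled to
    ALIAS_LEN characters.  Raises ValueError on a malformed spec.
    """
    m = _RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"{spec!r}: expected <3 letters><hex>-<hex>")
    prefix, lo, hi = m.group(1).upper(), int(m.group(2), 16), int(m.group(3), 16)
    if lo > hi:
        raise ValueError(f"{spec!r}: lower bound exceeds upper bound")
    if hi >= 16 ** HEX_DIGITS:
        raise ValueError(f"{spec!r}: bound does not fit in {HEX_DIGITS} hex digits")
    return [f"{prefix}{n:0{HEX_DIGITS}X}" for n in range(lo, hi + 1)]


def is_valid_standalone_alias(alias):
    """-alias rule: 1 to 12 printable characters (read here, conservatively,
    as printable ASCII with no blanks)."""
    return 0 < len(alias) <= STANDALONE_MAX and all(
        0x21 <= ord(c) <= 0x7E for c in alias)


def check_key_params(keyalg, keysize):
    """Problems the Key Manager's validation would report; [] if acceptable."""
    problems = []
    if keyalg.upper() != REQUIRED_KEYALG:
        problems.append(f"-keyalg must be {REQUIRED_KEYALG}, got {keyalg}")
    if keysize != REQUIRED_KEYSIZE:
        problems.append(f"-keysize must be {REQUIRED_KEYSIZE}, got {keysize}")
    return problems


def plan_keystore(ranges, aliases, keystore, keyalg="AES", keysize=256):
    """Return (keytool argv per invocation, sorted list of all aliases) for the
    cumulative setup the manual describes.  Rejects bad key parameters and any
    alias a later invocation would repeat, since keytool refuses to generate a
    second key under an alias the keystore already holds.
    """
    problems = check_key_params(keyalg, keysize)
    if problems:
        raise ValueError("; ".join(problems))
    seen, commands = set(), []
    # -keypass deliberately omitted: keytool prompts for it instead of
    # leaving the password in shell history and the process list.
    common = ["-keyalg", keyalg, "-keysize", str(keysize),
              "-storetype", "jceks", "-keystore", keystore]
    for spec in ranges:
        new = expand_alias_range(spec)
        dup = seen.intersection(new)
        if dup:
            raise ValueError(f"{spec!r} repeats alias {sorted(dup)[0]}")
        seen.update(new)
        commands.append(["keytool", "-genseckey", "-v", "-aliasrange", spec] + common)
    for alias in aliases:
        if not is_valid_standalone_alias(alias):
            raise ValueError(f"{alias!r}: not 1-12 printable characters")
        if alias in seen:
            raise ValueError(f"{alias!r} already generated")
        seen.add(alias)
        commands.append(["keytool", "-genseckey", "-v", "-alias", alias] + common)
    return commands, sorted(seen)


if __name__ == "__main__":
    # Placeholder keystore path; the two invocations from the manual.
    cmds, all_aliases = plan_keystore(["AES01-FF"], ["abcfrg"], "path/filename.jceks")
    for argv in cmds:
        print(" ".join(argv))
    print(len(all_aliases), "aliases:", all_aliases[0], "...", all_aliases[-1])
```

Running the script prints the two keytool command lines and reports 256 aliases, AES000000000000000001 first and abcfrg last in sort order. The range checks are what keep a typo such as a two-letter prefix or reversed bounds from reaching the keystore, where it would later surface only as a Key Manager start-up failure.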
Update the symmetricKeySet property in the KeyManagerConfig.properties file
by adding the following line, which must match any or all of the alias ranges
and standalone aliases used above and name the file in which the symmetric
keys were stored. Note that the Encryption Key Manager may not start if an
invalid alias is specified. Other causes for validation check failure include
an incorrect key size (for AES the keysize MUST be 256) or an algorithm that
is invalid for the platform. -keyalg must be AES and -keysize
Chapter 3. Installing the Encryption Key Manager and Keystores
3-13