HP Secure Encryption HP Enterprise Secure Key Manager 3.1 and later, HP Eskm and key management

Page 11

management database, key management, encryption activation, and audit support for the devices within the platform.

For the full implementation of HP Secure Encryption with the HP ESKM, HP iLO Advanced or HP iLO Scale Out editions are required to connect and auto-register with the HP ESKM. HP iLO provides key exchange support between the HP Smart Array Controller and the HP ESKM to enable pre-boot support for OS disk encryption. Audit support is provided for all for key management transactions.

For more information about HP iLO, see the HP website (http://www.hp.com/go/ilo).

HP Enterprise Secure Key Manager 3.1 and later

HP Enterprise Secure Key Manager 3.1 and later acts as a secure, reliable repository for keys used by HP Secure Encryption. In Remote Key Management Mode, HP iLO connects to the HP ESKM using username/password and digital certificate authentication to securely store and retrieve keys. Each HP iLO must be registered as an HP ESKM user by an administrator, or Crypto Officer, of the HP ESKM for access to be granted. If a user is registered and has the necessary permissions, the HP ESKM accepts requests and provides keys to the client. As standard practice, communication with the HP ESKM is configured for SSL to ensure the security of the connection and authorized access to keys.

The HP ESKM keys and users can be organized into different groups depending on the policies set by an administrator. These groups determine whether a particular user can retrieve a particular key, and supports both key sharing and separation for multi-tenant and hosted service provider environments.

Characteristics

Used only in Remote Mode, requiring a network connection

Supports high-availability clustering of 2-8 HP ESKM nodes for automatic replication and failover

Provides key services to HP iLO clients using username and password, certificate authentication, or both

Communicates using SSL encryption to ensure the security of the connection and authorized access to keys

Provides reliable, secure access to business-critical encryption keys

Supports audit and compliance requirements, including PCI-DSS and HIPAA/HITECH

Provides scalability for multiple data centers, thousands of clients, and millions of keys

Uses a FIPS-140-2 Level 2 validated secure appliance which supports the latest NIST cryptographic guidance

HP ESKM and key management

The HP Smart Array Controller manages keys by separating them into the following categories:

Keys stored off-controller on the HP ESKM

Keys stored on the drive media

Keys stored on the controller

The separation of keys helps ensure the safety of the data residing on the drives, the portability of the drives, and the ability to manage keys in a centralized manner. The controller uses the HP ESKM to back up a segment of its keys using an encryption method that protects the keys from exposure in plaintext.

Overview 11

Page 10 Page 12
Image 11
Page 10 Page 12
Contents HP Secure Encryption Installation and User Guide Page Contents Support and other resources About HP Secure Encryption OverviewBenefits Encryption featuresFeature Description Eskm HP ProLiant servers Solution componentsHP Smart Storage Administrator Minimum requirements HP Smart Array ControllerHP SmartCache HP iLOHP Eskm and key management HP Enterprise Secure Key Manager 3.1 and laterLicensing Planning Encryption setup guidelinesRecommended security settings at remote sites Encrypted backupsRemote and local key management requirements Security domainsDeployment scenarios Configuring the controller local mode ConfigurationLocal key management mode Configuration Configuring Remote Key Management Mode Remote Key Management ModeAdding a user Configuring the HP EskmLogging in to the HP Eskm Configuration Adding a group Assigning a user to a group Configuration Configuration Creating a Master Key Running a key query Placing a key in a groupConfiguration Assigning a key to a group Configuring HP iLO Connecting HP iLO to HP Eskm Configuration Configuring the controller remote mode Configuration Logging into Encryption Manager Accessing Encryption ManagerOperations Opening Encryption ManagerSet or change the Crypto Officer password Managing passwordsSet or change user account password Set or change the password recovery questionSet or change the controller password Suspending the controller password Resuming the controller password Rekeying the Drive Encryption Keys Working with keysChanging the Master Encryption Key Rescanning keys Creating a plaintext volumeOperations Operations Converting plaintext volumes into encrypted volumes Changing key management modes Enabling/disabling plaintext volumes Enabling/disabling the firmware lock Enabling/disabling local key cache Importing drives with different Master Keys Importing drive sets in Local Key Management ModeOperations Controllers MaintenanceEncryption Manager DrivesFlashing firmware Replacing a physical driveQuery by drive serial number GroupsLocating groups associated with a drive Maintenance Query by previous server name Maintenance Displaying log information Running queries Maintenance Maintenance Maintenance Lost or forgotten controller password TroubleshootingCommon issues Lost or forgotten Crypto Officer passwordLost or forgotten Master Key Local modeRemote mode Locating the key using the HP EskmLocating the key using iLO Forgotten which Master key goes with which drive Master key not exporting Logical drives remain offlineTesting the connection between HP iLO and the HP Eskm Potential errors encountered Error Description Action Clearing the encryption configuration HP contact information Support and other resourcesBefore you contact HP Encryption algorithms AppendixGlossary Plaintext ILOLocal Master Encryption Key Master Encryption KeyRemote Key Manager Volume encryption keyDocumentation feedback Eskm IndexIndex
Top Page Image Contents