HP Secure Encryption manual: Planning, Encryption setup guidelines, Encrypted backups

Page 13

Planning

Encryption setup guidelines

When setting up HP Secure Encryption, consider the information described in the following table.

| Configuration | Options | Deciding factors |
|---|---|---|
| Encryption mode | Local Key Management Mode; Remote Key Management Mode | Choose Local Key Management Mode when: data is stored at a site without network access; in a small deployment center or lab; manual key management is available. Choose Remote Key Management Mode when: using a large number of servers; a network is available between the HP ESKM and a server; automatic key management is preferred, including backups and redundancy configurations. |
| Plaintext volumes | Allow; Disallow (default) | Allow future plaintext logical drives when: drive migration might occur to a non-encrypting controller; data is not privacy-sensitive. For more information, see "Enabling/disabling plaintext volumes" (on page 45). |
| Key naming conventions | Master Encryption Keys are customizable. | Create a specific naming convention when managing multiple keys and multiple servers. |

Recommended security settings at remote sites

For added security, HP recommends the following configuration when operating HP Secure Encryption at remote sites outside the main data center.

Firmware lock enabled ("Enabling/disabling the firmware lock" on page 46)

Controller password enabled ("Set or change the controller password" on page 36)

Plaintext volumes disabled ("Enabling/disabling plaintext volumes" on page 45)

Local Key Cache disabled (applies to Remote Key Management Mode only)
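
The following added example (not from the HP guide) checks an inventory of controller settings against the remote-site recommendations listed above and reports every gap. The record layout, field names and sample hosts are assumptions made for this example; they are not the output of any HP tool.

```python
# Added example: field names and record layout are assumptions, not an HP format.
RECOMMENDED = [
    # (field, recommended value, key mode the rule is limited to, or None for any)
    ("firmware_lock", True, None),
    ("controller_password", True, None),
    ("plaintext_volumes_allowed", False, None),
    ("local_key_cache", False, "remote"),  # Remote Key Management Mode only
]

def audit_controller(ctrl):
    """Return findings for one controller record; an empty list means compliant."""
    # A record without a site flag is audited as remote (fail closed).
    if not ctrl.get("remote_site", True):
        return []  # the recommendations target sites outside the main data center
    findings = []
    if ctrl.get("key_mode") not in ("local", "remote"):
        findings.append("key_mode: not recorded, verify on the controller")
    for field, wanted, mode in RECOMMENDED:
        if mode is not None and ctrl.get("key_mode") != mode:
            continue  # rule does not apply in this key management mode
        actual = ctrl.get(field)
        if actual is None:
            findings.append(f"{field}: not recorded, verify on the controller")
        elif actual != wanted:
            findings.append(f"{field}: is {actual}, recommended {wanted}")
    return findings

def audit_fleet(controllers):
    """Map controller name to findings, listing only controllers with gaps."""
    report = {}
    for ctrl in controllers:
        findings = audit_controller(ctrl)
        if findings:
            report[ctrl["name"]] = findings
    return report

# Constructed sample inventory (hypothetical hosts and values).
SAMPLE_FLEET = [
    {"name": "branch-01", "remote_site": True, "key_mode": "remote", "firmware_lock": True,
     "controller_password": True, "plaintext_volumes_allowed": False, "local_key_cache": True},
    {"name": "lab-02", "remote_site": True, "key_mode": "local", "firmware_lock": False,
     "controller_password": True, "plaintext_volumes_allowed": False},
    {"name": "dc-03", "remote_site": False, "key_mode": "remote", "firmware_lock": False,
     "controller_password": False, "plaintext_volumes_allowed": True, "local_key_cache": True},
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name, findings)
```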

Encrypted backups

At system startup, all encrypted data-at-rest becomes accessible to the host system in unencrypted form via the controller and the appropriate keys. This method of startup allows the system to boot into an operating system installed on an encrypted volume. As a result, encrypted backups are not available, and all data appears
