HP Secure Encryption manual Configuration, Local key management mode

Page 15

Configuration

Local key management mode

Local Key Management Mode, or Local Mode, is a solution designed for small to medium-size data centers using few encrypting controllers. The solution utilizes a paraphrase password, or Master Encryption Key name, to set the security on the controller and enable encryption. The paraphrase password must be tracked independently of the controllers, in case the controller needs replacement or drive migration is required among controllers with different passwords. In local mode, the Master Key name is considered a cryptographic secret and should be protected as such. Key creation and management is maintained at the local controller level without the use of a key manager.

Characteristics

Requires physical paraphrase password management, such as writing and storing Master Key information in a notebook or computer file

Utilizes one paraphrase password-derived 256-bit key to encrypt a unique, per-volume XTS-AES 256-bit data encryption key
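The key hierarchy listed above, as an added sketch that is not HP's code. The manual does not name the derivation function or the wrap algorithm, so PBKDF2-HMAC-SHA256, the salt, and an HMAC-SHA256 encrypt-then-MAC wrap (standing in for a real AES key wrap, which Python's standard library lacks) are assumptions, as are all function names and sample values. It shows why the per-volume key on a migrated drive cannot be recovered without the original Master Key name.

```python
import hashlib
import hmac
import secrets

ROUNDS = 200_000  # assumption: the manual states neither a KDF nor a cost


def derive_kek(master_key_name: str, salt: bytes) -> bytes:
    # 256-bit key-encryption key derived from the Master Key name.
    return hashlib.pbkdf2_hmac("sha256", master_key_name.encode(), salt,
                               ROUNDS, dklen=32)


def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for an AES-based wrap.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(kek, b"enc" + nonce + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(kek: bytes, volume_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(kek, nonce, len(volume_key))
    ct = bytes(a ^ b for a, b in zip(volume_key, ks))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # this blob is what would be stored with the volume


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong Master Key name or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def rewrap(old_name: str, new_name: str, salt: bytes, blob: bytes) -> bytes:
    # Moving a volume to a controller with a different Master Key name only
    # rewraps the volume key; the encrypted data itself is untouched.
    volume_key = unwrap(derive_kek(old_name, salt), blob)
    return wrap(derive_kek(new_name, salt), volume_key)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)        # constructed sample values
    volume_key = secrets.token_bytes(32)  # stand-in per-volume data key
    blob = wrap(derive_kek("controller-A-name", salt), volume_key)
    moved = rewrap("controller-A-name", "controller-B-name", salt, blob)
    print(unwrap(derive_kek("controller-B-name", salt), moved) == volume_key)
```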

Prerequisites

An installed HP Smart Array Controller compatible with HP Secure Encryption

A valid HP Secure Encryption license for each drive to be encrypted

HP Smart Storage Administrator v1.60.xx.0 and later

HP ProLiant Gen8 or later server

Configuring the controller (local mode)

IMPORTANT: HP recommends that you keep a record of the Master Encryption Keys when encryption is configured in Local Mode. The local Master Encryption Key is not displayed by any available tool or firmware because it is considered a cryptographic secret by FIPS 140-2. HP Secure Encryption design follows the NIST architecture requirements and does not allow HP to assist in the recovery of a lost Master Encryption Key.

To configure the controller to operate in Local Key Management Mode:

1. Open Encryption Manager ("Opening Encryption Manager" on page 33).
