HP Secure Encryption manual Configuring Remote Key Management Mode

Page 17

o Under Key Management Mode, select Local Key Management Mode.

4. Click OK.

5. A warning appears, prompting the user to record the Master Key. Click Yes to continue.

6. If you have read and agree to the terms of the EULA, select the check box and click Accept.

7. A summary screen appears indicating the controller has been successfully configured for encryption use. Click Finish to continue.

8. The Encryption Manager screen appears with updated Settings, Accounts and Utilities options.

IMPORTANT: HP recommends setting up a password recovery question and answer after initial configuration. If the Crypto Officer password is lost and a recovery question and answer have not been set, you will need to erase and reconfigure all HP Secure Encryption settings in order to reset the Crypto Officer password. For more information, see "Set or change the password recovery question" on page 35.

Remote Key Management Mode

IMPORTANT: HP Enterprise Secure Key Manager 3.1 and later must already be installed and configured to operate HP Secure Encryption in Remote Mode. For more information, see "Configuring the HP ESKM" on page 18.

In Remote Key Management Mode, keys are imported and exported between the controller and the HP ESKM, which provides a redundant, secure store with continuous access to the keys. To enable key exchanges between the HP Smart Array Controller and the HP ESKM, a network connection is required both during pre-OS boot time and during OS operations. Because the controller does not have direct network access capabilities, HP iLO provides the necessary network access to facilitate key exchanges between the controller and the HP ESKM. HP iLO has network presence and runs constantly on AUX power regardless of the server state. The keys exchanged between HP iLO, HP ESKM, and the controller are all secured.

Characteristics

o High volume key storage

o Keys are kept in separate storage from servers to protect against physical removal

o Requires network availability and a remote key management system

Configuring Remote Key Management Mode

IMPORTANT: HP Secure Encryption and other HP encryption client products must be coordinated for a successful installation and configuration. It is recommended to refer to each product's user guide to ensure proper installation and encryption protection.

To configure HP Secure Encryption to operate in Remote mode:

1. Configure the HP ESKM ("Configuring the HP ESKM" on page 18). For more information about installation, configuration and operation of the HP ESKM, see the HP Enterprise Secure Key Manager User Guide and the HP Installation and Replacement Guide.

2. Connect HP iLO to the HP ESKM ("Connecting HP iLO to HP ESKM" on page 29).

3. Install HP SSA. For more information, see the HP Smart Storage Administrator User Guide.
