HP manual Overview, About HP Secure Encryption


Overview

About HP Secure Encryption

HP Secure Encryption is a controller-based, enterprise-class data encryption solution that protects data at rest on bulk storage hard drives and SSDs attached to a compatible HP Smart Array Controller. The solution is compatible with the HP Enterprise Secure Key Manager, and can operate with or without the presence of a key manager in the environment, depending on individual customer settings.

HP Secure Encryption provides encryption for data at rest as an important component for complying with sensitive data protection requirements including PCI-DSS, HIPAA/HITECH, Sarbanes/Oxley, and state privacy laws. HP Secure Encryption secures any data deemed sensitive and requiring extra levels of protection through the application of XTS-AES 256-bit data encryption. Many companies subject to government regulations require that sensitive privacy data be secured and remain uncompromised using NIST-approved algorithms and methodologies for key management. As a result, HP has applied for FIPS-140-2 Level 2 validation for controllers supporting encryption. For more information, see the Cryptographic Module Validation Program (CMVP) on the National Institute of Standards and Technology website (http://csrc.nist.gov/groups/STM/cmvp/index.html).

HP Secure Encryption requires the following core components:

HP ProLiant Gen8 or later server. For more information, see "HP ProLiant servers (on page 9)."

HP Smart Array Controller. For a list of currently supported controllers, see "HP Smart Array Controller (on page 10)."

HP Secure Encryption license, per drive

HP Smart Storage Administrator, version 1.60 or later

Compatible SAS/SATA hard drive or SSD

Compatible storage enclosure

HP Secure Encryption can operate in Remote Key Management Mode, or Remote Mode, through the use of a separate, clustered, appliance-based server called the HP Enterprise Secure Key Manager 3.1 and later. The HP ESKM manages all encryption keys throughout the data center. When utilizing the HP ESKM, the communication path between the HP ESKM and the HP Smart Array Controller is established through the HP iLO interface. The controller communicates with the HP ESKM as new keys are generated and as old keys are retired. The HP ESKM acts as a key vault where all keys are managed via a web browser interface. For more information about the HP ESKM, see "HP Enterprise Secure Key Manager 3.1 and later (on page 11)." For more information about HP iLO connectivity, see "HP iLO (on page 10)."

The following additional components are required for operating HP Secure Encryption in Remote Mode:

Integrated Lights Out (iLO) Advanced or Scale Out Edition license, per ProLiant server

HP Enterprise Secure Key Manager 3.1 and later

HP Secure Encryption can also operate without an attached key management solution through Local Key Management Mode, or Local Mode.
