HP XP7 DKA Encryption User Guide Abstract This guide describes and provides instructions for DKA Encryption (EDKA), a feature of Remote Web Console (RWC) for the HP XP7 Storage system. You configure DKA Encryption within RWC for HP XP7 Storage.
© Copyright 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents 1 DKA Encryption Overview...........................................................................6 DKA Encryption benefits............................................................................................................6 DKA Encryption support specifications.........................................................................................6 When are data encryption license keys needed............................................................................
Workflow for restoring data encryption license keys....................................................................23 Blocking LDEVs using a file.................................................................................................24 Blocking LDEVs on the key management server......................................................................24 Restoring keys from a file....................................................................................................
Confirm window in the Delete Keys wizard............................................................................57 Delete Backup Keys on Server window......................................................................................57 View Backup Keys on Server window........................................................................................58 Edit Encryption wizard.............................................................................................................
1 DKA Encryption Overview To guarantee the security of the data, use the DKA Encryption (EDKA) feature to store encrypted data in an LDEV and encrypt them. The DKA Encryption feature provides redundant backup and restore capabilities to ensure data availability. DKA Encryption benefits Encrypting data can prevent information loss or leaks if a disk drive is physically removed from the system. Failure, loss, or theft are the most common reasons for information loss.
Item Specification Free: The unused key before allocating the encryption license key. DEK: The encryption license key. The key for the encryption of the stored data. CEK: The certificate encryption key. The key for the encryption of the certificate and the key for the encryption of DEK per HDD. KEK: Key Encryption Key. The key for the encryption of the CEK. Backup/Restore functionality Redundant (P-VOL and S-VOL) backup/restore copies.
• Updating CEK keys. • Updating KEK keys. For more information about backing up secondary data encryption license keys, see “Workflow for backing up secondary data encryption license keys” (page 18). CAUTION: You must add storing secondary backup encryption license keys securely as part of your corporate security policy. If the primary backup key becomes unavailable and no secondary backup key exists, the system cannot decrypt encrypted data.
Change data encryption license key workflow You must migrate data to encrypt data with a different data encryption license key on the HP XP7 Storage system. For more information about migration practices with encryption, see “Migration practices with encryption” (page 9). Use 1. 2. 3. 4. 5. the following process to change encryption license keys: A new parity group is created. Encryption is enabled with a new data encryption license key. The LDEVs in the encrypted parity group are formatted.
Software application Interoperability notes S-VOL, and journal volumes do not match, the journal data in the P-VOL is not encrypted, and the security of the data cannot be guaranteed. Thin Provisioning, Smart Tiers, Thin Provisioning Z, and Smart Tiers Z When enabling encryption for data written to a data pool with a V-VOL, use a data pool that consists of encrypted volumes. Note: If encryption is set, encryption formatting for pool volumes and V-VOLs is also required.
2 DKA Encryption Installation This chapter discusses how to install the EDKA feature. DKA Encryption installation workflow Use the following workflow to install the EDKA feature: 1. Ensure your system meets the system requirements. For more information about the system requirements, see “System requirements” (page 11). 2. 3. Ensure your product suite interoperates the way you want it to with the EDKA feature. Enable the EDKA feature.
Disabling the DKA Encryption feature You can disable the EDKA feature in Remote Web Console. CAUTION: 1. 2. 3. 12 Perform Step 1 and 2 before you delete the software license key. Disable data encryption at the parity-group level. For more information about disabling data encryption, see “Disabling data encryption at the parity-group level” (page 22). Initialize the connection settings to the key management server.
3 Key Management Server Connections You can use an optional key management server with HP XP7 Storage systems. This chapter provides information on how to set up the key management server. Key management server requirements If you are using a key management server, it must meet the following requirements: • Protocol: Key Management Interoperability Protocol 1.0 (KMIP1.0) • Software: SafeNet KeySecure k460 6.4.1 or Thales keyAuthority 4.0.
Preparing the client certificate workflow Use the following process to prepare the client certificate, which includes setting the client certificate expiration date and password: 1. Download and install openssl.exe from http://www.openssl.org/ to the C:\openssl folder. 2. Create the key file. You can create the following types of key files: • Private key file. For more information about creating a private key file, see “Creating a private SSL key file” (page 14). • Public key file.
4. 5. Complete the following information: • Country Name (two-letter code) • Email Address • (Optional) Challenge password • (Optional) Common name - To obtain a signed and trusted certificate, ensure that the server name is the same as the host name of the storage device.
1. 2. On the menu bar, click Settings > Environmental Setting > View Key Management Server Properties. In the View Key Management Server Properties window, click Setup Key Management Server. If you have not set the connection to the key management server, a message is displayed. Click OK. 3. 16 In the Setup Key Management Server window, upload the certificates.
4 Managing data encryption license keys This chapter provides information on how to manage data encryption license keys. Managing the keys includes ensuring availability of keys and accessibility to the encrypted or decrypted data. Manage data encryption license keys using the EDKA feature in the HP XP7 Storage system. You must have the Security Administrator (View & Modify) role to manage data encryption license keys.
Workflow for backing up secondary data encryption license keys The HP XP7 Storage system automatically creates a primary backup of the data encryption license key. Back up a secondary data encryption license key. You must have the Security Administrator (View & Modify) role to back up secondary data encryption license keys. In addition, it is recommended that you back up each key after you perform any of the following operations: • Creating encryption license keys.
8. Click Save. The data encryption license key is backed up as a file on the RWC computer. For more information, see “Encryption Keys window” (page 35) and “Backup Keys to File wizard” (page 46). Backing up keys to a key management server Back up data encryption license keys to a key management server. The data encryption license keys that you back up to a key management server are managed with the client certificate. There are a limited number of keys you can back up on the key management server.
Editing the password policy You can set the minimum number of characters required for passwords. 1. From the Settings menu, select Security > Encryption Key > Edit Password Policy (Backup Encryption Keys). 2. In the Edit Password Policy (Backup Encryption Keys) window, set the minimum number of characters. 3. Click Finish. 4. In the Confirm window, complete the following and then click Apply: • Confirm the settings. • For Task Name, type the task name.
NOTE: If you do not select a specific parity group, data encryption is enabled on all of the parity groups in the list. 4. In the Edit Encryption window of the Edit Encryption wizard, complete the following and then click Add: • For Available Groups, select the parity group for which you want to enable data encryption. • For Encryption, select Enable to enable data encryption or select Disable to disable data encryption at the parity-group level. • For Format Type, select the format type.
Blocking LDEVs at the parity-group level Block the LDEVs at the parity-group level so that you can disable data encryption and format LDEVs. Blocked LDEVs in the parity group have a status of “Blocked”. NOTE: 1. 2. 3. You cannot write to a blocked LDEV. From the RWC main window, click Explorer > Storage System > volume (resource). On the LDEVs tab, complete one of the following and then click Block LDEVs: • For Parity Group, select the parity group to which the LDEV is associated.
Encryption formatting at the parity-group level The LDEV formatting operation writes zero data to the entire area of all drives in the parity group, or overwrites an LDEV. This process is also referred to as encryption formatting. Unblocking LDEVs at the parity-group level Unblock LDEVs at the parity-group level to protect the data after you format an LDEV at the parity-group level. Unblocked LDEVs in the parity group have a status of “Unblocked”. 1.
1. Block the LDEVs associated to the encrypted parity group. Do one of the following: • Block the LDEV using a file on the RWC computer. For more information about blocking LDEVs using a file, see “Blocking LDEVs using a file” (page 24). • Block the LDEV on the key management server. For more information about blocking LDEVs on the key management server, see “Blocking LDEVs on the key management server” (page 24). 2. Restore an data encryption license key from a primary or secondary backup copy.
6. In the Restore Keys from File window, complete the following item and then click Finish: • For File Name, shows the name of the selected file. View-only: Yes • 7. For Password, type the password for the data encryption license key that you typed when you backed up the selected data encryption license key. In the Confirm window, complete the following and then click Apply: • Confirm the settings. • For Task Name, type the task name.
Workflow for changing data encryption license keys Encrypt data with a different data encryption license key. Use the following process to change the data encryption license key: 1. Create a new parity group. 2. Enable encryption with the new data encryption license key. For more information about enabling data encryption at the parity-group level, see “Enabling data encryption at the parity group-level” (page 20). 3. Format the LDEVs in the encrypted parity group.
4. 5. 6. To backup encryption keys to the key management server, click Next. To back up encryption keys to the server, see “Backing up keys to a key management server” (page 19). In the Delete Keys window, click Finish. In the Confirm window, complete the following and then click Apply: • Confirm the settings. • For Task Name, type a task name. • (Optional) Select Go to tasks window for status to open the Tasks window. The data encryption license key is deleted from the file on the RWC computer. 7.
3. From the Encryption Keys table, select the key ID for the data encryption license key information you want to output and then complete one of the following: • Click Settings > Security > Encryption Keys > Export. • Click More Actions > Export. Rekeying key encryption keys If you create key encryption keys on the key management server, use this procedure to rekey key encryption keys. Also, after rekeying key encryption license keys, it is recommended that you back up each key. Use 1. 2. 3.
6. Confirm the settings and the task name in the Task Name field. Select Apply in the Confirm window. If you selected the Go to tasks window for status check box, the Task window will appear.
5 Troubleshooting Common problems using EDKA include connection problems, license problems, and administrator permission problems. Managing or changing encryption settings is not possible if you cannot connect, write to, or run the storage system. Encryption events in the audit log The HP XP7 Storage system audit log records events related to the EDKA feature, including data encryption and EDKA processes.
Problem Action • If you backup and restore data encryption license keys with a key management server, the connection to the key management server is available. • If you backup and restore data encryption license keys with a key management server, the number of keys which you can back up on the key management server is not exceeded. Cannot create or delete data encryption license keys. Make sure that: • The DKA Encryption software license is valid and installed.
6 Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
HP websites For additional information, see the following HP websites: • http://www.hp.com • http://www.hp.com/go/storage • http://www.hp.com/service_locator • http://www.hp.com/support/manuals • http://www.hp.com/support/downloads • http://www.hp.
Table 1 Document conventions (continued) Convention Element Monospace text • File and directory names • System output • Code • Commands, their arguments, and argument values Monospace, italic text • Code variables • Command variables Monospace, bold text WARNING! CAUTION: IMPORTANT: NOTE: TIP: 34 Emphasized monospace text Indicates that failure to follow directions could result in bodily harm or death. Indicates that failure to follow directions could result in damage to equipment or data.
A DKA Encryption GUI Reference This chapter includes descriptions of encryption-related RWC windows and dialog boxes for the EDKA feature. For more information about other RWC windows and dialog boxes, see the HP XP7 Remote Web Console User Guide. Encryption Keys window Use the Encryption Keys window to create data encryption license keys. Clicking Encryption Keys in the Administration tree opens this window.
• “Summary” • “Encryption Keys tab” DKA Encryption GUI Reference
Summary Use the Summary to view details about the number of data encryption license keys and to open the View Backup Keys on Server window. Item Description Number of Encryption Keys Shows the number of data encryption license keys: • Data Encryption Key: Number of data encryption keys. • Certificate Encryption Key: Number of certificate encryption keys. • Free: Number of free keys (Number of keys that can be created). The number of key encryption keys are not included.
Item Description Select Export from the list to open the window for outputting table information.
Item Description Key Management Server Select whether to use the key management server: • Enable: (default) key management server is used. • Disable: key management server is not used. Server Setting When you use the key management server, the following items display: • Primary server • Secondary server • Server Configuration test Primary Server Specify the primary server information. • Host Name: Enter the host name of the key management server. Identifier: Enter the host identifier.
Item Description • Retry Interval (sec.): Enter the interval to retry the connection to the key management server. Values: 1 to 60. Default: 1. • Number of Retries: Enter the number of times to retry the connection to the key management server. Values: 1 to 50. Default: 3. • Client Certificate File Name: Select the client certificate file for connecting to the key management server. Click Browse and select the file. • Browse: Select the client certificate file.
Confirm window in the Edit Encryption Environmental Settings wizard Item Description Primary Server Displays the primary server information. • Key Management Server: Shows whether the key management server is used. ◦ Enable: key management server is used. ◦ Disable: key management server is not used. ◦ Not Set: Initialize the connection settings to the key management server. • Host Name: The host name of the key management server. • Port number: The port number of the key management server.
Item Description • Number of Retries: The number of times to retry the connection to the key management server. • Client Certificate File Name: The client certificate file for connecting to the key management server. • Password: The password for the client certificate is displayed as ****** (six asterisks). • Root Certificate File Name: The root certificate file for connecting to the key management server. Secondary Server When the secondary server exists, displays items same as the primary server.
Item Description Number of Encryption Keys Specifies the number of encryption keys (1-4,096). 4,096 is the maximum number of encryption keys. This window shows the value that subtracted the number of created DEK and Free keys from 4,096. Confirm window in the Create Keys wizard The following is the Confirm window in the Create Keys wizard. Item Description Number of Encryption Keys Displays the number of encryption keys.
This wizard includes the following windows: • Edit Password Policy (Backup Encryption Keys) window • Confirm window Edit Password Policy (Backup Encryption Keys) window Item Description Numeric Characters (0-9) The minimum number of numeric characters that should be used for this password. Values: 0 to 255 Default: 0 Uppercase Characters (A-Z) The minimum number of alphabetical upper case characters that should be used for this password.
Item Description Default: 0 Symbols The minimum number of symbols that should be used for this password. Values: 0 to 255 Default: 0 Total The minimum number of characters for this password. Values: 6 to 255 Default: 6 Confirm window in the Edit Password Policy (Backup Encryption Keys) wizard Use the Confirm window in the Edit Password Policy (Backup Encryption Keys) wizard to confirm the changes to the password policy.
Item Description Numeric Characters (0-9) Displays the minimum number of numeric characters that should be used for this password. Uppercase Characters (A-Z) Displays the minimum number of alphabetical upper case characters that should be used for this password. Lowercase Characters (a-z) Displays the minimum number of alphabetical lower case characters that should be used for this password. Symbols Displays the minimum number of symbols that should be used for this password.
Backup Keys to File window When the password policy is edited in the Edit Password Policy (Backup Encryption Keys) window, you will see the following figure. When the password policy is not edited in the Edit Password Policy (Backup Encryption Keys) window, you will see the following figure.
Item Description Password The password for the backup data encryption license key. Character limits: 6 to 255 Valid characters: • Numbers (0 to 9) • Upper case (A-Z) • Lower case (a-z) • Symbols: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ Re-enter Password 48 DKA Encryption GUI Reference Type the password again for confirmation.
Confirm window in the Backup Keys to File wizard When you click Apply in the Confirm window, a confirmation message will appear. After you click OK, a window for saving the file for encryption keys will appear. Enter the backup file name with the extension of “.ekf” and save the file. Backup Keys to Server wizard Use the Backup Keys to Server wizard to backup data encryption license keys on the key management server.
Backup Keys to Server window Item Description Description Optionally, enter a description for the backup data encryption license key.
Confirm window in the Backup Keys to Server wizard Item Description Description Shows the description for the backup data encryption license key. Restore Keys from file wizard Use the Restore Keys wizard to restore data encryption license keys from a file you backed up on the RWC computer.
Restore Keys from File window 52 Item Description File Name File name of the selected backup file. Browse Select the backup file (.ekf). The name of the selected file is shown for File Name. Password The password that you typed when you created the backup data encryption license key.
Confirm window in the Restore Keys wizard Item Description Item Item of the data encryption license key to restore. Value Value of the data encryption license key to restore. Restore Keys from Server wizard Use the Restore Keys from Server wizard to restore data encryption license keys from the key management server.
Restore Keys from Server window 54 Item Description UUID Shows the UUID of the data encryption license key that you backed up on the key management server. Backup Date Shows the time you backed up the data encryption license key on the key management server. Description Shows the description you typed when you backed up the data encryption license key on the key management server.
Confirm window in the Restore Keys from Server wizard Item Description UUID Shows the UUID of the data encryption license key you backed up on the key management server. Backup Date Shows the time when you backed up the data encryption license key on the key management server. Description Shows the description you typed when you backed up the data encryption license key on the key management server.
Delete Keys window 56 Item Description Key ID IDs of data encryption license keys.
Confirm window in the Delete Keys wizard Item Description Key ID The identifiers for the data encryption license keys. Delete Backup Keys on Server window Use the Delete Backup Keys on Server window to confirm the deletion of a backup key in RWC. This window includes the Selected Backup Keys table.
Item Description UUID Shows the UUID of the data encryption license key you backed up on the key management server. Backup Date Shows the time when you backed up the data encryption license key on the key management server. Description Shows the description you typed when you backed up the data encryption license key on the key management server. View Backup Keys on Server window Use the View Backup Keys on Server window to view a list of the backup data encryption license keys on the server.
Backup Keys table The Backup Keys table is shown on the View Backup Keys on Server window. This table lists the backup data encryption license keys. Item Description UUID Shows the UUID of the backup data encryption license key on the key management server. Backup Date Shows the time you backed up the data encryption license key on the key management server. Description Shows the description you typed when you backed up the data encryption license key on the key management server.
This wizard includes the following windows: • Edit Encryption window • Confirm window Edit Encryption window The Edit Encryption window includes the following items: • Available Parity Groups table For more information about this table, see “Available Parity Groups table”. • Selected Parity Groups table For more information about this table, see “Selected Parity Groups table”.
Item Description Parity Group ID Shows the parity group IDs. RAID Level Shows the RAID level of the parity group. For an interleaved parity group, the interleaved number appears after the RAID level. Example: 1(2D+2D)*2 Capacity Shows the total capacity (unit) of the parity group. Drive Type/RPM Shows the drive types and RPM (rotation per minute) of the LDEV in the parity group. Encryption Shows the encryption setting for the parity group. Enable: Encryption is enabled.
Item Description Parity Group ID Shows parity group IDs. RAID Level Shows the RAID level of the parity group. For an interleaved parity group, the interleaved number appears after the RAID level. Example: 1(2D+2D)*2 Capacity Shows the total capacity (unit) of the parity group. Drive Type/RPM Shows the drive types and RPM (rotation per minute) of the LDEV in the parity group. Encryption Shows the encryption setting for the parity group: • Enable: Encryption is enabled.
Selected Parity Groups table Use the Selected Parity Groups table to view a list of the selected parity groups related to the data encryption license key. Item Description Parity Group ID Shows parity group identifier. RAID Level Shows the RAID level of the parity group. For an interleaved parity group, the interleaved number appears after the RAID level. Example: 1(2D+2D)*2 Capacity Shows the total capacity of the parity group.
Item Description Task Name You can enter up to 32 ASCII characters (letters, numerals, and symbols) in Task Name. Task names are case-sensitive. Retry Key Encryption Key Acquisition window If you acquire the key encryption keys from the external key management server when the storage device starts, retry key encryption key acquisition unless you can acquire them by some reasons.
Retry Key Encryption Key Acquisition window 65
Glossary allocation The ratio of allocated storage capacity versus total capacity as a percentage. Allocated storage refers to those logical devices (LDEVs) that have paths assigned to them. Allocated storage capacity is the sum of the storage of these LDEVs. Total capacity is the sum of the capacity of all LDEVs on the disk array. BC P9000 or XP Business Copy. An HP application that provides volume-level, point-in-time copies in the disk array.
to be associated with 1 to 36 LDEVs. Essentially, LUSE makes it possible for applications to access a single large pool of storage. M-VOL Main volume. MCU Main control unit. OPEN-x A general term describing any of the supported OPEN emulation modes (for example, OPEN-E). There are two types of OPEN-x devices: legacy OPEN-x devices with a fixed size (such as OPEN-3, OPEN-8, OPEN-9, and OPEN-E), and OPEN-V, which has a variable size and is a CVS-based volume.
Index A R AES-256, 6 audit logging, 9, 30 related documentation, 32 requirements, 11 host platforms, 11 license key, 11 microcode, 11 password for encryption key, 48 Remote Web Console, 11 volume types, 11 B blocking volumes, 22, 24 C contacting HP, 32 conventions document, 33 storage capacity values, 33 text symbols, 34 D data encryption operations audit logging of, 9 disabling encryption, 8, 21 enabling encryption, 8, 20, 23 encrypting existing data, 8, 9, 26 troubleshooting, 30 decrypting data, 21
