HP XP7 DKA Encryption User Guide (TK901-96001)

Updating CEK keys.
Updating KEK keys.
For more information about backing up secondary data encryption license keys, see “Workflow
for backing up secondary data encryption license keys” (page 18).
CAUTION: Make the secure storage of secondary backup encryption license keys a required part of
your corporate security policy.
If the primary backup key becomes unavailable and no secondary backup key exists, the system
cannot decrypt encrypted data.
KMIP key management server support
Using the HP XP7 Storage system, you can back up and restore data encryption license keys on a
key management server that supports the Key Management Interoperability Protocol (KMIP).
There are a limited number of keys you can back up on the key management server. Therefore, it
is recommended that you delete unnecessary keys when possible.
For more information about backing up data encryption license keys to a key management server,
see “Backing up keys to a key management server” (page 19).
Data encryption workflow
The DKA Encryption feature provides data encryption at the parity-group level to protect the data
on LDEVs. Use the following process to set up for and enable data encryption:
1. A secondary data encryption license key is backed up.
2. Data encryption is enabled at the parity-group level.
3. The logical devices (LDEVs) in the parity group are formatted.
4. If V-VOLs are used, the V-VOLs are also formatted.
For more information about enabling data encryption, see “Enabling data encryption at the
parity-group level” (page 20).
Data encryption on existing data workflow
Use the following process to encrypt existing data:
1. A new parity group is created. Your service representative creates parity groups using the
SVP.
2. Data encryption is enabled on the parity group.
3. The LDEVs in the encrypted parity group are formatted.
4. The existing data is migrated to the new LDEVs in the encrypted parity group.
For more information about moving unencrypted data to an encrypted environment, see “Workflow
for moving unencrypted data to an encrypted environment” (page 23).
Disabling data encryption workflow
Use the following process to disable encryption:
1. Data in the parity group is backed up.
2. Data encryption is disabled at the parity-group level.
3. The LDEVs in the parity group are formatted.
4. The LDEVs are unblocked.
For more information about disabling encryption, see “Workflow for disabling data encryption at
the parity-group level” (page 21).
8 DKA Encryption Overview