Administrator Guide

Not to be confused with the MEK, the Storage Center manages a separate set of keys for providing data-at-rest encryption. These keys
are referred to as authority credentials. The purpose of these keys is to protect against the theft of any number of drives. If a secured
drive from a Secure Data folder is removed from the system such that power is removed, the drive will be locked and customer data will
be unreadable.

WARNING: Storage Center will not be able to manage a previously-managed drive as an SED if the key has been deleted from
the drive or the key management server.

Authenticating to the drive using the authority credential is the only means of unlocking the drive while preserving customer data.
The authority credential can only be obtained by successfully authenticating to the related key management server through a secure
channel.

Use the Copy Volumes to Disk Folder operation to copy volumes from a Secure Data folder to another folder. The destination folder can
be either a secure folder or a nonsecure folder.

To protect data at rest, all SEDs in a Secure Data disk folder lock when power is removed (lock on reset enabled). When power is removed
from the drive, the drive cannot be unlocked without an authority credential.

When replicating from a Secure Data volume to a non-Secure Data folder, that volume is no longer secure after it leaves the Secure Data
folder. When replicating a non-Secure Data volume to a Secure Data folder, that volume is not secure until it replicates to the Secure Data
folder and Data Progression runs.

Congure Key Server
Before managing SEDs in a Secure Data folder, congure communication between Storage Center and the key management server.
Prerequisite
The Storage Center must have the Self-Encrypting Drives license.
Steps
1 If you are connected to a Data Collector, select a Storage Center from the drop-down list in the left navigation pane.
2 Click Summary.
The Summary view is displayed.
3 Click (Settings).
The Storage Center Settings dialog box opens.
4 Click the Secure Data tab.
5 In the Hostname field, type the host name or IP address of the key management server.
6 In the Port field, type the number of a port with open communication with the key management server.
7 In the Timeout field, type the amount of time in seconds after which Storage Center should stop attempting to reconnect to the key
management server after a failure.
8 To add alternate key management servers, type the host name or IP address of another key management server in the Alternate
Hostnames area. Then click Add.
NOTE: Alternate hostnames should be added to the configuration after all drives in the system have initially been managed
and fully secured. To ensure optimized access times during initial Key creation, alternate hostnames should be added only
after the drives in the Storage Center have been initially managed and fully secured.
9 If the key management server requires a user name to validate the Storage Center certificate, type the name in the Username field.
10 If the key management server requires a password to validate the Storage Center certificate, type the password in the Password field.
11 Configure the key management server certificates.
a Click Configure Key Management Server Certificates.
The Configure Key Management Server Certificates dialog box opens.
b Click Browse next to the Root CA Certificate. Navigate to the location of the root CA certificate on your computer and select
it.
c Click Browse next to the certificate fields for the controllers. Navigate to the location of the controller certificates on your
computer and select them.
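
A pre-flight check that can be run on the workstation before step 11 (an added example, not part of this guide or of Storage Center): it confirms that each controller certificate chains to the root CA certificate and is not about to expire. It assumes PEM-encoded files, controller certificates issued directly by the root CA, and an openssl binary on the PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example: check certificate files before selecting them in the
# Configure Key Management Server Certificates dialog box.
# Assumptions: PEM files, controller certificates issued directly by the
# root CA, openssl on PATH. File names below are placeholders.

# Succeeds if certificate $2 validates against root CA $1.
cert_chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if certificate $1 is still valid $2 days from now (default 30).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Print the fields to compare with what the key management server
# administrator issued: subject, issuer, expiry, SHA-256 fingerprint.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# preflight ROOT_CA CERT...  Returns the number of certificates that failed.
preflight() {
    root_ca=$1; shift
    failures=0
    for cert in "$@"; do
        if ! cert_chains_to_root "$root_ca" "$cert"; then
            echo "FAIL (does not chain to $root_ca): $cert"
            failures=$((failures + 1))
        elif ! cert_not_expiring "$cert" 30; then
            echo "FAIL (expires within 30 days): $cert"
            failures=$((failures + 1))
        else
            echo "OK: $cert"
            describe_cert "$cert" | sed 's/^/    /'
        fi
    done
    return "$failures"
}

# Example: sh preflight.sh root-ca.pem controller1.pem controller2.pem
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

A non-zero exit status is the count of certificates that should not be uploaded until they are reissued or the correct root CA file is located.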
Storage Center Maintenance