Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - Release 4.x (OL-18091-01, February 2009)

CHAPTER 6
Cisco SME Key Management
This chapter describes the key management system of Cisco Storage Media Encryption (SME). It includes the following topics:
• Key Hierarchy, page 6-1
• Cisco Key Management Center, page 6-2
• Master Key Security Modes, page 6-3
• Key Management Settings, page 6-4
• High Availability Key Management Center, page 6-5
• Key Management Operations, page 6-7
• Migrating a KMC Server, page 6-48
Key Hierarchy
Cisco SME protects encrypted data with a hierarchy of security keys. The highest-level key is the master key, which is generated when a cluster is created; every cluster has a unique master key. Using key wrapping, the master key encrypts the tape volume group keys, which in turn encrypt the tape volume keys. A tape volume key can therefore be recovered only by first unwrapping its tape volume group key with the cluster master key.
For recovery purposes, the master key can be stored in a password-protected file or on one or more smart cards. When the cluster state is Archived (the key database has been archived) and you want to recover the keys, you need the master key file or the smart cards. The master key cannot be extracted by tampering with either the MSM-18/4 module or a smart card.
Keys are essential to safeguarding your encrypted data and must be protected from compromise. Keys should be stored in the Cisco Key Management Center; see the “Cisco Key Management Center” section on page 6-2 for information about the Cisco Key Management Center. In addition, unique tape keys can be stored directly on the tape cartridge. Keys are identified across the system by a globally unique identifier (GUID).
The Cisco SME key management system includes the following types of keys:
• Master key
• Tape volume group keys
• Tape volume keys
Every backup tape has an associated tape volume key, tape volume group key, and master key.
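The hierarchy described above (the master key wrapping tape volume group keys, which wrap tape volume keys) and the recovery of an Archived cluster from a password-protected master key file, as an added example that is not Cisco code and does not come from this guide. It assumes 256-bit keys, a PBKDF2-derived key-encryption key for the master key file, and an HMAC-SHA256 encrypt-then-MAC wrap in place of whatever wrap algorithm SME actually uses, which this page does not specify. The names ClusterKeyDatabase, wrap_key, unwrap_key, export_master_key, import_master_key and recover_tape_key are hypothetical, the key database is an in-memory stand-in for the KMC, and smart-card storage of the master key is not modeled.

```python
import hashlib
import hmac
import secrets
import uuid

# Added example, not Cisco code: master key -> tape volume group key -> tape volume
# key, each level wrapped under the one above. The wrap is an HMAC-SHA256 counter-mode
# keystream plus an encrypt-then-MAC tag, chosen only so this runs on the standard
# library; SME's real wrap algorithm is not stated on this page.

KEY_LEN = 32            # 256-bit keys (assumed)
NONCE_LEN = 16
TAG_LEN = 32            # HMAC-SHA256 output
PBKDF2_ITERS = 200_000  # assumed; the page gives no master key file parameters

def _keystream(kek, nonce, length):
    """PRF keystream: HMAC(kek, "enc" || nonce || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap_key(kek, key):
    """Wrap `key` under key-encryption key `kek`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key(kek, blob):
    """Check the tag before decrypting: a wrong KEK or a tampered blob raises, never yields a key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key-encryption key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def _password_kek(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, KEY_LEN)

def export_master_key(master_key, password):
    """Password-protected master key file: salt || wrap(PBKDF2(password, salt), master key)."""
    salt = secrets.token_bytes(16)
    return salt + wrap_key(_password_kek(password, salt), master_key)

def import_master_key(master_key_file, password):
    salt, blob = master_key_file[:16], master_key_file[16:]
    return unwrap_key(_password_kek(password, salt), blob)

class ClusterKeyDatabase:
    """In-memory stand-in (constructed for this example) for one cluster's key database."""

    def __init__(self):
        self.cluster_guid = str(uuid.uuid4())
        self.master_key = secrets.token_bytes(KEY_LEN)  # generated at cluster creation, unique per cluster
        self.volume_groups = {}  # group GUID -> group key wrapped by the master key
        self.volumes = {}        # tape GUID  -> (group GUID, volume key wrapped by the group key)
        self.state = "Active"

    def create_volume_group(self):
        guid = str(uuid.uuid4())
        self.volume_groups[guid] = wrap_key(self.master_key, secrets.token_bytes(KEY_LEN))
        return guid

    def create_tape_volume(self, group_guid):
        group_key = unwrap_key(self.master_key, self.volume_groups[group_guid])
        volume_key = secrets.token_bytes(KEY_LEN)
        guid = str(uuid.uuid4())
        self.volumes[guid] = (group_guid, wrap_key(group_key, volume_key))
        return guid, volume_key  # plaintext volume key goes to the encryption engine for this tape

    def archive(self, password):
        """Archive the cluster: the master key leaves the database only as a protected file."""
        master_key_file = export_master_key(self.master_key, password)
        self.master_key = None
        self.state = "Archived"
        return master_key_file

def recover_tape_key(db, master_key_file, password, tape_guid):
    """Walk the hierarchy top-down from the recovered master key to one tape volume key."""
    master_key = import_master_key(master_key_file, password)
    group_guid, wrapped_volume_key = db.volumes[tape_guid]
    group_key = unwrap_key(master_key, db.volume_groups[group_guid])
    return unwrap_key(group_key, wrapped_volume_key)

def recovery_succeeds(db, master_key_file, password, tape_guid):
    """True if the tape key is recoverable; False when the password (hence the KEK) is wrong."""
    try:
        recover_tape_key(db, master_key_file, password, tape_guid)
        return True
    except ValueError:
        return False
```

The point to notice is in recover_tape_key: a tape volume key is reachable only top-down through its group key and the master key, and a wrong password fails the tag check on the master key blob instead of quietly producing a wrong key. That is why the master key file (or the smart cards) is indispensable once a cluster is Archived, and why the file's password deserves the same care as the keys themselves.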