NonStop Volume Level Encryption Guide HP Part Number: 580587-004 Published: August 2012 Edition: J06.09 and subsequent J-series RVUs, and H06.
© Copyright 2012 Hewlett-Packard Development Company, L.P. Legal Notice Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
About This Document This document describes how to install and maintain volume level encryption provided by Storage CLIMs and the HP Enterprise Secure Key Manager. Supported Release Version Updates (RVUs) This manual supports J06.09 and all subsequent J-series RVUs, and H06.20 and all subsequent H-series RVUs, until otherwise indicated in a replacement publication.
◦ Added “Moving tape drives” (page 51).
◦ Added “Temporarily turning encryption off” (page 52).
• Chapter 4: “Maintenance” (page 53)
◦ Updated “License” (page 53) to indicate that the file must be binary.
Document Organization
This document is organized as follows:
Chapter 1: Overview. Provides an overview of encryption, supported systems, system requirements, encryption in a system, and encryption licensing.
the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example: FC [ num ] [ -num ] [ text ] K [ X | D ] address | Vertical Line A vertical line separates alternatives in a horizontal list that is enclosed in brackets or braces. For example: INSPECT { OFF | ON | SAVEABEND } Punctuation Parentheses, commas, semicolons, and other symbols not previously described must be typed as shown. For example: error := NEXTFILENAME ( file-name ) ; LISTOPENS SU $process-name.
Publishing History
Part Number    Product Version    Publication Date
580587-002     N.A.               November 2010
580587-001     N.A.               November 2009
HP Encourages Your Comments
HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs. Send any errors found, suggestions for improvement, or compliments to docsfeedback@hp.com. Include the document title, part number, and any comment, error found, or suggestion for improvement you have concerning this document.
1 Overview Encryption Encryption on storage devices protects sensitive customer data from theft and helps our customers comply with regulations like HIPAA and the Payment Card Industry (PCI) Data Security Standard. Volume level encryption provides system integrated volume level encryption for storage devices connected to Integrity NonStop NS Series systems or NonStop Integrity BladeSystems that use a Storage CLIM. Data-at-rest on disks and tape drives is encrypted using IEEE 1619 (disk) and IEEE 1619.
Encryption management
The CLIM is managed with a combination of OSM, the CLIMCMD tool, I/O Essentials, and an integrated Lights Out Management (iLO) interface. For details, see the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual and the NonStop Cluster I/O Module (CLIM) Installation and Configuration Guide. Encrypted disks and tape drives are managed with the SCF storage subsystem.
only the HP documented applications and interfaces. For information about the CLIM, see the appropriate generation of the HP ProLiant DL385 Server Maintenance and Service Guide. The ESKM is based on HP ProLiant server technology. It generates, stores, and serves keys to CLIMs.
Licensing Encryption is enabled by a license available from HP, which is installed on the NonStop system. Licensing is described in “License” (page 53). Enrolling CLIMs as ESKM clients also requires the availability of sufficient client licenses in the ESKM cluster. ESKM Client Licensing and license installation is described in the Enterprise Secure Key Manager Installation and Replacement Guide, on the CD shipped with the device.
2 Installation
Installation overview
In order to use Volume Level Encryption, you must install the ESKM and establish ESKM/CLIM connectivity over the enterprise LAN. ESKM/CLIM interactions must be mutually authenticated with certificates (a server certificate on each ESKM and a client certificate for the CLIMs) and encrypted with SSL, so that the CLIM can securely receive keys from the ESKM. The appropriate security officers must be enabled to control volume encryption from the NonStop system.
• “8. Register the CLIMs” (page 42)
• “9. Verify connection between the CLIM and the key managers” (page 43)
• “10. Back up the configuration files” (page 43)
• “11. Back up the Key Managers” (page 43)
Moving an ESKM device and its license to another system
Licensing on the NonStop system is done on a per-system basis. However, the license on the ESKM depends on the number of CLIMs enrolled as clients, because each enrolled client consumes an ESKM client license.
Installation steps
1. Install Storage CLIMs
If the system does not have Storage CLIMs, follow the procedures in the NonStop Cluster I/O Module (CLIM) Installation and Configuration Guide to install, connect, and configure them. The CLIM should be in the STARTED state.
2. Install the license
Obtain the encryption license file by emailing License.Manager@hp.com. Install the file in $SYSTEM.ZLICENSE.NSVLE and change the file code to 407. For details about the license, see “License” (page 53).
3.
5. Configure eth1 (enterprise LAN)
The service provider uses CLIMCMD to configure eth1 (the enterprise LAN) on the CLIM:
climconfig interface -add eth1
climconfig ip -add eth1 -ipaddress 16.107.132.108 -netmask 255.255.252.0
climconfig route -add eth1 -default -gateway 16.107.132.1
ifstart eth1
IP addresses and route options are customer-dependent. See the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual for details.
6.
a. If you did not do so during the ESKM installation, create local CA NSVLECA (the name used in this example) and use it to sign the server certificate:
1) Log onto the Secure Key Manager GUI as admin. The login name is case sensitive.
2) On the Security tab, select Local CAs.
3) Enter the information to create a local certificate authority.
4) Click Create.
You can use the local CA to sign both server and client certificates. You must download this CA to the NonStop system.
a. Create the cluster.
b. Download the cluster key.
For all other ESKM nodes, perform these tasks:
1. Start the appliance.
2. Configure the appliance.
3. Add additional ESKM appliances to the cluster.
4. Create and install the ESKM Server Certificate.
For one node, create the NSSuser (NonStop setup user) login with “User Administration Permission” and “Change Password Permission” selected. For all nodes, back up the configuration. See the Enterprise Secure Key Manager Users Guide for details.
7.
d. Click Create Certificate Request.
e. In the Certificate List, select the radio button for the NSVLESERVERCERTIFICATE certificate and click its name to open it:
f.
Click Back to leave this screen.
B. Sign the server certificate request NSVLEServerCertificate with the local CA NSVLECA
Perform this step for each Key Manager.
a. On the Security tab, select Local CAs.
b.
c. Paste the certificate request into the Certificate Request box. For Certificate Purpose, select Server : d. Click Sign Request.
f. On the Security tab, select Certificates.
g. In the Certificate list, select the radio button for NSVLESERVERCERTIFICATE and click its name to open it.
h. Select Install Certificate. Paste the signed certificate into the Certificate Response box and click Save to save the server certificate.
C. Set FIPS compliant mode For details about FIPS compliance and the ESKM, see the Enterprise Secure Key Manager Users Guide. a. On the Security tab, select High Security. b.
D. Set KMS server settings For details about the KMS server, see the Enterprise Secure Key Manager Users Guide. a. On the Device tab, select KMS Server. b. Select NSVLESERVERCERTIFICATE from the Server Certificate drop down list: c. Make sure all other KMS server settings are set as follows: Port lists the correct port on which the KMS Server is listening for client requests. The default port is 9000; however, you can use any available port.
d. Click Save.
E. Set KMS server authentication settings
a. On the Device tab, select KMS Server.
b.
c. Click Save.
F. Create the NSSuser local user, if you have not created one, and set security
NOTE:
• The NSSuser is a temporary user which you should delete, for security reasons, as soon as the enrollment process is completed.
• As long as the NSSuser local user exists, it will consume a client license. Until you delete it, you may receive warnings that the number of licenses has been exceeded. During the installation and enrollment process you may ignore these warnings.
c. Add the NSSuser name and password, and select all permissions. The user name must be NSSuser. This password will only be used in the “Register CLIMs with Key Managers” guided procedure in “8. Register the CLIMs” (page 42).
d. Click Save.
G. Create client certificate request for the NSSuser local user
The certificate request for the NSSuser cannot be created using the key manager.
Create signed NSSuser client certificate with a PC
If you have a PC with OpenSSL installed that has access to both a NonStop TACL session and the Key Manager’s web browser interface, you can use it to create the NSSuser private key, the NSSuser signed certificate, and the NSSuser passphrase file for NonStop. The examples that follow were created with this version of OpenSSL:
c:\>openssl version
OpenSSL 0.9.8j 07 Jan 2009
c:\>
a.
e. Use the cat command to display the client certificate request: C:\zencrypt>cat client.
i. Click Sign Request.
j. Click Download at the bottom of the NSSuser signed client certificate.
k. When the system asks if you want to open or save the signed.cer file, select Save. Save the NSSuser signed client certificate in the C:\zencrypt directory on your PC and name the saved file client.signed. When the download completes, click the Close button.
NOTE: Windows appends “.cer” to the end of the specified filename so the actual signed certificate is saved on the PC as “client.signed.cer”.
l.
150 Opening data connection for nssukey (16.92.141.110,62452d).
226 Binary Transfer complete.
ftp: 1261 bytes sent in 0.00Seconds 1261.00Kbytes/sec.
ftp> put client.signed.der nssucert,0
200 PORT command successful.
150 Opening data connection for nssucert (16.89.93.70,63991d).
226 Binary Transfer complete.
ftp: 933 bytes sent in 0.00Seconds 466.50Kbytes/sec.
ftp> quit
221 Goodbye.
Note that FTP sends the files, including the NSSuser private key (nssukey), over the network in cleartext. Where SFTP is available, use it instead, as the CLIMCMD procedure does for the SIGNCERT file.
p.
Create signed NSSuser client certificate with CLIMCMD
a. Log on to a TACL prompt as SUPER.SUPER on the system where you are creating the NSSuser files. Use the VOLUME command to create the $SYSTEM.ZENCRYPT subvolume:
$SYSTEM STARTUP 2> VOLUME $SYSTEM.ZENCRYPT
$SYSTEM ZENCRYPT 3> fileinfo *
No files match \OSM8.$SYSTEM.ZENCRYPT.*
$SYSTEM ZENCRYPT 4>
b. Use the CLIMCMD mkdir command to create a temporary directory on the CLIM. You can use any CLIM on the system.
Enter pass phrase for /tmp/zencrypt/client.key: passphrase
writing RSA key
Termination Info: 0
$SYSTEM ZENCRYPT 7>
e. Use the CLIMCMD OpenSSL command to convert the PEM formatted NSSuser private key into a DER formatted private key. You will be asked to enter the passphrase that you used to create the private key. Enter this command, all on one line:
$SYSTEM ZENCRYPT 7> climcmd c100231 openssl pkcs8 -topk8 -in /tmp/zencrypt/client.key.pem -outform DER -out /tmp/zencrypt/client.key.
i. Select Client as Certificate Purpose. Paste the copied certificate request into the box.
j. Click Sign Request.
k. Select and copy the NSSuser client signed certificate text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
l. Go back to the TACL prompt and use TEDIT to create a file on the NonStop system called SIGNCERT:
$SYSTEM ZENCRYPT 9> tedit SIGNCERT
$SYSTEM.ZENCRYPT.SIGNCERT doesn't exist. OK to create? Respond Y or N: y
m. Paste the NSSuser signed client certificate into the SIGNCERT edit file. Save and close the file. The NSSuser signed client certificate is now on the NonStop system.
Y1 Location................ Group 100 , Module 3 , Slot 3 , Port 1 SvNet ID 1................. 0x000E08C6 X2 Location................ Group 100 , Module 2 , Slot 3 , Port 2 Y2 Location................ Group 100 , Module 3 , Slot 3 , Port 2 SvNet ID 2................. 0x000E09C6 Maintenance Interface IP... 192.168.38.31 Total Errors = 0 Total Warnings = 0 p. Use SFTP to transfer the SIGNCERT file to the Maintenance Interface IP Address of the CLIM.
sftp> quit
s. Verify that the NonStop temporary subvolume contains the DER formatted NSSuser signed certificate, the DER formatted NSSuser private key, the NSSuser passphrase file, and the signed certificate file:
$SYSTEM ZENCRYPT 18> fileinfo *
$SYSTEM.ZENCRYPT
NSSUCERT  NSSUKEY  NSSUPASS  SIGNCERT
t.
d. Select Edit for the Trusted Certificate Authority List: e. Find the desired local CA on the “Available CAs” list and the imported CAs (if any) and add it to the “Trusted CAs” list, using the Add button: f. Click Save.
I. Verify connection between the NonStop system and the Key Manager
Use ping to verify that the NonStop system and key managers can communicate:
\JUNO1.$SYSTEM.STARTUP 1> ping 16.107.200.122
PING 16.107.200.122: 56 data bytes
64 bytes from 16.107.200.122: icmp_seq=0. time=20. ms
64 bytes from 16.107.200.122: icmp_seq=1. time=10. ms
64 bytes from 16.107.200.122: icmp_seq=2. time=10. ms
64 bytes from 16.107.200.122: icmp_seq=3. time=10. ms
----16.107.200.
NOTE:
• The NSSuser is a temporary user which you should delete, for security reasons, as soon as the enrollment process is completed.
• As long as the NSSuser local user exists, it will consume a client license. Until you delete it, you may receive warnings that the number of licenses has been exceeded. During the installation and enrollment process you may ignore these warnings. They are a reminder that this user should be deleted when enrollment has been completed.
3 Encrypting data on storage devices This section describes how to encrypt data on disk drive and tape devices. Only the security officer can enable or disable encryption. Encrypting data on disk drives These procedures describe how to encrypt data on disk drives. Each disk has a unique encryption key, which means that primary and mirror disks of a mirrored volume will have different encryption keys. The CLIM performs the disk data encryption and decryption.
Figure 2 Fault tolerant configuration (legend: 1 NonStop processors; 2 CLIMs; 3 Disks)
When you issue an SCF ALTER DISK, $disk-name-M NEWENCRYPTKEY command, SCF brings down the -MB path.
(Figure legend: 1 NonStop processors; 2 CLIMs; 3 Disks)
The CLIM on the -M path reads the data, re-encrypts it with the new key and writes it back to the disk. The -MB path is automatically brought up at the completion of the key rotation on the -M path.
NOTE: It can take up to 15 minutes for the -MB path to be automatically brought up.
KeyName.......... N5000C50005B0551F_1_20090827093551
                  N5000C50005B0551F_2_20090827093551
KeyAlgorithm..... XTS-AES
KeySize.......... 256
ChangeStatus..... In progress at %H005BEF00 of %H11176B27 (2%)
EncryptRate...... 50
EncryptPriority.. 4
Backup path
KeyName.......... N5000C50005B0551F_1_20090827093551
                  N5000C50005B0551F_2_20090827093551
KeyAlgorithm..... XTS-AES
KeySize.......... 256
ChangeStatus..... In progress on other CLIM
Mirror path
Not Encrypted
ChangeStatus.....
1. STOP the path performing the key rotation.
2. INITIALIZE the disk that was performing the key rotation with NEWENCRYPTKEY.
3. START the disk to revive it.
Encrypting disk data with REVIVE key rotation
This section describes how to encrypt data on mirrored disks by initializing and reviving the disk.
Overview
To encrypt a mirrored disk volume, use SCF DISK INITIALIZE and START commands, as shown in Figure 4:
1. Stop the mirror disk.
2. Set the mirror disk to be encrypted using the INITIALIZE command.
Preparation for REVIVE key rotation
Before performing INIT and REVIVE, prepare the disks:
• Use FCHECK to check the disk volume for errors:
FCHECK -SCAN -VOL volume-name
See FCHECK --HELP for help.
REVIVE key rotation procedure
To encrypt a mirrored disk volume, follow these procedures. For details about SCF commands, see the SCF Reference Manual for the Storage Subsystem.
1. Use the SCF STOP DISK command to stop both paths to the mirror disk:
STOP disk-name-M
STOP disk-name-MB
2.
ChangeStatus..... No change in progress
Mirror path
KeyName.......... N50000C500078BFDF7_20090827162017
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
ChangeStatus..... No change in progress
Mirror backup path
KeyName.......... N50000C500078BFDF7_20090827162017
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
ChangeStatus..... No change in progress
The XTS-AES KeyAlgorithm uses two KeyNames; a CBC-AES volume, as shown above, has one.
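The script below is an added example, not HP's SCF or OSM tooling, showing how to summarize a captured STATUS DISK, ENCRYPTION display such as the one above and the key-rotation display earlier in this chapter. It recovers the exact rotation progress from the %H (hexadecimal) byte offsets that SCF prints, which SCF itself rounds to a whole percent, and classifies the volume's paths for monitoring. The sample display embedded in it is constructed from those two displays; the node name \NODE1, the NSVLE_RUN variable and the state names are assumptions.

```shell
#!/bin/sh
# Added example (not HP's own tooling): summarize a captured
# "SCF STATUS DISK $vol, ENCRYPTION" display and recover the exact key-rotation
# progress from the %H (hexadecimal) offsets SCF prints.
set -eu

# Constructed sample, modeled on the manual's key-rotation display: primary
# path rotating, backup path following on the other CLIM, mirror not encrypted.
sample_status() {
cat <<'EOF'
STORAGE - Status DISK \NODE1.$SAS112, ENCRYPTION
Primary path
KeyName.......... N5000C50005B0551F_1_20090827093551 N5000C50005B0551F_2_20090827093551
KeyAlgorithm..... XTS-AES
KeySize.......... 256
ChangeStatus..... In progress at %H005BEF00 of %H11176B27 (2%)
EncryptRate...... 50
EncryptPriority.. 4
Backup path
KeyName.......... N5000C50005B0551F_1_20090827093551 N5000C50005B0551F_2_20090827093551
KeyAlgorithm..... XTS-AES
KeySize.......... 256
ChangeStatus..... In progress on other CLIM
Mirror path
Not Encrypted
ChangeStatus..... No change in progress
Mirror backup path
Not Encrypted
ChangeStatus..... No change in progress
EOF
}

# Rotation progress with two decimals, computed from the hex offsets rather
# than SCF's whole-percent rounding. Prints nothing if no path on this CLIM
# is mid-rotation ("In progress on other CLIM" carries no offsets).
rotation_percent() {
  sed -n 's/.*In progress at %H\([0-9A-Fa-f]*\) of %H\([0-9A-Fa-f]*\).*/\1 \2/p' "$1" \
  | while read -r cur total; do
      hundredths=$(( 0x$cur * 10000 / 0x$total ))
      printf '%d.%02d\n' $(( hundredths / 100 )) $(( hundredths % 100 ))
    done
}

# Paths (Primary, Backup, Mirror, Mirror backup) reported as Not Encrypted.
unencrypted_paths() {
  awk '/ path$/ { path = $0; next }
       $0 == "Not Encrypted" { print path }' "$1"
}

# Paths that report an algorithm, i.e. are encrypted (possibly mid-rotation).
encrypted_paths() {
  awk '/ path$/ { path = $0; next }
       /^KeyAlgorithm/ { print path }' "$1"
}

# Paths whose ChangeStatus shows a rotation underway, on this CLIM or the other.
rotating_paths() {
  awk '/ path$/ { path = $0; next }
       /^ChangeStatus/ && /In progress/ { print path }' "$1"
}

# One-word state for a monitor: ROTATING while any path rotates; otherwise
# MIXED (some paths encrypted, some not), ENCRYPTED, or CLEAR.
rotation_state() {
  if [ -n "$(rotating_paths "$1")" ]; then
    echo ROTATING
  elif [ -n "$(encrypted_paths "$1")" ] && [ -n "$(unencrypted_paths "$1")" ]; then
    echo MIXED
  elif [ -n "$(encrypted_paths "$1")" ]; then
    echo ENCRYPTED
  else
    echo CLEAR
  fi
}

if [ "${NSVLE_RUN:-0}" = 1 ]; then
  f=$(mktemp); sample_status > "$f"
  printf 'state=%s progress=%s%%\n' "$(rotation_state "$f")" "$(rotation_percent "$f")"
  rm -f "$f"
fi
```

For the sample, %H005BEF00 of %H11176B27 works out to 2.10%, which is the figure SCF displays as (2%); polling the exact value lets a monitor tell a slow rotation from a stalled one. A volume that is MIXED with nothing rotating is the state the recovery steps in "Encrypting disk data with key rotation" describe (STOP, INITIALIZE with NEWENCRYPTKEY, START).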
it to the drive. The CLIM does not perform the encryption or decryption of tape data. Tape encryption always uses the GCM-AES algorithm with key size 256. Tape encryption keys may be generated per drive (KEYPERDRIVE) or per tape media (KEYPERTAPE). KEYPERDRIVE means that all tapes that are written by the tape drive will use the same encryption key. KEYPERTAPE means that each tape that is written by the tape drive will use a unique encryption key.
Temporarily turning encryption off If you need to create an unencrypted tape you can turn encryption off, create the tape, and re-enable encryption. When encryption is re-enabled, the same key will be used. Clearing tape drive encryption To clear tape drive encryption, follow these procedures: 1. Use the SCF STOP TAPE command to stop the drive. 2. Issue the ALTER TAPE, KEYGENPOLICY NOENCRYPTION command. The next tapes written will write data in non-encrypted form. 3.
4 Maintenance
Security
Security is enhanced for volume level encryption. All users can perform status commands, but alter commands are restricted:
• Some SCF commands require the user to be a member of the Safeguard SECURITY-ENCRYPTION-ADMIN group, 65536.
• These SCF commands require the user to be logged on as a user of the local system.
• Safeguard ($ZSMP) must be running at user logon so it can determine whether the user is in group 65536.
STATUS CLIM, ENCRYPTION
Use the STATUS CLIM, ENCRYPTION command to list encrypted devices by CLIM. This command is useful to determine which devices on a CLIM are encrypted:
7-> STATUS CLIM $ZZSTO.C100281, ENCRYPTION
STORAGE - Encryption Status CLIM \JUN01.$ZZSTO.
Change in progress................ 1
Change in progress by this CLIM... 1
STATUS DISK, ENCRYPTION
Use the STATUS DISK, ENCRYPTION command to see the encryption status of a disk:
90-> STATUS DISK $SAS112, ENCRYPTION
STORAGE - Status DISK \BLDQA2.$SAS112, ENCRYPTION
Primary path
Not Encrypted
ChangeStatus..... No change in progress
Backup path
Not Encrypted
ChangeStatus..... No change in progress
Mirror path
Not Encrypted
ChangeStatus..... No change in progress
Mirror backup path
Not Encrypted
ChangeStatus..
Not present or encryption status unknown
Drive
MasterKeyName.... N500110A00102EF9E
KeyAlgorithm..... GCM-AES
KeySize.......... 256
KeyGenPolicy..... KeyPerTape
Troubleshooting
SCF uses the maintenance LAN to communicate with the CLIM. If there are SCF to CLIM connectivity issues, SCF might return errors 120, 121, 122, 123, or 127. Here is the help for error 122:
42-> help storage 122
HELP STORAGE 00122
STORAGE E00122 Can't determine IP address for CLIM.
Probable Cause
Can't determine IP address for CLIM.
Failure Recovery Key manager failure • CLIM is unable to communicate with the specific key manager. If other key managers in the cluster are still available, volume level encryption will continue to work. • The SCF STATUS KEYMANAGER command will report the failed key manager. • OSM will display an alarm for the failed key manager; however, OSM polls the key managers periodically and failure will not be detected immediately.
A Encryption background Encryption transforms plaintext data into encrypted data using an encryption key. Decryption transforms encrypted data back into the plaintext form using a decryption key. Encrypted data is secure because it cannot be decoded into plaintext form, in a reasonable amount of time, without the decryption key. There are two types of encryption: asymmetric and symmetric. Asymmetric, or public key, encryption This technique uses a private/public key pair.
Glossary of terms used in this manual A AES Advanced Encryption Standard is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. AES ciphers have been analyzed extensively and are now used worldwide. B Block cipher A symmetric key cipher operating on fixed-length groups of bits, termed blocks, with an unvarying transformation.
K KMS Key Management System (KMS) Server. The KMS server is the firmware component of the ESKM server that manages communications between the ESKM and the clients. N NSSuser NonStop Setup User. The user that performs the “8. Register the CLIMs” (page 42) installation step. NSVLE NonStop Volume Level Encryption. P PCI Payment Card Industry R RSA RSA (which stands for Rivest, Shamir, and Adleman who first publicly described it) is an algorithm for public-key cryptography.