NonStop Volume Level Encryption Guide
only the HP documented applications and interfaces. For information about the CLIM, see the
appropriate generation of the HP ProLiant DL385 Server Maintenance and Service Guide.
The ESKM is based on HP ProLiant server technology. It generates, stores, and serves keys to CLIMs.
It automatically replicates keys across clusters, can perform backup and restore of the key database,
and provides a local Certificate Authority (CA) used to create client certificates for strong TLS
authentication of CLIMs to the key manager.
Key managers are installed in pairs or larger clusters for high availability. The key manager device
may be installed anywhere (in the same or in another datacenter) but must be network-accessible
to Storage CLIMs. The encryption Storage CLIM connects to key managers using its second LAN
port (eth1).
Encryption in a system
Communication between a NonStop system and Storage CLIMs is done with a combination of
ServerNet and the maintenance LAN. Users enter SCF commands to enable or disable encryption
on a particular device and to set up encryption parameters. The second Ethernet port (eth1) on the
CLIM is connected directly to the Enterprise LAN so that Storage CLIMs can communicate with the
key manager.
Figure 1: System Connections shows how system components are connected in a system.
Figure 1 System Connections
1 NonStop processors
2 System console
3 ServerNet
4 CLIMs
5 Maintenance LAN
6 Key managers
7 Enterprise LAN