Nonstop Volume Level Encryption Guide
ChangeStatus..... No change in progress
Mirror path
KeyName.......... N50000C500078BFDF7_20090827162017
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
ChangeStatus..... No change in progress
Mirror backup path
KeyName.......... N50000C500078BFDF7_20090827162017
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
ChangeStatus..... No change in progress
The XTS-AES KeyAlgorithm uses two KeyNames. If the disk was initialized with the CBC-AES
algorithm, one KeyName is displayed.
Changing encrypted disk keys
To change disk encryption keys, re-encrypt the data on the disk with either the CLIM key rotation
or REVIVE key rotation. The NEWENCRYPTKEY option that is specified in the INITIALIZE or ALTER
command will cause a new key to be generated for that device.
Disk keys should be changed periodically as required by the customer security policy. The customer
security officer should determine the schedule of key change.
Moving disk drives
If you want to move encrypted disk drives between two systems with different ESKM clusters (for
instance, from a test system to a production system), you must export the disk drive's key and move
it to the other cluster. Use the Backup and Restore method to move the key. Keys are not
synchronized with cluster members. You must restore the key on each of the ESKM members within
the cluster, or you can do a “Synchronize Cluster” operation to propagate the key to the other
members of the cluster.
Decrypting a disk
To clear encryption on an encrypted disk, use the CLEARENCRYPTKEY option. This option may be
used with the INITIALIZE disk command (during the REVIVE key rotation) or with the ALTER disk
command (during CLIM key rotation).
To clear encryption using REVIVE key rotation:
INITIALIZE disk-name-P | -M, CLEARENCRYPTKEY
To clear encryption using CLIM key rotation:
ALTER disk-name-P | -B | -M | -MB, CLEARENCRYPTKEY
Disk hardware replacement
If there is a disk failure and the encrypted disk is replaced with a new disk, the new disk will not
be encrypted. The security officer is expected to INITIALIZE the disk with encryption. Unless that
disk is altered to be encrypted, when it is revived SCF issues a warning that it is unencrypted and
its mirror is encrypted. If the user is logged on as the security officer, SCF allows the revive operation
to continue; otherwise that action is not allowed. HP recommends that users verify device encryption
status after any hardware replacement or software configuration change of an encrypted device.
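The guide tells the security officer to verify encryption status after a hardware replacement, and earlier notes that an XTS-AES disk shows two KeyNames while a CBC-AES disk shows one. The following script is an added example (not part of the HP guide and not an HP tool) that parses the per-path KeyName/KeyAlgorithm/KeySize/KeyAccess/ChangeStatus blocks in the format shown above and flags the conditions a reviewer would want to catch: a replaced, unencrypted path alongside an encrypted mirror, a KeyAccess value other than OK, a key change still in progress, or a KeyName count that does not match the algorithm. The "Primary path" and "Primary backup path" headings, and the appearance of an unencrypted path as blank Key fields, are assumptions made by analogy with the -P/-B/-M/-MB path suffixes; the sample status text is constructed.

```python
"""Check SCF volume-encryption status text for a NonStop disk volume.

Added example, not code from the HP guide. Field names follow the SCF listing
in the guide; the primary-path headings and the blank-field form of an
unencrypted path are assumptions (labelled below).
"""
import re
from dataclasses import dataclass, field

# "Mirror path" / "Mirror backup path" appear in the guide's listing; the
# primary headings are ASSUMED by analogy with the -P and -B path suffixes.
PATH_HEADINGS = ("Primary path", "Primary backup path",
                 "Mirror path", "Mirror backup path")

# Matches e.g. "KeyAccess........ OK" -> ("KeyAccess", "OK"); a field with no
# value (assumed form of an unencrypted path) yields an empty string.
FIELD_RE = re.compile(
    r"^\s*(KeyName|KeyAlgorithm|KeySize|KeyAccess|ChangeStatus)\.*\s*(.*?)\s*$")

# Constructed sample: primary path replaced and not yet re-initialized with
# encryption, mirror path still carrying its CBC-AES key.
SAMPLE_STATUS = """Primary path
KeyName..........
KeyAlgorithm.....
KeySize..........
KeyAccess........
ChangeStatus..... No change in progress
Mirror path
KeyName.......... N50000C500078BFDF7_20090827162017
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
ChangeStatus..... No change in progress
"""


@dataclass
class PathStatus:
    name: str
    key_names: list = field(default_factory=list)   # one per KeyName line
    fields: dict = field(default_factory=dict)      # the remaining fields

    @property
    def encrypted(self) -> bool:
        # Assumption: a path that lists no KeyName is not encrypted.
        return bool(self.key_names)


def parse_status(text: str) -> list:
    """Split SCF status text into one PathStatus per path heading."""
    paths, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in PATH_HEADINGS:
            current = PathStatus(stripped)
            paths.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            if key == "KeyName":
                if value:
                    current.key_names.append(value)
            else:
                current.fields[key] = value
    return paths


def find_problems(paths: list) -> list:
    """Return human-readable findings; an empty list means nothing to act on."""
    problems = []
    any_encrypted = any(p.encrypted for p in paths)
    for p in paths:
        if not p.encrypted:
            if any_encrypted:
                problems.append(
                    f"{p.name}: unencrypted while another path of the volume is "
                    f"encrypted; INITIALIZE it with encryption before reviving")
            continue
        if p.fields.get("KeyAccess") != "OK":
            problems.append(
                f"{p.name}: KeyAccess is {p.fields.get('KeyAccess')!r}, "
                f"the key may not be reachable on the key manager")
        if p.fields.get("ChangeStatus") != "No change in progress":
            problems.append(
                f"{p.name}: key change in progress "
                f"({p.fields.get('ChangeStatus')})")
        # Per the guide: XTS-AES shows two KeyNames, CBC-AES shows one.
        expected = 2 if p.fields.get("KeyAlgorithm") == "XTS-AES" else 1
        if len(p.key_names) != expected:
            problems.append(
                f"{p.name}: {len(p.key_names)} KeyName(s) shown for "
                f"{p.fields.get('KeyAlgorithm')}, expected {expected}")
    # All encrypted paths of one volume should agree on algorithm and size.
    combos = {(p.fields.get("KeyAlgorithm"), p.fields.get("KeySize"))
              for p in paths if p.encrypted}
    if len(combos) > 1:
        problems.append(f"paths disagree on algorithm/key size: {sorted(combos)}")
    return problems


if __name__ == "__main__":
    for finding in find_problems(parse_status(SAMPLE_STATUS)) or ["no findings"]:
        print(finding)
```

Run it against the text of an SCF status listing saved to a file, or paste the listing into SAMPLE_STATUS; the checks are deliberately read-only so the script can be run by anyone reviewing a volume without security-officer privileges.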
Encrypting data on tape drives
These procedures describe how to encrypt data on tape drives. Tape data encryption and decryption
is done by the LTO-4 or LTO-5 tape drive. The CLIM gets the key from the key manager and sends