Manualshelf

Nonstop Volume Level Encryption Guide

ManualsBrandsHP ManualsServerHP Integrity NonStop H-Series
51525354555657585960
4 Maintenance
Security
Security is enhanced for volume level encryption. All users can perform status commands, but alter
commands are restricted:
Some SCF commands require the user to be a member of the Safeguard
SECURITY-ENCRYPTION-ADMIN group, 65536.
These SCF commands require the user to be on a user on local system.
Safeguard ($ZSMP) must be running at user logon so it can determine whether the user is in
group 65536.
If a user who attempts to perform a command is not in group 65536 or if Safeguard is not running,
SCF returns an error:
4-> alter $xp1006-p, newencryptkey, keyalgo XTS-AES
STORAGE E00125 This command requires a member of the SECURITY-ENCRYPTION-ADMIN group.
License
Obtain the encryption license file by emailing License.Manager@hp.com. FTP the file to the NonStop
system as “BINARY. You must install it in $SYSTEM.ZLICENSE and give it a filecode of 407:
4->FUP INFO $SYSTEM.ZLICENSE.NSVLE
$SYSTEM.ZLICENSE
CODE EOF LAST MODIFED OWNER RWEP PExt SExt
NSVLE 407 124 17FEB2009 18:24 255,255 NUNU 14 28
Once the license file is installed, the system is licensed for encryption. You can use the SCF command
STATUS SUBSYS $ZZSTO to verify that a valid license is present:
8-> status subsys $zzsto
STORAGE - Status SUBSYS $ZZSTO
BulkIO EncryptionLicense LabelTape UPS
OFF VALID ON OFF
During normal operation you do not need to add or remove the license.
ESKM license
The ESKM requires that licenses be installed on that device. For details, see the Enterprise Secure
Key Manager Installation and Replacement Guide on the CD shipped with the device.
SCF commands
For detailed syntax descriptions, see the SCF Reference Manual for the Storage Subsystem.
SCF commands to alter encryption attributes cannot include other attributes on the same line. For
example, this command is not valid:
ALTER DISK,NEWENCRYPTKEY, PRIMARYCPU 2
STATUS SUBSYS $ZZSTO
Use the STATUS SUBSYS $ZZSTO command to display the license status for the storage subsystem.
The status will be shown as VALID or INVALID:
8-> status subsys $zzsto
STORAGE - Status SUBSYS $ZZSTO
BulkIO EncryptionLicense LabelTape UPS
OFF VALID ON OFF
Security 53