NonStop Volume Level Encryption Guide

1 Overview
Encryption
Encryption on storage devices protects sensitive customer data from theft and helps our customers
comply with regulations like HIPAA and the Payment Card Industry (PCI) Data Security Standard.
Volume level encryption is system-integrated, volume-level encryption for storage devices
connected to Integrity NonStop NS Series systems or NonStop Integrity BladeSystems that use a
Storage CLIM. Data-at-rest on disks and tape drives is encrypted using the IEEE 1619 (disk) and IEEE
1619.1 (tape) industry standard algorithms. Encryption uses keys generated and stored by the HP
Enterprise Secure Key Manager (ESKM).
The encryption module of the volume level encryption product achieved FIPS 140-2 Level 1
certification from the United States National Institute of Standards and Technology (NIST) in
September 2011. This means that the encryption module customers use with this product has been
tested by an independent lab and found to meet all the requirements of FIPS 140-2 for a software product.
Encryption principles
Keys generated by the key manager protect storage data. Keys are as valuable an asset as the
data they protect, and they must be protected for the life of the data. If a key is lost or destroyed,
the data is effectively lost because it cannot be accessed. Follow these practices:
• Keys and system security should be managed by customer security officers, not system
administrators
• Keys should be protected by ESKM disk mirroring, backups, and distribution over multiple
nodes so that they can be recovered in case of catastrophic failure
CAUTION: There are no system back doors for recovering data if passwords or keys are lost. If
keys are destroyed or lost, the data is lost. HP recommends that all ESKM backup and redundancy
mechanisms be fully used, and that alternate security officers be trained and enrolled to manage
the ESKM cluster and to perform recovery operations if needed.
For more details about encryption, see Appendix A: “Encryption background” (page 58).
Encryption techniques
Volume level encryption provides data-at-rest encryption for entire disk or tape volumes, not for
individual files or columns. The system processes and transmits data in clear (unencrypted) text, and
volume level encryption does not secure data while it is in transit to or from the storage media.
Customers must still configure their environment and applications so that access to sensitive
information is controlled while the data is in use on the NonStop system.
Data comes from ServerNet in the clear and is placed in CLIM memory. It is encrypted and then
transferred to the disk using the SAS or Fibre Channel HBA.
Volume level encryption uses a symmetric block cipher, which uses the same single key for both
encryption and decryption.
This product uses these algorithms:
• Disks: CBC-AES (key size 256) or XTS-AES (key size 256)
  – CBC-AES must be used for FIPS 140-2 mode
  – XTS-AES follows the IEEE 1619 spec
• Tapes: GCM-AES (key size 256)
Encryption 9