Before you can start enabling encryption on parity groups, you must perform the initial configuration of the encryption environmental settings using the Edit Encryption Environmental Settings window. The encryption environmental settings and options include the following:
- Enabling use of a key management server (KMS)
- Enabling use of a secondary KMS in addition to the primary KMS
- Enabling and scheduling regular backups of the encryption keys to the KMS
- Generating encryption keys on the KMS
- Protecting the key encryption key (KEK) on the KMS
- Deleting local/internal encryption keys when the storage system is powered off
- Disabling generation of encryption keys on the storage system
CAUTION:
If the configuration of the encryption environmental settings fails, or if you set Key Management Server to Enabled by mistake, take the actions referenced in Resolving errors during configuration of the encryption environmental settings.
CAUTION:
Make sure you select the correct encryption environmental settings for your operational environment. After you perform the initial configuration of the encryption environmental settings, you will not be able to change certain settings. For details about determining the correct encryption environmental settings for your operational environment, see Determining the encryption environmental settings for your system.
- You must have the Security Administrator (View & Modify) role.
- If you are enabling regular encryption key backups on a KMS, you must have the user name and password of the regular backup user.
- If you will use a KMS:
  - The KMS must already be configured. For instructions, see Configuring the key management server.
  - You must have the network connection information (for example, IP address or host name, port number) for the KMS.
  - (VSP E series) If you want to connect to the KMS using the host name instead of the IP address, the DNS server must be configured on the OS network settings of the SVP.
  - You must have the names and directory locations of the client and root certificates on the KMS.
Important: If the KMS is unavailable after you complete this task, the network connection settings might be incorrect. Contact the server administrator or the network administrator.
- Save a backup copy of the client certificate.
- Back up the connection settings to the KMS by downloading the Key Management Server configuration file. For instructions, see the System Administrator Guide. The backup copy can be used to restore the Key Management Server configuration file if necessary.