Performing the initial configuration of the encryption environmental settings

Encryption License Key User Guide

Version: 9.8.7
Audience: anonymous
Part Number: MK-98RD9017-17

Before you can start enabling encryption on parity groups, you must perform the initial configuration of the encryption environmental settings using the Edit Encryption Environmental Settings window. The encryption environmental settings and options include the following:
  • Enabling use of a key management server (KMS)
  • Enabling use of a secondary KMS in addition to the primary KMS
  • Enabling and scheduling regular backups of the encryption keys to the KMS
  • Generating encryption keys on the KMS
  • Protecting the key encryption key (KEK) on the KMS
  • Deleting local/internal encryption keys when the storage system is powered off
  • Disabling generation of encryption keys on the storage system
CAUTION:
If the configuration of the encryption environmental settings fails, or if you set Key Management Server to Enabled by mistake, take the actions referenced in Resolving errors during configuration of the encryption environmental settings.
CAUTION:
Make sure you select the correct encryption environmental settings for your operational environment. After you perform the initial configuration of the encryption environmental settings, you will not be able to change certain settings. For details about determining the correct encryption environmental settings for your operational environment, see Determining the encryption environmental settings for your system.
  • You must have the Security Administrator (View & Modify) role.
  • If you are enabling regular encryption key backups on a KMS, you must have the user name and password of the regular backup user.
  • If you will use a KMS:
    • The KMS must already be configured. For instructions, see Configuring the key management server.
    • You must have the network connection information (for example, IP address or host name, and port number) for the KMS.
    • (VSP E series) If you want to connect to the KMS using the host name instead of the IP address, the DNS server must be configured on the OS network settings of the SVP.
    • You must have the names and directory locations of the client and root certificates on the KMS.
  1. On the Explorer pane, select Administration, and then select Encryption Keys.
  2. Verify that the current time is displayed in Last Updated on the upper right corner of the Encryption Keys window. If the current time is not displayed, go to step 3. If the current time is displayed, go to step 5.
    If you configure the encryption environmental settings when Last Updated does not display the current time, the hardware might be blocked. Therefore, make sure to apply the current time in Last Updated.
  3. Click File > Refresh All to reread the configuration information.
  4. Open the Encryption Keys window again, and then verify that Last Updated displays the current time. If the current time is not displayed, go back to step 3.
  5. Select Tasks from the Storage Systems tree.
    The task for configuring the encryption environmental settings is displayed as Edit Encryption Environmental Settings in Type on the Tasks window.

    If Status of Edit Encryption Environmental Settings is In Progress or Waiting, the task is running. In this case, wait for the task to complete.

    Note: Running multiple simultaneous tasks for configuring the encryption environmental settings might block the hardware. Wait for the completion of the preceding task to prevent the tasks from being run simultaneously.
  6. Open the Encryption Keys window again.
  7. On the Encryption Keys pane, click Edit Encryption Environmental Settings.
  8. Select the desired option for Key Management Server.
    • If you are using a KMS, select Enable for Key Management Server, and go to the next step.
    • If you are not using a KMS, select Disable for Key Management Server, click Finish, and go to the last step.
  9. Expand Server Settings, and enter the network connection information for the primary KMS under Primary Server.
  10. If you will use a secondary KMS, select Enable for Secondary Server, and enter the network connection information for the secondary KMS under Secondary Server.
    If you want to protect the key encryption key (KEK) at the KMS, or if you want to disable encryption key generation on the storage system, you must enable the secondary server.
  11. If you selected Enable for Key Management Server, verify that the communication to the KMS is established. Click Check next to Server Configuration Test, and then verify that the connection test completed normally.
    If you click Finish without running the connection test, a warning message (10122-205199) might be displayed depending on the SVP firmware version.
  12. If you want regular encryption key backups to be performed automatically:
    1. Select Enable Encryption Key Regular Backup to Key Management Server.
    2. Under Regular Backup Time, select the desired daily backup times.
    3. Under Regular Backup User, enter the user name and password of the designated regular backup user.
    CAUTION:
    If you enable regular encryption key backups, observe the following requirements and restrictions:
    • The Encryption License Key software license must be valid and enabled. If the Encryption License Key software license expires or is disabled or removed, regular backups are not performed.
    • The user account for the regular backup user must not be deleted or edited. If the user account of the regular backup user is deleted or edited, including changing the password or roles, a regular encryption key backup might fail. For this reason, every time the user account of the regular backup user is edited, make sure to respecify the user name and password of the regular backup user in the Edit Encryption Environmental Settings window.
    • If you change the time zone settings from a maintenance PC or on the SVP, you must restart the services of all storage systems in the Storage Device List window. If you do not restart the services, regular backups will not be performed as scheduled.
  13. If you want to generate the encryption keys on the KMS, select Generate Encryption Keys on Key Management Server.
    Note: If you select Generate Encryption Keys on Key Management Server, this task will take a while to complete. Do not cancel this task while the settings are being configured.
  14. If you want to store the KEK on the KMS, select Protect the Key Encryption Key on the Key Management Server, read the warning, and then select I Agree.
    CAUTION:
    If you enable this option, the storage system will get the encryption keys backed up on the KMS when the storage system is powered on. Therefore, you must confirm that the SVP is properly connected to the KMS before powering on the storage system.
  15. If you store the encryption keys in the KMS, and you want the encryption keys in the storage system to be deleted when the storage system is powered off, select Delete Internal Encryption Keys at PS OFF, read the warning, and then click I Agree.
    CAUTION:
    If you enable this option, the storage system will get the encryption keys backed up on the KMS when it is powered on. Therefore, you must confirm that the SVP is properly connected to the KMS before powering on the storage system.
  16. If you want to generate encryption keys on the KMS without creating encryption keys in the storage system, select Disable Local Key Generation, read the warning, and select I Agree.
    CAUTION:
    If you enable this option, you will not be able to change this setting later.
  17. When you are finished configuring the encryption environmental settings, click Finish.
  18. In the confirmation window:
    1. Verify the selected settings.
    2. In Task Name, enter the desired task name or accept the default task name.
    3. If you want the Tasks window to open after you click Apply, select Go to tasks window for status.
    4. Click Apply.
Important: If the KMS is unavailable after you complete this task, the network connection settings might be incorrect. Contact the server administrator or the network administrator.
  • Save a backup copy of the client certificate.
  • Back up the connection settings to the KMS by downloading the Key Management Server configuration file. For instructions, see the System Administrator Guide. The backup copy can be used to restore the Key Management Server configuration file if necessary.
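The option dependencies in steps 8 through 16 are easy to get wrong in the Edit Encryption Environmental Settings window, and the Disable Local Key Generation choice in step 16 cannot be reversed. The following Python script is an added example, not part of this guide or of the storage system software: it validates a planned set of settings against the rules the steps state (KMS must be enabled for any KMS-dependent option, Protect the Key Encryption Key and Disable Local Key Generation require the secondary server, regular backups need the backup user's credentials) and lists the cautions that apply, so the plan can be reviewed before you click Apply. The settings field names, the host-name syntax check, and the sample values are assumptions made for illustration.

```python
"""Pre-flight validator for a planned Edit Encryption Environmental Settings task.
Added example (not Hitachi code). Dependency rules come from the procedure steps;
the host-name syntax check and field names are assumptions for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1123-style host name: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen. Assumed syntax check; the SVP's own parser is not documented here.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


@dataclass
class KmsServer:
    host: str   # IP address or host name of the KMS
    port: int


@dataclass
class EncryptionEnvSettings:
    """One row per option in the window; names are assumed, not the product's."""
    kms_enabled: bool = False
    primary: Optional[KmsServer] = None
    secondary_enabled: bool = False
    secondary: Optional[KmsServer] = None
    regular_backup: bool = False
    backup_user: str = ""
    backup_password: str = ""
    generate_keys_on_kms: bool = False
    protect_kek_on_kms: bool = False
    delete_internal_keys_at_ps_off: bool = False
    disable_local_key_generation: bool = False


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _check_server(label: str, server: Optional[KmsServer],
                  errors: List[str], warnings: List[str]) -> None:
    if server is None:
        errors.append(f"{label}: connection information is missing")
        return
    if not (_is_ip(server.host) or _HOSTNAME_RE.match(server.host)):
        errors.append(f"{label}: '{server.host}' is neither an IP address nor a valid host name")
    elif not _is_ip(server.host):
        # Prerequisite for VSP E series: host names need DNS configured on the SVP.
        warnings.append(f"{label}: host name used; DNS must be configured on the SVP")
    if not 1 <= server.port <= 65535:
        errors.append(f"{label}: port {server.port} is out of range")


def validate(s: EncryptionEnvSettings) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors mean the plan contradicts the procedure;
    warnings are the cautions from the steps that apply to the chosen options."""
    errors: List[str] = []
    warnings: List[str] = []

    if not s.kms_enabled:
        # Step 8: with Key Management Server disabled, no KMS-dependent option applies.
        dependent = [s.secondary_enabled, s.regular_backup, s.generate_keys_on_kms,
                     s.protect_kek_on_kms, s.delete_internal_keys_at_ps_off,
                     s.disable_local_key_generation]
        if any(dependent):
            errors.append("Key Management Server is Disabled but a KMS-dependent option is selected")
        return errors, warnings

    _check_server("Primary Server", s.primary, errors, warnings)
    if s.secondary_enabled:
        _check_server("Secondary Server", s.secondary, errors, warnings)

    # Step 10: both of these options require the secondary server.
    if s.protect_kek_on_kms and not s.secondary_enabled:
        errors.append("Protect the Key Encryption Key requires Secondary Server = Enable")
    if s.disable_local_key_generation and not s.secondary_enabled:
        errors.append("Disable Local Key Generation requires Secondary Server = Enable")

    # Step 12: regular backups run as the designated backup user.
    if s.regular_backup and not (s.backup_user and s.backup_password):
        errors.append("Regular backup is enabled but the backup user name or password is empty")

    # Steps 14 and 15 cautions: keys are fetched from the KMS at power-on.
    if s.protect_kek_on_kms or s.delete_internal_keys_at_ps_off:
        warnings.append("SVP must be connected to the KMS before the storage system is powered on")
    # Step 16 caution: this choice cannot be changed later.
    if s.disable_local_key_generation:
        warnings.append("Disable Local Key Generation cannot be changed after this task completes")
    # Step 13 note: KMS-side key generation is a long-running task.
    if s.generate_keys_on_kms:
        warnings.append("Generate Encryption Keys on KMS takes a while; do not cancel the task")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample plan: primary by IP, secondary by host name, KEK protected on the KMS.
    plan = EncryptionEnvSettings(
        kms_enabled=True, primary=KmsServer("192.0.2.10", 5696),
        secondary_enabled=True, secondary=KmsServer("kms2.example.net", 5696),
        regular_backup=True, backup_user="bkuser", backup_password="example-only",
        protect_kek_on_kms=True)
    errs, warns = validate(plan)
    print("errors:", errs)
    print("warnings:", warns)
```

Run it with a planned configuration before opening the window; an empty error list means the plan is consistent with the procedure, and the warnings are the cautions you should have read and accepted for the options you chose.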