Edit Encryption Environmental Settings window

Encryption License Key User Guide

Version: 9.8.7
Part Number: MK-98RD9017-17

After the encryption environmental settings have been initialized during installation, the settings in the Edit Encryption Environmental Settings window can be changed only under the following conditions:

  • When the key management server is not in use.
  • When local key generation is disabled.
  • When the key encryption key for the key management server is stored on the storage system.
  • When you need to change the regular backup schedule or the regular backup user.



Item

Description

Key Management Server

Select whether to use a key management server. By default, no option is selected.

  • Enable: Key management server is used.
  • Disable: Key management server is not used.

Caution: If you select Enable, enter the key management server information, click Check for Server Configuration Test, and then verify that the connection test completes normally.

Server Settings

When Enable is selected for Key Management Server, the following items are displayed:

  • Primary server
  • Secondary server
  • Server Configuration Test

Primary Server

Specify the network connection information for the primary key management server.

  • Host Name: Select the method used to identify the host (Identifier, IPv4, or IPv6), and then enter the information:
    • If you selected Identifier, enter the identifier for the host.
    • If you selected IPv4, enter the IPv4 address of the host.
    • If you selected IPv6, enter the IPv6 address of the host.
  • Port Number: Enter the port number of the key management server (range = 1 to 65535, default = 5696).
  • Timeout (sec.): Enter the time (in seconds) until the connection attempt to the key management server times out (range = 1 to 999, default = 60).
  • Retry Interval (sec.): Enter the interval to retry the connection to the key management server (range = 1 to 60, default = 1).
  • Number of Retries: Enter the number of times to retry the connection to the key management server (range = 1 to 50, default = 3).
  • Client Certificate File Name: Click Browse and select the client certificate file used to connect to the key management server. The client certificate must be in PKCS#12 format. For details about the client certificate file, contact the server administrator or the network administrator.
    • Password: Enter the password for the client certificate.

      Number of characters: 0 to 128

      Valid characters: numbers (0 to 9), upper case letters (A-Z), lower case letters (a-z), symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

  • Root Certificate File Name: Click Browse and select the root certificate file used to connect to the key management server. The root certificate must be in X.509 format. For details about the root certificate file, contact the server administrator or the network administrator.

Secondary Server

If you are using a secondary key management server, select Enable and then specify the network connection information for the secondary server: Host Name, Port Number, Timeout (sec.), Retry Interval (sec.), Number of Retries, Client Certificate File Name, Root Certificate File Name.

Note: You must enable the Secondary Server if you want to select any of these settings: Protect the Key Encryption Key at the Key Management Server, Delete Internal Encryption Keys at PS OFF, or Disable local key generation.

Server Configuration Test

Select Check to start a network connection test for the key management server based on the specified settings.

Result: Displays the result of the network connection test for the key management server.

Caution: If you select Enable for Key Management Server, make sure to run the network connection test to the key management server.

Enable Encryption Key Regular Backup to Key Management Server

Select this option to enable regular encryption key backup operations on the key management server. This item cannot be selected if Disable is selected for Key Management Server.

  • Regular Backup Time: Select the time, or times, for the regular backup operations. Check Select All to schedule hourly backups.
  • Regular Backup User Name: Enter the user name of the regular backup user.
  • Password: Enter the password of the regular backup user.

Caution: If the user account of the regular backup user is deleted, you must enter a new regular backup user on this window. If not, regular backups will not be performed. If the user account of the regular backup user is edited (for example, changing the password or roles), you must re-enter the user name and password of the regular backup user on this window. If not, regular backups will not be performed.

Generate Encryption Keys on Key Management Server

Select this option if you want to create encryption keys on the key management server.

Note: If you want to select Protect the Key Encryption Key at the Key Management Server, Delete Internal Encryption Keys at PS OFF, or Disable local key generation, you must select Generate Encryption Keys on Key Management Server.

Protect the Key Encryption Key at the Key Management Server

Select this option if you want to save the key encryption keys on the key management servers.

Note: To enable this option, you must read the Warning and confirm the content of the warning by selecting I agree.

Delete Internal Encryption Keys at PS OFF

Select this option if you want to save the encryption keys in the key management server and delete the encryption keys in the storage system when the storage system is powered off. This option can be selected only when Enable is selected for Secondary Server and when the Protect the Key Encryption Key at the Key Management Server option is enabled.

Note: To enable this option, you must read the Warning and confirm the content of the warning by selecting I agree.

Disable local key generation

Select this option if you want to create encryption keys only on the key management server and not on the storage system. This option can be selected only when Enable is selected for Secondary Server and when the Protect the Key Encryption Key at the Key Management Server option is enabled.

Note: To enable this option, you must read the Warning and confirm the content of the warning by selecting I agree.

Caution: If you enable this option and apply the setting to the storage system, you will not be able to undo this action or restore the settings.

Initialize Encryption Environmental Settings

Initializes the encryption environmental settings on the storage system.
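
The prerequisites for the options in this window are spread across several notes. The following added example (not part of the original guide or of the storage system software) collects them, together with the documented field ranges and the client certificate password character set, into a check that can be run against a planned configuration before it is entered. The dictionary layout and the option names such as protect_kek are hypothetical.

```python
import string
# Valid client-certificate password characters per the guide: letters, digits,
# and the listed symbols (ASCII punctuation except the double quote; no space).
PASSWORD_CHARS = set(string.ascii_letters + string.digits
                     + string.punctuation.replace('"', ""))
# Documented (min, max, default) for each server connection field.
FIELDS = {"port": (1, 65535, 5696), "timeout": (1, 999, 60),
          "retry_interval": (1, 60, 1), "retries": (1, 50, 3)}
# Options that need the secondary server and KMS-side key generation.
DEPENDENT = {"protect_kek", "delete_keys_at_ps_off", "disable_local_keygen"}
# Constructed sample plan: PS OFF deletion requested without its prerequisites.
SAMPLE = {"kms_enabled": True, "primary": {}, "options": ["delete_keys_at_ps_off"]}

def check_server(label, srv):
    """Check one server entry (hypothetical dict layout) against the ranges."""
    errs = []
    for field, (lo, hi, default) in FIELDS.items():
        value = srv.get(field, default)
        if not lo <= value <= hi:
            errs.append(f"{label}: {field}={value} is outside {lo}-{hi}")
    pw = srv.get("cert_password", "")
    if len(pw) > 128:
        errs.append(f"{label}: certificate password exceeds 128 characters")
    bad = sorted(set(pw) - PASSWORD_CHARS)
    if bad:
        errs.append(f"{label}: certificate password has invalid characters {bad}")
    return errs

def check_plan(plan):
    """Return (errors, warnings) for a planned set of window settings."""
    errs, warns = [], []
    opts = set(plan.get("options", ()))
    if plan.get("kms_enabled"):
        errs += check_server("primary", plan.get("primary", {}))
        if plan.get("secondary") is not None:
            errs += check_server("secondary", plan["secondary"])
    elif "regular_backup" in opts:
        errs.append("regular_backup requires Key Management Server = Enable")
    chosen = opts & DEPENDENT
    if chosen and plan.get("secondary") is None:
        errs.append(f"{sorted(chosen)} require Secondary Server = Enable")
    if chosen and "generate_keys_on_kms" not in opts:
        errs.append(f"{sorted(chosen)} require Generate Encryption Keys on KMS")
    needs_kek = chosen - {"protect_kek"}
    if needs_kek and "protect_kek" not in opts:
        errs.append(f"{sorted(needs_kek)} require Protect the Key Encryption Key")
    if "disable_local_keygen" in opts:
        warns.append("disable_local_keygen cannot be undone once applied")
    return errs, warns
```

A PKCS#12 export password that contains a double quote or a space fails this check, because neither character is in the set the window accepts.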