Main interface
Create external security key
Suggest changes
PDFs
To use the Drive Security feature with a key management server, you must create an external key that is shared by the key management server and the secure-capable drives in the storage array.
-
Secure-capable drives must be installed in the array. These drives can be Full Disk Encryption (FDE) drives or Federal Information Processing Standard (FIPS) drives.
If both FDE and FIPS drives are installed in the storage array, they all share the same security key.
-
The Drive Security feature must be enabled. Otherwise, a Cannot Create Security Key dialog box opens during this task. If necessary, contact your storage vendor for instructions on enabling the Drive Security feature.
-
The client and server certificates are available on your local host so the storage array and key management server can authenticate each other. The client certificate validates the controllers, while the server certificate validates the key management server.
In this task, you define the IP address of the key management server and the port number it uses, and then load certificates for external key management.
-
Select .
-
Under Security key management, select Create External Key.
If internal key management is currently configured, a dialog box opens and asks you to confirm that you want to switch to external key management.
The Create External Security Key dialog box opens.
-
Under Connect to Key Server, enter information in the following fields:
-
Key management server address — Enter the fully qualified domain name or the IP address (IPv4 or IPv6) of the server used for key management.
-
Key management port number — Enter the port number used for the Key Management Interoperability Protocol (KMIP) communications. The most common port number used for key management server communications is 5696.
-
Select client certificate — Click the first Browse button to select the certificate file for the storage array's controllers.
-
Select key management server's server certificate — Click the second Browse button to select the certificate file for the key management server.
-
-
Click Next.
-
Under Create/Backup Key, enter information in the following field:
-
Define a pass phrase/Re-enter pass phrase — Enter and confirm a pass phrase. The value can have between 8 and 32 characters, and must include each of the following:
-
An uppercase letter (one or more). Keep in mind that the pass phrase is case sensitive.
-
A number (one or more).
-
A non-alphanumeric character, such as !, *, @ (one or more).
-
Be sure to record your entries for later use. If you need to move a secure-enabled drive from the storage array, you must know the pass phrase to unlock drive data.
-
-
Click Finish.
The system connects to the key management server with the credentials you entered. A copy of the security key is then stored on your local system.
The path for the downloaded file might depend on the default download location of your browser.
-
Record your pass phrase and the location of the downloaded key file, and then click Close.
The page displays the following message with additional links for external key management:
Current key management method: External -
Test the connection between the storage array and the key management server by selecting Test Communication.
Test results display in the dialog box.
When external key management is enabled, you can create secure-enabled volume groups or pools, or you can enable security on existing volume groups and pools.
|
|
Whenever power to the drives is turned off and then on again, all the secure-enabled drives change to a Security Locked state. In this state, the data is inaccessible until the controller applies the correct security key during drive initialization. If someone physically removes a locked drive and installs it in another system, the Security Locked state prevents unauthorized access to its data. |
-
You should validate the security key to make sure the key file is not corrupted.