Configuring the key management server
To use a key management server, you must configure the network connection settings and back up the data encryption keys to the key management server.
When the connection settings are backed up to the key management server, the system does not back up the client certificate. Make sure that you back up a copy of the connection settings to the key management server and save a copy of the client certificate separately. Refer to your corporate security policy for procedures related to backups.
If the key management server is unavailable after you complete this task, the settings may be incorrect. Contact the server or network administrator.
- If you use a V-VOL, you will need encryption/unencryption formatting for the V-VOL.
- To connect to the key management server by host name instead of IP address, send the IP address of the DNS server to your service representative and request that the service representative configure the SVP.
Before you begin
You must have the Security Administrator (View & Modify) role. Ensure the client and root certificates are uploaded to the key management server. If the certificates are not uploaded:
- Contact the key management server administrator.
- See Setting up the client certificate
Procedure
Display the Device Manager - Storage Navigator main window.
Select Administration in Explorer, and select Encryption Keys.
In the Encryption Keys window, select the Encryption Keys tab.
Click Edit Encryption Environmental Settings.
In the Edit Encryption Environmental Settings window, select Enable on the Key Management Server.
Specify the primary server and the secondary server.
Select Check to test the connection. Error messages appear if the server configuration test fails.
Create an encryption key:
- To generate an encryption key on the key management server, select Generate Encryption Keys on Key Management Server. To store the encryption key on the key management server, select Protect the Key Encryption Key on the Key Management Server, then I Agree.
Caution: If you have selected Protect the Key Encryption Key on the Key Management Server in Generate Encryption Keys on Key Management Server, the storage system will try to get encryption keys backed up on the key management server once the storage system is turned on. Therefore, it is recommended that you confirm that the SVP is connected to the key management server properly before turning the storage system on.
- To generate an encryption key on the key management server without creating an encryption key in the storage system, select Disable Local Key Generation. Confirm the Warning that displays and select I Agree.
Caution: When you select the Disable Local Key Generation and I Agree check boxes in Generate Encryption Keys on Key Management Server and finish the settings, you cannot undo this action.
Click Next.
In the Confirm window, confirm the settings, and enter your task name in Task Name.
If you want the Task window to open after you click Apply, select Go to tasks window for status.
Click Apply.
The connection to the key management server is set up. If the key management server is unavailable after you complete this task, the settings may be incorrect. Contact the server or network administrator.
Save a backup copy of the client certificate.
Back up the connection settings to the key management server.
For instructions, see the System Administrator Guide.
