Configuring the encryption environmental settings

Before you can enable encryption on parity groups, you must configure the settings and options for your encryption environment using the Edit Encryption Environmental Settings window. The encryption environmental settings and options include the following:

  • Enabling and disabling use of a key management server
  • Enabling and disabling use of a secondary key management server
  • Scheduling regular backups of encryption keys
  • Generating encryption keys on the key management server
  • Storing encryption keys on the key management server
  • Deleting local encryption keys when the storage system is powered off
  • Protecting the key encryption key on the key management server
  • Disabling local generation of encryption keys on the storage system

Caution: If you plan to enable regular encryption key backups on a key management server, observe the following requirements and restrictions:
  • The Encryption License Key software license must be valid and enabled. If the Encryption License Key software license expires or is disabled or removed, regular backups are not performed.
  • You must designate a user for the regular backups (called the regular backup user) and assign the Security Administrator (View & Modify) role to this user. The user name and password of the regular backup user must be entered in the Edit Encryption Environmental Settings window. A regular backup might fail if you delete the regular backup user or edit the user account of the regular backup user, including if you change the password or roles of the regular backup user. For this reason, every time you edit the user account of the regular backup user, make sure to respecify the user name and password of the regular backup user in the Edit Encryption Environmental Settings window.
  • (VSP Gx00 models, VSP Fx00 models) If you change the time zone settings from a maintenance PC or on the SVP, you must restart the services of all storage systems in the Storage Device List window. If you do not restart the services, regular backups will not be performed as scheduled.

Before you begin

  • If you will use a key management server, configure the key management server. For instructions, see Configuring the key management server.
  • You must have the Security Administrator (View & Modify) role.

Procedure

  1. On the Explorer pane, select Administration, and then select Encryption Keys.

  2. On the Encryption Keys pane, click Edit Encryption Environmental Settings.

  3. In the Edit Encryption Environmental Settings window, select the desired option for Key Management Server.

    • If you will use a key management server, select Enable for Key Management Server, and go to the next step.
    • If you will not use a key management server, select Disable for Key Management Server, click Finish, and go to the last step.
  4. Expand Server Settings, and enter the information for the primary key management server under Primary Server.

  5. If you will use a secondary key management server, select Enable for Secondary Server, and enter the information for the secondary key management server under Secondary Server.

  6. Test the connection to the primary and secondary key management servers by clicking Check next to Server Configuration Test. If the server configuration test fails, error messages are displayed.

  7. If you want to schedule regular backups of the encryption keys, select Enable Encryption Key Regular Backup to Key Management Server, select the desired daily backup times from Regular Backup Time, and then enter the user name and password of the regular backup user in Regular Backup User.

    The regular backup tasks are recorded in the audit log with the regular backup user name, even if the regular backup user was not logged in.
    Caution: If you enable this option, see the requirements and restrictions for regular backups listed above.
  8. If you want to generate the encryption keys on the key management server, select Generate Encryption Keys on Key Management Server.

  9. If you want to store the key encryption key on the key management server, select Protect the Key Encryption Key on the Key Management Server, read the warning, and then select I Agree.

    Caution: If you select Protect the Key Encryption Key on the Key Management Server and apply this setting to the storage system, the storage system retrieves the encryption keys backed up on the key management server when it is powered on. You must confirm that the SVP is properly connected to the key management server before powering on the storage system.
  10. If you want to store the encryption keys on the key management server and delete the encryption keys in the storage system when the storage system is powered off, select Delete Internal Encryption Keys at PS OFF, and then select I Agree.

    Caution: If you apply the Delete Internal Encryption Keys at PS OFF setting to the storage system, the storage system retrieves the encryption keys backed up on the key management server when it is powered on. Therefore, you must confirm that the SVP is properly connected to the key management server before powering on the storage system.
  11. If you want to generate encryption keys on the key management server without creating encryption keys in the storage system, select Disable Local Key Generation, read the warning, and select I Agree.

    Caution: If you select Disable Local Key Generation and apply this setting to the storage system, you will not be able to change this setting later.
  12. Click Finish.

  13. In the Confirm window, confirm the settings, and enter your task name in Task Name.

    If you want the Tasks window to open after you click Apply, select Go to tasks window for status.
  14. Click Apply.

    Important: If the key management server is unavailable after you complete this task, the settings might be incorrect. Contact the server or network administrator.