Configuring the key management server

If you plan to use a key management server, you must establish and verify the network connection to the key management server. In addition, you can also configure the following important options for your encryption environment:

  • Using a secondary key management server in addition to the primary key management server
  • Generating encryption keys on the key management server
  • Protecting the key encryption key (KEK) on the key management server
  • Enabling regular backups of the data encryption keys on the key management server
  • Disabling generation of encryption keys on the storage system

Note If you plan to connect to the key management server using the host name instead of the IP address, provide the IP address of the DNS server to your service representative, and ask your service representative to configure the SVP.
CautionEncryption keys backed up on the key management server are managed with the client certificate. If the client certificate is lost and the SVP is replaced due to a failure, the encryption keys that were backed up before the SVP replacement cannot be restored.

In addition, when the connection settings are backed up to the key management server, the storage system does not back up the client certificate. Make sure that you back up a copy of the connection settings to the key management server and save a copy of the client certificate separately. Refer to your corporate security policy for procedures related to backups.

To protect the key encryption key at the key management server, the key management server must be configured using two clustered servers. For this reason, you must enable the secondary server.

Before you begin

  • You must have the Security Administrator (View & Modify) role.
  • You must have the names and directory locations of the client and root certificates on the key management servers.
  • If you are enabling regular encryption key backups, you must have the user name and password of the regular backup user. The regular backup user must have the Security Administrator (View & Modify) role.

Procedure

  1. In the Explorer pane, select Administration, and then select Encryption Keys.

  2. On the Encryption Keys pane, click Edit Encryption Environmental Settings.

  3. For Key Management Server, select Enable.

  4. In Primary Server, enter the network connection information for the key management server, and then click Browse to select the client and root certificates on the server.

  5. If you will use a secondary key management server, select Enable for Secondary Server, and enter the network connection information and select the client and root certificates for the secondary server.

    NoteIf you want to disable key generation on the storage system, you must enable the secondary server.

  6. For Server Configuration Test, click Check to test the network connection. If the server configuration test fails, error messages appear. Resolve the errors before continuing.

  7. If you want regular encryption key backups to be performed automatically:

    1. Select Enable Encryption Key Regular Backup to Key Management Server.

    2. Under Regular Backup Time, select the desired daily backup times.

    3. Under Regular Backup User, enter the user name and password of the designated regular backup user.

  8. If you want to generate encryption keys on the key management server, select Generate Encryption Keys on Key Management Server.

    To store the key encryption key on the key management server, select Protect the Key Encryption Key on the Key Management Server, read the warning, and then click I Agree.
    CautionIf you apply the Protect the Key Encryption Key on the Key Management Server setting to the storage system, the storage system will get the encryption keys backed up on the key management server when the storage system is powered on. Therefore, you must confirm that the SVP is properly connected to the key management server before powering on the storage system.

  9. If you store the encryption keys in the key management server, and you want to delete the encryption keys in the storage system when the storage system is turned off, select Delete Internal Encryption Keys at PS OFF, read the warning, and then click I Agree.

    CautionIf you select Delete Internal Encryption Keys at PS OFF, the storage system will try to get the encryption keys backed up on the key management server when the storage system is turned on. Therefore, you must confirm that the SVP is properly connected to the key management server before turning the storage system on.

  10. To generate encryption keys on the key management server without creating encryption keys in the storage system, select Disable Local Key Generation, read the warning, and click I Agree.

    CautionIf you select Disable Local Key Generation and apply the setting to the storage system, you cannot undo this action.

  11. When you are finished configuring the encryption environmental settings, click Finish.

  12. In the Confirm window, confirm the settings, and enter your task name in Task Name.

    If you want the Tasks window to open after you click Apply, select Go to tasks window for status.

  13. Click Apply.

Results

ImportantIf the key management server is unavailable after you complete this task, the settings might be incorrect. Contact the server or network administrator.

Next steps

  1. Save a backup copy of the client certificate.
  2. Back up the connection settings to the key management server by downloading the Key Management Server configuration file. For instructions, see the Hitachi Device Manager - Storage Navigator User Guide. The backup copy can be used to restore the Key Management Server configuration file if necessary.

Related Tasks
Related References
Parent Topic