HP StorageWorks Secure Key Manager Installation and replacement guide (AJ087-96013, November 2008)

Obtaining a static IP address for the SKM
The SKM will only accept static IP addresses. If you want to use both network ports on each appliance, you
will need 2 static IP addresses per appliance. IP addresses are typically provided by your IT department.
Planning step: Obtain 1 or 2 static IP addresses per SKM appliance. If you install 2 appliances, you
will need at least 2, and up to 4, static IP addresses. Also obtain the subnet mask and the default
gateway for each IP address.
Identifying the ETLA libraries and number of LTO4 drives to be used for encryption
Determine what portion of your backups will be encrypted and provision sufficient LTO4 drives to meet
those requirements. If some of the LTO4 tape drives in a library will be used for encryption and others
will not, then the library must be partitioned before the SKM is installed. The HP ETLA libraries may be
configured to contain up to 6 partitions per physical library. Each partition may have a separate key
generation policy that will apply to all LTO4 drives in that partition. For example, if you have 8 LTO4
drives but only want 2 of them to be used for encryption, partition the library so that one partition
contains 2 LTO4 drives and the other partition contains the remaining 6 drives. If a library is not
partitioned, then all LTO4 drives will be used for encryption after the SKM has been configured.
The number of libraries and LTO4 tape drives dedicated to encrypting backup data will depend on
your business needs.
NOTE:
Partitioning the library is not part of the SKM installation. However, if there will be both encrypting and
non-encrypting drives in the same tape library, it is necessary to partition the library. Any partitioning
steps must be complete before the SKM is installed. Consult the user's guide for your tape library for
instructions on library partitioning.
Planning steps: Have a list of libraries to be enrolled with the SKM. For each library, have a list of LTO4
drives which will be used for encryption. If there are also LTO4 drives in the libraries which will not be
used for encryption, ensure partitioning is complete before the SKM installation occurs.
Addressing physical installation and security requirements for the SKM
Ensure rack and power requirements are met at each site.
NOTE:
Each node of the SKM cluster requires two (2) power connections to the rack’s power distribution unit.
Due to the size of the secure bezel, the SKM requires 2U of the rack per appliance, 1U for the appliance
and 1U blank below the appliance. HP recommends that a rack blank be installed in the unit directly
below each appliance.
Also, review the physical security implications of having the SKM at a site. The SKM will contain keys to
your data, and is therefore of high value. Physical security must be appropriate to that value.
Planning step: Review the installation site(s) and ensure they have adequate capacity and security to
meet your business requirements, and to meet the equipment power, rack, and cooling requirements.
Designing a backup strategy for keys and audit logs
In addition to the SKM automated key replication, keys and logs can be backed up to and restored from
an external file. HP strongly recommends you back up keys regularly, and periodically test the restore
operation to ensure the processes work in the event they are needed. This planning includes who does
SKM pre-installation survey and checklist, for connecting to ETLAs