HP StorageWorks Secure Key Manager Installation and replacement guide (AJ087-96013, November 2008)
the backup, how often, how often the restore-test is performed, and where the backup files are stored.
Institute a method of logging these operations and versioning the backups.
Planning step: Identify the server used to store backups. Have a backup schedule and a plan for testing the backups.
Determining the appropriate key generation policies
Key generation policies allow the SO to centrally control and audit how encryption is performed. These
policies provide a crisp, unambiguous definition of when encryption is and is not performed. This
supports the SO’s broader ability to provide specific, auditable security policies for the data center.
Each partition in the library may have a different key generation policy, depending on the business
needs. If the library is not partitioned, then all LTO4 drives in the library have the same policy.
The HP SKM and ETLA libraries support the following key generation policies:
• Key per tape (KT) — Each LTO4 tape in the partition (or library) is encrypted with a different key.
All data written on the tape is encrypted with the same key, even if data is appended to the
media later. HP recommends using the Key per Tape policy.
• Key per partition, or key per library (KP) — All LTO4 tapes in the partition (or library) use one key.
The key remains in effect until you change it.
• No encryption (NE) — All LTO4 drives in the partition (or library, if the library is not partitioned)
read and write without any encryption. These drives are not configured to read encrypted data
from other partitions, either.
Planning step: For each library being enrolled with the SKM, list the desired key generation policy for
each partition. If the library is not partitioned, list the key generation policy for the entire library.
Meeting minimum ETLA hardware and firmware requirements
To be compatible with the SKM, an ETLA must meet minimum hardware and firmware requirements. See
the HP StorageWorks Secure Key Manager product web page and consult the appropriate Quickspecs.
Planning step: For each ETLA connected to the SKM, ensure that these requirements are met prior to
beginning SKM installation. If necessary, upgrade the firmware.
Configuring accounts for each ETLA library
Each ETLA library selected for encryption requires a client account on the SKM. These accounts provide a
unique username and password for the library, so the library can be authenticated when it logs in. The
username can be any value, but must be unique for each ETLA library.
Planning step: For each ETLA library, define a client account username and password. Passwords must
not be a dictionary word, must be 8 characters, must contain both alpha and numeric characters, and
must begin with a letter. Passwords are case-sensitive and can include special characters.
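A check for the planning step above, added here as an example and not part of the HP guide: it validates a planning list of ETLA client accounts against the stated password rules and the requirement that usernames be unique per library. Assumptions: the guide's "must be 8 characters" is read as a minimum of 8, the dictionary-word list is a small constructed stand-in, and the library names and credentials are constructed sample data.

```python
import re

# Constructed stand-in for a dictionary-word list (assumption); a real check
# would load a full wordlist rather than this handful of words.
DICTIONARY_WORDS = {"password", "backup", "library", "storage", "secure"}


def check_skm_client_password(password, dictionary=DICTIONARY_WORDS):
    """Return the list of policy rules the password violates (empty = acceptable).

    Rules follow the guide's planning step for ETLA client accounts. The guide
    says "must be 8 characters"; this reads it as a minimum of 8 (assumption).
    """
    problems = []
    if len(password) < 8:
        problems.append("must be at least 8 characters")
    if not password[:1].isalpha():          # empty string fails this rule too
        problems.append("must begin with a letter")
    if not re.search(r"[A-Za-z]", password):
        problems.append("must contain alphabetic characters")
    if not re.search(r"[0-9]", password):
        problems.append("must contain numeric characters")
    # Passwords are case-sensitive, but the dictionary check is done
    # case-insensitively so a capitalised word does not slip through (assumption).
    if password.lower() in dictionary:
        problems.append("must not be a dictionary word")
    return problems


def check_client_accounts(accounts):
    """Validate (library, username, password) planning entries.

    Returns {library: [problems]}; only libraries with problems are listed.
    Usernames may be any value but must be unique across ETLA libraries.
    """
    seen = {}
    report = {}
    for library, username, password in accounts:
        problems = check_skm_client_password(password)
        if username in seen:
            problems.append(f"username {username!r} already used by {seen[username]}")
        else:
            seen[username] = library
        if problems:
            report[library] = problems
    return report


# Constructed sample planning list: one good entry, one bad password, one duplicate username.
SAMPLE_ACCOUNTS = [
    ("Library-A", "lib-a-client", "Tape4Lib1"),
    ("Library-B", "lib-b-client", "2009Tape"),
    ("Library-C", "lib-a-client", "Vault99xx"),
]
```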
Enrolling the ETLA libraries with the SKM
Each of the ETLA libraries selected for encryption must be configured to use the SKM. This step consists of
installing digital certificates and configuring the library with the IP addresses of the SKM appliances.
The SKM installation will only include enrollment for the specific libraries in the installation scope of work.
The SKM installation does not include configuring the ETLA libraries for backups, connecting them to the
SAN, partitioning them, or updating their firmware to support configuring the library for backups.
Planning step: Ensure the ETLA libraries to be enrolled with the SKM have the latest firmware updates,
are partitioned (if necessary), and are operational for your backup requirements.
Secure Key Manager
39