HP StorageWorks Secure Key Manager pre-installation survey and checklists (AJ087-96009, May 2008)

ManualsBrandsHP ManualsStorageEncryption and Key Management

Also, review the physical security implications of having the SKM at a site. The SKM will contain keys to

your data, and is therefore of high value. Physical security must be appropriate to that value.

Planning step: Review the installation site(s) and ensure they have adequate capacity and security to

meet your business requirements, and to meet the equipment power, rack, and cooling requirements.

Designing a backup strategy for keys and audit logs

In addition to the SKM automated key replication, keys and logs can be backed up to and restored from

an external ﬁle. HP strongly recommends you backup keys regulary, and periodically test the restore

operation to ensure the processes work in the event they are needed. This planning includes who does

the backup, how often, how often the restore-test is performed, and where the backup ﬁles are stored.

Institute a m

ethod of logging these operations and versioning the backups.

Planning ste

p: Identify the server used to store backups. Have a backup schedule and a plan for testing

the backups.

Determining the appropriate key generation policies

Key generation policies allow the SO to centrally control and audit how encryption is performed. These

policies provide a crisp, unambiguous deﬁnition of when encryption is and is not performed. This

supports the SO’s broader ability to provide speciﬁc, auditable security policies for the data center.

Each partition in the library may have a different key generation policy, depending on the business

needs. If the library is not partitioned, then all LTO4 drives in the library have the same policy.

The HP SKM and ETLA libraries support the following key generation policies:

• Key per tape (KT) — Each LTO4 tape in the partition (or library) is encrypted with a different key.

All data written on the tape is encrypted with the same key, even if data is appended to the

media later. HP recommends using the Key per Tape policy.

• Key per partition, or key per library (KP) — All LTO4 tapes in the partition (or library) use one key.

The key remains in effect until you change it.

• No encryption (NE) — All LTO4 drives the in partition (or library, if the library is not partitioned)

read and write without any encryption. These drives are not conﬁgured to read encrypted data

from other partitions, either.

Planning step: For each library being enrolled with the SKM, list the desired key generation policy for

each partition. If the library is not partitioned, list the key generation policy for the entire library.

Meeting minimum ETLA hardware and ﬁrmware requirements

To be co

mpatible with the SKM, an ETLA must meet the following requirements:

• ESL libraries must be at version 6.22 or greater.

• EML libraries must be at version 1222 or greater.

• Inter

face controller (IFC) ﬁrmware must be at version 5.9.3d or greater.

• LTO4 drives on ESL libraries must be at version H36W or greater.

• LTO4 drives on EML libraries must be at version H36S or greater.

• Inte

rface Manager (IM) ﬁrmware must be at version I231 or greater.

• Command View TL software must be at version 2.3.01 or greater.

Planning step: For each ETLA connected to the SKM, ensure that these requirements are met prior to

beginning SKM installation. If necessary, upgrade the ﬁrmware.

Conﬁguring accounts for each ETLA library

Each ETLA library selected for encryption requires a client account on the SKM. These accounts provide a

unique username and password for the library, so the library can be authenticated when it logs in. The

usernamecanbeanyvalue,butmustbeuniqueforeachETLAlibrary.

pre-installation survey and checklists