HP StorageWorks Secure Key Manager Pre-installation survey and checklists, for connecting to ETLA libraries (AJ087-96012, November 2008)

Table Of Contents

NOTE:

Each node of the SKM cluster requires two (2) power connections to the rack’s power distribution unit.

Due to the size of the secure bezel, the SKM requires 2U of the rack per appliance, 1U for the appliance

and 1U blank below the appliance. HP recommends that a rack blank be installed in the unit directly

below each appliance.

Also, review the physical security implications of having the SKM at a site. The SKM will contain keys to

your data, and is therefore of high value. Physical security must be appropriate to that value.

Planning step: Review the installation site(s) and ensure they have adequate capacity and security to

meet your business requirements, and to meet the equipment power, rack, and cooling requirements.

Designing a backup strategy for keys and audit logs

In addition to the SKM automated key replication, keys and logs can be backed up to and restored from

an external ﬁ le. HP strongly recommends you back up keys regulary, and periodically test the restore

operation to ensure the processes work in the event they are needed. This planning includes who does

the backup, how often, how often the restore-test is performed, and where the backup ﬁles are stored.

Institute a method of logging these operations and versioning the backups.

Planning step: Identify the server used to store backups. Have a backup schedule and a plan for testing

the backups.

Determining the appropriate key generation policies

Key generation policies allow the SO to centrally control and audit how encryption is performed. These

policies provide a crisp, unambiguous deﬁnition of when encryption is and is not performed. This

supports the SO’s broader ability to provide speciﬁc, auditable security policies for the data center.

Each partition in the library may have a different key generation policy, depending on the business

needs. If the library is not partitioned, then all LTO4 drives in the library have the same policy.

The HP SKM and ETLA libraries support the following key generation policies:

• Key per tape (KT) — Each LTO4 tape in the partition (or library) is encrypted with a different key.

All data written on the tape is encrypted with the same key, even if data is appended to the media

later. HP recommends using the KT policy.

• Key per partition, or key per library (KP) — All LTO4 tapes in the partition (or library) use one key.

The key remains in effect until you change it.

• No encryption (NE) — All LTO4 drives in the partition (or library, if the library is not partitioned)

read and write without any encryption. These drives are not conﬁgured to read encrypted data

from other partitions, either.

Planning step: For each library being enrolled with the SKM, list the desired key generation policy for

each partition. If the library is not partitioned, list the key generation policy for the entire library.

Meeting minimum ETLA hardware and ﬁrmware requirements

To be compatible with the SKM, an ETLA must meet minimum hardware and ﬁrmware requirements. See

the HP StorageWorks Secure Key Manager product web page and consult the appropriate Quickspecs.

Planning step: For each ETLA connected to the SKM, ensure that these requirements are met prior to

beginning SKM installation. If necessary, upgrade the ﬁrmware.

Conﬁguring accounts for each ETLA library

Each ETLA library selected for encryption requires a client account on the SKM. These accounts provide a

unique username and password for the library, so the library can be authenticated when it logs in. The

usernamecanbeanyvalue,butmustbeuniqueforeachETLAlibrary.

Pre-installation survey and checklists, for connecting to ETLA libraries