User's Manual
Planning
Encryption setup guidelines
When setting up HP Secure Encryption, consider the information described in the following table.
Configuration: Encryption mode
Options:
• Local Key Management Mode
• Remote Key Management Mode
Deciding factors:
Choose Local Key Management Mode when:
• Data is stored at a site without network access.
• In a small deployment center or lab
• Manual key management is available.
Choose Remote Key Management Mode when:
• Using a large number of servers
• A network is available between the HP ESKM and a server.
• Automatic key management is preferred, including backups and redundancy configurations

Configuration: Plaintext volumes
Options:
• Allow
• Disallow (default)
Deciding factors:
Allow future plaintext logical drives when:
• Drive migration might occur to a non-encrypting controller.
• Data is not privacy-sensitive.
For more information, see "Enabling/disabling plaintext volumes" (on page 45).

Configuration: Key naming conventions
Options: Master Encryption Keys are customizable.
Deciding factors: Create a specific naming convention when managing multiple keys and multiple servers.
Recommended security settings at remote sites
For added security, HP recommends the following configuration when operating HP Secure Encryption at
remote sites outside the main data center.
• Firmware lock enabled ("Enabling/disabling the firmware lock" on page 46)
• Controller password enabled ("Set or change the controller password" on page 36)
• Plaintext volumes disabled ("Enabling/disabling plaintext volumes" on page 45)
• Local Key Cache disabled (applies to Remote Key Management Mode only)
Encrypted backups
At system startup, all encrypted data-at-rest becomes accessible to the host system in unencrypted form via the
controller and the appropriate keys. This method of startup allows the system to boot into an operating system
installed on an encrypted volume. As a result, encrypted backups are not available, and all data appears