Hp Secure Encryption Users Manual Installation And User Guide

2015-01-05

: Hp Hp-Secure-Encryption-Users-Manual-156151 hp-secure-encryption-users-manual-156151 hp pdf

Open the PDF directly: View PDF .
Page Count: 77

Download
Open PDF In Browser	View PDF

HP Secure Encryption
Installation and User Guide

Abstract
This document includes feature, installation, and configuration information about HP Secure Encryption and is for the person who installs,
administers, and troubleshoots servers and storage systems. HP assumes you are qualified in the servicing of computer equipment and trained in
recognizing hazards in products with hazardous energy levels.

Part Number: 759078-002
August 2014
Edition: 2

© Copyright 2014 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
Microsoft® is a U.S. registered trademark of Microsoft Corporation.Google™ is a trademark of Google Inc.

Contents
Overview ..................................................................................................................................... 5
About HP Secure Encryption .......................................................................................................................... 5
Benefits ............................................................................................................................................. 6
Encryption features ............................................................................................................................. 6
HP ProLiant servers ............................................................................................................................. 9
Solution components ........................................................................................................................... 9

Planning .................................................................................................................................... 13
Encryption setup guidelines ......................................................................................................................... 13
Recommended security settings at remote sites .............................................................................................. 13
Encrypted backups ..................................................................................................................................... 13
Security domains ........................................................................................................................................ 14
Deployment scenarios ................................................................................................................................. 14
Remote and local key management requirements ................................................................................. 14

Configuration ............................................................................................................................. 15
Local key management mode ...................................................................................................................... 15
Configuring the controller (local mode) ............................................................................................... 15
Remote Key Management Mode .................................................................................................................. 17
Configuring Remote Key Management Mode ...................................................................................... 17
Configuring the controller (remote mode) ............................................................................................ 31

Operations................................................................................................................................. 33
Accessing Encryption Manager ................................................................................................................... 33
Opening Encryption Manager ........................................................................................................... 33
Logging into Encryption Manager ...................................................................................................... 33
Managing passwords ................................................................................................................................. 34
Set or change the Crypto Officer password ........................................................................................ 34
Set or change the password recovery question .................................................................................... 35
Set or change user account password ................................................................................................ 35
Set or change the controller password ................................................................................................ 36
Suspending the controller password ................................................................................................... 37
Resuming the controller password ...................................................................................................... 38
Working with keys ..................................................................................................................................... 39
Changing the Master Encryption Key ................................................................................................. 39
Rekeying the Drive Encryption Keys .................................................................................................... 39
Rescanning keys .............................................................................................................................. 40
Creating a plaintext volume......................................................................................................................... 40
Converting plaintext volumes into encrypted volumes ..................................................................................... 43
Changing key management modes .............................................................................................................. 44
Enabling/disabling plaintext volumes ........................................................................................................... 45
Enabling/disabling the firmware lock ........................................................................................................... 46
Enabling/disabling local key cache ............................................................................................................. 47
Importing drive sets in Local Key Management Mode..................................................................................... 48
Importing drives with different Master Keys ......................................................................................... 48

Maintenance .............................................................................................................................. 50
Controllers ................................................................................................................................................. 50

Contents

Clearing the controller ...................................................................................................................... 50
Replacing an encrypted controller ...................................................................................................... 50
Replacing a server while retaining the controller .................................................................................. 50
Preconfiguring replacement components ............................................................................................. 50
Flashing firmware............................................................................................................................. 51
Drives ....................................................................................................................................................... 51
Replacing a physical drive ................................................................................................................ 51
Validating the number of encrypted drives for license compliance ......................................................... 51
Groups ..................................................................................................................................................... 52
Locating groups associated with a drive ............................................................................................. 52
Displaying log information .......................................................................................................................... 56
Running queries ......................................................................................................................................... 57

Troubleshooting .......................................................................................................................... 61
Common issues .......................................................................................................................................... 61
Lost or forgotten Crypto Officer password ........................................................................................... 61
Lost or forgotten controller password .................................................................................................. 61
Lost or forgotten Master Key .............................................................................................................. 62
Forgotten which Master key goes with which drive .............................................................................. 64
Logical drives remain offline .............................................................................................................. 65
Master key not exporting .................................................................................................................. 65
Testing the connection between HP iLO and the HP ESKM .............................................................................. 66
Potential errors encountered ........................................................................................................................ 67
Clearing the encryption configuration ........................................................................................................... 69

Support and other resources ........................................................................................................ 70
Before you contact HP ................................................................................................................................ 70
HP contact information ................................................................................................................................ 70

Appendix................................................................................................................................... 71
Encryption algorithms ................................................................................................................................. 71

Glossary .................................................................................................................................... 72
Documentation feedback ............................................................................................................. 75
Index ......................................................................................................................................... 76

Contents

Overview
About HP Secure Encryption
HP Secure Encryption is a controller-based, enterprise-class data encryption solution that protects data at rest
on bulk storage hard drives and SSDs attached to a compatible HP Smart Array Controller. The solution is
compatible with the HP Enterprise Secure Key Manager, and can operate with or without the presence of a
key manager in the environment, depending on individual customer settings.
HP Secure Encryption provides encryption for data at rest as an important component for complying with
sensitive data protection requirements including PCI-DSS, HIPAA/HITECH, Sarbanes/Oxley, and state
privacy laws. HP Secure Encryption secures any data deemed sensitive and requiring extra levels of
protection through the application of XTS-AES 256-bit data encryption. Many companies under government
regulations require that sensitive privacy data must be secured and uncompromised using NIST-approved
algorithms and methodologies for key management. As a result, HP has applied for FIPS-140-2 Level 2
validation for controllers supporting encryption. For more information, see the the Cryptographic Module
Validation Program (CMVP) on the National Institute of Standards and Technology website
(http://csrc.nist.gov/groups/STM/cmvp/index.html).
HP Secure Encryption requires the following core components:

•

HP ProLiant Gen8 or later server. For more information, see "HP ProLiant servers (on page 9)."

•

HP Smart Array Controller. For a list of currently supported controllers, see "HP Smart Array Controller
(on page 10)."

•

HP Secure Encryption license, per drive

•

HP Smart Storage Administrator, version 1.60 or later

•

Compatible SAS/SATA hard drive or SSD

•

Compatible storage enclosure

HP Secure Encryption can operate in Remote Key Management Mode, or Remote Mode, through the use of
a separate, clustered, appliance-based server called the HP Enterprise Secure Key Manager 3.1 and later.
The HP ESKM manages all encryption keys throughout the data center. When utilizing the HP ESKM, the
communication path between the HP ESKM and the HP Smart Array Controller is established through the HP
iLO interface. The controller communicates with the HP ESKM as new keys are generated and as old keys are
retired. The HP ESKM acts as a key vault where all keys are managed via a web browser interface. For more
information about the HP ESKM, see "HP Enterprise Secure Key Manager 3.1 and later (on page 11)." For
more information about HP iLO connectivity, see "HP iLO (on page 10)."
The following additional components are required for operating HP Secure Encryption in Remote Mode:

•

Integrated Lights Out (iLO) Advanced or Scale Out Edition license, per ProLiant server

•

HP Enterprise Secure Key Manager 3.1 and later

HP Secure Encryption can also operate without an attached key management solution through Local Key
Management Mode, or Local Mode.

Overview 5

Benefits
Broad encryption coverage

•

Encrypts data on both the attached bulk storage and the cache memory of HP Smart Array Controllers

•

Supports any hard drive or SSD in the Smart Drive portfolio for HP ProLiant Gen8 or later servers or the
Supported Storage Enclosures

High availability and scalability

•

Scales with the amount of data privacy requirements
o

Server counts up to 25,000

Millions of drives

Millions of encryption keys

The HP ESKM supports High Availability Clustering, from 2-8 modes.

Simplified deployment and management

•

HP Smart Storage Administrator configures the cryptographic features of HP Secure Encryption, and
manages the controller and other direct-attached storage devices

Helps users meet compliance regulations

•

The HP ESKM has completed FIPS 140-2 Level-2 validation, certificate #1922

•

HP has applied for FIPS 140-2 Level-2 validation for the HP Smart Array family of controllers

Encryption features
Most HP Secure Encryption features and security settings are available through HP Smart Storage
Administrator. Additional features for Remote Mode deployments are available through HP Enterprise Secure
Key Manager 3.1 and later and Integrated Lights Out (iLO).
Feature

Description

Notes

Automatic key management

Encryption keys are automatically
created, saved, and deleted by HP Smart
Array Controllers without the need for
user intervention or management when
logical drives are created or deleted.
HP Secure Encryption has been designed
to meet NIST-approved standards. HP is
in the process of applying for FIPS 140-2
Level 2 validation for HP Secure
Encryption. The HP ESKM has completed
FIPS 140-2 Level-2 validation, certificate
#1922.
HP Secure Encryption helps enterprises
comply with the data privacy and
protection requirements associated with
the U.S. Health Insurance Portability and
Accountability Act (HIPAA) and the
Sarbanes-Oxley Acts.

—

Compliance

For more information, see
"Encryption Algorithms (on page
71)."

Overview 6

Feature

Description

Notes

Controller key cache

HP Smart Array Controllers can optionally
store all keys required at boot time inside
the controller, enabling the server to
survive a variety of network outages.
Protects the server in the event of theft by
applying a secondary password upon
boot to lock down the controller.

Remote Mode only

Controller password

Dynamic Encryption

Encryption keys

Firmware lock

Enables smooth transitions between local
and remote modes, the conversion of
plaintext data to encrypted data, and
rekey services for both data and key
wraps.
Data is protected using a series of keys
that provide layered protection at the
volume and drive levels. The solution
utilizes XTS-AES 256-bit encryption.
Prevents controller firmware from being
updated unintentionally or by
unauthorized personnel.

For more information, see "Set or
change the controller password (on
page 36)."
—

—

For more information, see
"Enabling/disabling the firmware
lock (on page 46)."

Hardware-based encryption

Utilizes the HP Smart Array Controller
For more information about Smart
hardware to accelerate all cryptographic Array controllers, see the HP website
algorithms when securing data and keys. (http://www.hp.com/products/sma
rtarray).

HP Enterprise Secure Key
Manager 3.1 and later

The HP ESKM or later unifies and
automates an organization’s encryption
controls by securely creating, protecting,
serving, controlling, and auditing access
to encryption keys.
Individual Drive Encryption Keys are
visible by serial number identification on
the HP ESKM to enable unique tracking
and management from a central location.
The HP ESKM supports query by serial
number, server name, bay number, PCI
slot, and date.
HP Smart Storage Administrator
v1.60.xx.0 and later provides the
configuration and management of the
cryptographic features of HP Secure
Encryption associated with HP Smart
Array Controllers.

HP ESKM key search

HP Smart Storage
Administrator

Remote Mode only. For more
information, see "HP Enterprise
Secure Key Manager 3.1 and later
(on page 11)."
Remote Mode only. For more
information, see "Running queries
(on page 57)."

For more information, see "HP Smart
Storage Administrator (on page 9)."

Overview 7

Feature

Description

HP iLO Management is a comprehensive
set of embedded management features
supporting the complete lifecycle of the
server, from initial deployment, through
ongoing management, to service alerting
and remote support. HP iLO is provided
on all HP ProLiant Gen8 and later servers.
HP iLO 4 Advanced or Scale Out editions
v1.40 or later connect and auto-register
with the HP ESKM. HP iLO provides key
exchange support between the HP Smart
Array Controller and the HP ESKM to
enable pre-boot support for OS disk
encryption. Audit support is provided for
all key management transactions.
Provides ability to instantly,
Instant volume erase
cryptographically erase logical volumes
without having to delete the volume first
Supports
the rekeying of all keys utilized
Key rotation support
by the controller to enable a robust key
rotation strategy
Local Key Management Mode Focused on single server deployments
where there is one Master Encryption Key
per controller that is managed by the user.
In Local Mode, all volumes still have their
own unique key for data encryption.
As
a security feature, data volumes
One-way encryption
cannot be converted back to plaintext
after the volume is encrypted. Restoration
of data is required to revert back to
plaintext.
Supports
the ability to preconfigure all
Pre-deployment support
cryptographic security settings while in a
server, then store the powered-off
controller for later use while retaining the
settings securely.
Designed for enterprise-wide
Remote Key Management
deployments with the HP Smart Array
Mode
Controller. It requires the HP Enterprise
Secure Key Manager 3.1 and later to
manage all keys related to encryption
deployments. All keys are managed
automatically between the HP Smart
Array Controller, HP iLO and the HP
ESKM.
The
feature clears all secrets, keys, and
Security reset function
passwords from the controller, and places
the controller's encryption configuration
in a factory new state.
HP Secure Encryption supports two roles
Two encryption roles
for managing encryption services: a
Crypto Officer role and a User role.
Integrated Lights Out (iLO)

Notes
Remote Mode only. For more
information, see "HP iLO (on page
10)."

—

For more information, see "Local Key
Management Mode (on page 15)."

—

For more information, see "Remote
Key Management Mode (on page
17)."

For more information, see "Clearing
the encryption configuration (on
page 69)."
—

Overview 8

Feature

Description

Notes

Volume level encryption

Provides flexibility in allowing the user to —
selectively encrypt at the volume or logical
drive level regardless of RAID level.

HP ProLiant servers
The following HP ProLiant server components are compatible with HP Secure Encryption:
Component

Gen8 Model

Gen9 Model

Blades

•
•
•
•

BL420c
BL460c
BL465c
BL660c

BL460c

•
•

ML350e V2
ML350p

ML350

Rack

•
•
•
•
•
•
•

DL320e Gen8 v2
DL360e/p
DL380e/p
DL385p
DL560
DL580
Apollo 6000

•
•
•
•

•
•
•

SL270s
SL210t
SL4540*

SL4540*

Other

WS460c

DL360
DL380
DL160
DL180

—

*External storage

For more information about HP ProLiant servers, see the HP website
(http://www.hp.com/go/proliantgen8/docs).

Solution components
HP Smart Storage Administrator
HP SSA is a configuration and management tool for HP Smart Array controllers. Starting with HP ProLiant
Gen8 servers, HP SSA replaces ACU with an enhanced GUI and additional configuration features.
HP SSA exists in three interface formats: the HP SSA GUI, the HP SSA CLI, and HP SSA Scripting. Although
all formats provide support for configuration tasks, some of the advanced tasks are available in only one
format.
Some HP SSA features include the following:

•

Supports online array capacity expansion, logical drive extension, assignment of online spares, and
RAID or stripe size migration

•

Suggests the optimal configuration for an unconfigured system

•

Provides diagnostic and SmartSSD Wear Gauge functionality on the Diagnostics tab

•

For supported controllers, provides access to additional features.

Overview 9

For more information about HP SSA, see the HP website (http://www.hp.com/go/hpssa).

Minimum requirements
For minimum operating system requirements to run any HP SSA format, see the HP website
(http://www.hp.com/go/ossupport).
Minimum video requirements to run the HP SSA GUI include a minimum monitor resolution of 1024x768 and
16-bit color. The GUI supports the following browsers:

•

Mozilla Firefox 9.0 or later

•

Microsoft Internet Explorer 8.0 or later

•

Google Chrome

For a list of supported controllers, see HP Smart Array RAID Controllers on the HP website
(http://www.hp.com/go/smartarray).

HP Smart Array Controller
HP Secure Encryption is supported on HP Smart Array PX3X and PX4X controllers, and HP Smart HBAs
operating in RAID mode.
For more information about controllers supporting HP Secure Encryption, see the HP website
(http://www.hp.com/go/smartarray).
For more information about HP Smart Array controllers, see the appropriate Smart Array controller user
guide on the HP website (http://www.hp.com/go/smartstorage/docs).

HP SmartCache
HP SmartCache can be used in conjunction with HP Secure Encryption. HP SmartCache enables solid state
drives to be used as caching devices for hard drive media. Data can be accessed from the solid state drive
instead of hard drives. Data stored on the HP SmartCache drive utilizes the same encryption methods and
keys as the originating volume where the data is permanently stored, extending protection to the HP
SmartCache drives.
HP SmartCache provides the following features:

•

Accelerates application performance

•

Provides lower latency for transactions in applications

•

Supports all operating systems, without the need for changes

HP SmartCache requires an HP SmartCache license. For more information, or to obtain a license, see the
SmartCache website (http://www.hp.com/go/smartcache).

HP iLO
HP iLO Management is a set of embedded management features that support the complete life cycle of the
server, from initial deployment, to ongoing management, to service alerting and remote support.
The HP iLO subsystem is a standard component of HP ProLiant servers that simplifies initial server setup,
server health monitoring, power and thermal optimization, remote server administration, and key exchanges
between the HP ESKM and the HP Smart Array Controller. The HP iLO subsystem includes an intelligent
microprocessor, secure memory, and a dedicated network interface. This design makes HP iLO independent
of the host server and its operating system. This system provides client credentials, registration to the key
Overview 10

management database, key management, encryption activation, and audit support for the devices within the
platform.
For the full implementation of HP Secure Encryption with the HP ESKM, HP iLO Advanced or HP iLO Scale
Out editions are required to connect and auto-register with the HP ESKM. HP iLO provides key exchange
support between the HP Smart Array Controller and the HP ESKM to enable pre-boot support for OS disk
encryption. Audit support is provided for all for key management transactions.
For more information about HP iLO, see the HP website (http://www.hp.com/go/ilo).

HP Enterprise Secure Key Manager 3.1 and later
HP Enterprise Secure Key Manager 3.1 and later acts as a secure, reliable repository for keys used by HP
Secure Encryption. In Remote Key Management Mode, HP iLO connects to the HP ESKM using
username/password and digital certificate authentication to securely store and retrieve keys. Each HP iLO
must be registered as an HP ESKM user by an administrator, or Crypto Officer, of the HP ESKM for access
to be granted. If a user is registered and has the necessary permissions, the HP ESKM accepts requests and
provides keys to the client. As standard practice, communication with the HP ESKM is configured for SSL to
ensure the security of the connection and authorized access to keys.
The HP ESKM keys and users can be organized into different groups depending on the policies set by an
administrator. These groups determine whether a particular user can retrieve a particular key, and supports
both key sharing and separation for multi-tenant and hosted service provider environments.
Characteristics

•

Used only in Remote Mode, requiring a network connection

•

Supports high-availability clustering of 2-8 HP ESKM nodes for automatic replication and failover

•

Provides key services to HP iLO clients using username and password, certificate authentication, or both

•

Communicates using SSL encryption to ensure the security of the connection and authorized access to
keys

•

Provides reliable, secure access to business-critical encryption keys

•

Supports audit and compliance requirements, including PCI-DSS and HIPAA/HITECH

•

Provides scalability for multiple data centers, thousands of clients, and millions of keys

•

Uses a FIPS-140-2 Level 2 validated secure appliance which supports the latest NIST cryptographic
guidance

HP ESKM and key management
The HP Smart Array Controller manages keys by separating them into the following categories:

•

Keys stored off-controller on the HP ESKM

•

Keys stored on the drive media

•

Keys stored on the controller

The separation of keys helps ensure the safety of the data residing on the drives, the portability of the drives,
and the ability to manage keys in a centralized manner. The controller uses the HP ESKM to back up a
segment of its keys using an encryption method that protects the keys from exposure in plaintext.

Overview 11

Licensing
HP Secure Encryption licensing is based on the number of physical drives requiring encryption. You will need
one HP Secure Encryption license per drive.
To operate HP Secure Encryption in Local Key Management Mode, you will need the following HP Secure
Encryption license:

•

HP Secure Encryption E-LTU 24x7 Supp Lic D8S85AAE

•

HP Secure Encryption 1 Svr 24x7 Supp Lic D8S84A

Remote Key Management Mode requires the following additional licenses:

•
•

Integrated Lights Out (iLO), Advanced or Scale Out edition
One HP Enterprise Secure Key Manager 3.1 and later Client License per HP ProLiant server

Overview 12

Planning
Encryption setup guidelines
When setting up HP Secure Encryption, consider the information described in the following table.
Configuration

Options

Deciding factors

Encryption mode

•

Choose Local Key Management Mode when:

•

Local Key
Management Mode
Remote Key
Management Mode

•
•
•

Data is stored at a site without network access.
In a small deployment center or lab
Manual key management is available.

Choose Remote Key Management Mode when:

•
•
•

Plaintext volumes

•
•

Allow
Disallow (default)

Using a large number of servers
A network is available between the HP ESKM
and a server.
Automatic key management is preferred,
including backups and redundancy
configurations

Allow future plaintext logical drives when:

•
•

Drive migration might occur to a non-encrypting
controller.
Data is not privacy-sensitive.

For more information, see "Enabling/disabling
plaintext volumes (on page 45)."
Key naming conventions

Master Encryption Keys
are customizable.

Create a specific naming convention when
managing multiple keys and multiple servers.

Recommended security settings at remote sites
For added security, HP recommends the following configuration when operating HP Secure Encryption at
remote sites outside the main data center.

•

Firmware lock enabled ("Enabling/disabling the firmware lock" on page 46)

•

Controller password enabled ("Set or change the controller password" on page 36)

•

Plaintext volumes disabled ("Enabling/disabling plaintext volumes" on page 45)

•

Local Key Cache disabled
Applies to Remote Key Management Mode only

Encrypted backups
At system startup, all encrypted data-at-rest becomes accessible to the host system in unencrypted form via the
controller and the appropriate keys. This method of startup allows the system to boot into an operating system
installed on an encrypted volume. As a result, encrypted backups are not available, and all data appears

Planning

unencrypted when accessed from the host system and placed on tape. Software or hardware utilizing an
independent encryption feature is not impacted by HP Secure Encryption.

Security domains
A security domain is a blueprint for separating out different groups of servers or key management escrows
where access to a set of keys is inhibited by the structure of the various domains. The best mechanisms for
establishing separate security domains are either through the use of separate HP ESKM or via the use of
groups within the HP ESKM. Unique groups provide a software mechanism for each server to partition off
their key sets from one server to another. Groups are created on the HP ESKM and assigned to a server via
the HP iLO Key Manager page. For more information, see "Remote Key Management Mode (on page 17)."

Deployment scenarios
Remote and local key management requirements
Use the table below to determine which encryption mode is right for you.
Mode parameters

Local Key Management Mode

Remote Key Management Mode

Number of servers

<99 (recommended)

100 or more

Support of HP ESKM by customer

Yes

No
Utilize Integrated Lights Out (iLO)
Advanced or Scale Out License in the
infrastructure
No
Requirement to escrow keys

Yes

Poor or no network connectivity to HP Yes
ESKM

Manual tracking of keys

Planning

Configuration
Local key management mode
Local Key Management Mode, or Local Mode, is a solution designed for small to medium-size data centers
using few encrypting controllers. The solution utilizes a paraphrase password, or Master Encryption Key
name, to set the security on the controller and enable encryption. The paraphrase password must be tracked
independently of the controllers, in case the controller needs replacement or drive migration is required
among controllers with different passwords. In local mode, the Master Key name is considered a
cryptographic secret and should be protected as such. Key creation and management is maintained at the
local controller level without the use of a key manager.
Characteristics

•

Requires physical paraphrase password management, such as writing and storing Master Key
information in a notebook or computer file

•

Utilizes one paraphrase password-derived 256-bit key to encrypt a unique, per-volume XTS-AES
256-bit data encryption key

Prerequisites

•

An installed HP Smart Array Controller compatible with HP Secure Encryption

•

A valid HP Secure Encryption license for each drive to be encrypted

•

HP Smart Storage Administrator v1.60.xx.0 and later

•

HP ProLiant Gen8 or later server

Configuring the controller (local mode)
IMPORTANT: HP recommends that you keep a record of the Master Encryption Keys when
encryption is configured in Local Mode. The local Master Encryption Key is not displayed by any
available tool or firmware because it is considered a cryptographic secret by FIPS 140-2. HP
Secure Encryption design follows the NIST architecture requirements and does not allow HP to
assist in the recovery of a lost Master Encryption Key.

To configure the controller to operate in Local Key Management Mode:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Configuration

Click Perform Initial Setup.

The following screen appears.

Complete the following:
o

Under Create Crypto Officer Password, enter, and re-enter the password in the fields provided.

Under Encryption Mode, select either:

— Enable and Allow Future Plaintext Volumes: Allowing future plaintext volumes still requires

authentication by the Crypto Officer or the User before a plaintext volume can be created.

— Enable and Disallow Future Plaintext Volumes: This option prevents the creation of new plaintext

volumes on the controller. This setting can be changed later by the Crypto Officer. Selecting this
option does not prevent the migration of a set of drives with existing plaintext volumes to the
controller.

Enter the Master Key name in the field provided. The Master Key name must be between 10 and 64
characters.

Configuration

Under Key Management Mode, select Local Key Management Mode.

Click OK.

A warning appears, prompting the user to record the Master Key. Click Yes to continue.

If you have read and agree to the terms of the EULA, select the check box and click Accept.

A summary screen appears indicating the controller has been successfully configured for encryption
use. Click Finish to continue.

The Encryption Manager screen appears with updated Settings, Accounts and Utilities options.
IMPORTANT: HP recommends setting up a password recovery question and answer after initial
configuration. If the Crypto Officer password is lost and a recovery question and answer have not
been set, you will need to erase and reconfigure all HP Secure Encryption settings in order to reset
the Crypto Officer password. For more information, see "Set or change the password recovery
question (on page 35)."

Remote Key Management Mode
IMPORTANT: HP Enterprise Secure Key Manager 3.1 and later must already be installed and
configured to operate HP Secure Encryption in Remote Mode. For more information, see
"Configuring the HP ESKM 3.1 ("Configuring the HP ESKM" on page 18)."
In Remote Key Management Mode, keys are imported and exported between the controller and the HP
ESKM, which provides a redundant, secure store with continuous access to the keys. To enable key
exchanges between the HP Smart Array Controller and the HP ESKM, a network connection is required both
during pre-OS boot time and during OS operations. Because the controller does not have direct network
access capabilities, HP iLO provides the necessary network access to facilitate key exchanges between the
controller and the HP ESKM. HP iLO has both network presence and is constantly running on AUX power
regardless of the server state. The keys exchanged between HP iLO, HP ESKM, and the controller are all
secured.
Characteristics

•

High volume key storage

•

Keys are kept in separate storage from servers to protect against physical removal

•

Requires network availability and a remote key management system

Configuring Remote Key Management Mode
IMPORTANT: HP Secure Encryption and other HP encryption client products must be
coordinated for a successful installation and configuration. It is recommended to refer to each
product's user guide to ensure proper installation and encryption protection.
To configure HP Secure Encryption to operate in Remote mode:
1.

Configure the HP ESKM ("Configuring the HP ESKM" on page 18). For more information about
installation, configuration and operation of the HP ESKM, see the HP Enterprise Secure Key Manager
User Guide and the HP Installation and Replacement Guide.

Connect HP iLO to the HP ESKM ("Connecting HP iLO to HP ESKM" on page 29).

Install HP SSA. For more information, see the HP Smart Storage Administrator User Guide.

Configuration

Configure the HP Smart Array Controller ("Configuring the controller (remote mode)" on page 31,
"Configuring the controller (local mode)" on page 15).

Configuring the HP ESKM
1.

Create initial user accounts ("Adding a user" on page 18).
a. Create a temporary user account for deployment.
b. Create a user account to host Master Encryption Keys.

Create a group ("Adding a group" on page 20).

Assign the user account for hosting Master Encryption Keys to the group created in step 3 ("Assigning
a user to a group" on page 21).

Create a Master Encryption Key to be used by the controller ("Creating a Master Key" on page 24).Be
sure to set the owner of the key to the user account created to host the Master Encryption Key created
in Step 2b.

Place the Master Encryption Key in the group created in step 3 ("Placing a key in a group" on page 25).

Logging in to the HP ESKM
1.

Open a new browser window and enter the IPv4 address and web administration port number using
https. The port is user-configurable. The default port is 9443.
Example: https://11.12.13.14:9443

Adding a user
IMPORTANT: Passwords must contain at least five different characters. Passwords cannot:
• Contain only whitespace
• Resemble a phone number, dictionary word or reversed dictionary word
• Be based on the username associated with the password
The deployment user is the first user account created and is typically deleted after initial configuration has
been completed. It is a temporary account set up to allow HP iLO to connect to the HP ESKM and begin using
keys. Subsequent standard user accounts are assigned Master Encryption Keys and are not considered
temporary.
To add a user:
1.

Configuration

Click the Security tab.

Click Local Users & Groups.

Under Local Users, click Add.

Configuration

The following fields appear.

Complete the following fields:
a. Username
b. Password
c.

If this is the deployment user account, select the User Administration Permission and Change
Password Permission check boxes.

d. If this is a standard user account, leave the User Administration Permission and Change Password

Permission check boxes empty.
6.

Click Save.

Adding a group
Groups enable you to organize a set of servers together and restrict access only to a specific set of users.
To add a group:
1.

Click on the Security tab.

Configuration

Click Local Users & Groups.

Under Local Groups, click Add.

Enter the group name in the Group entry field.

Click Save.

Assigning a user to a group
1.

Configuration

Click on the Security tab.

Click Local Users & Groups.

Under Local Groups, select the group name and click Properties.

Configuration

A new window appears, listing the group properties.

Click Add.

Enter the Username in the field provided.

Click Save.

Configuration

Creating a Master Key
The steps below outline how to create a key in the HP ESKM. The HP ESKM does not differentiate between
key types such as Master Encryption Key or Drive Encryption Key. If creating a Master Encryption Key, HP
recommends applying a specific Master Encryption Key naming convention to distinguish the Master Key
from all other keys created in the HP ESKM.
To create a key:
1.

Click the Security tab.

From the left side panel, expand the Keys menu, and then click Create Keys.

The following screen appears.

Configuration

Under the section Create Key, complete the following:
o

Key Name: Enter the preferred key name.
The name must consist only of US-ASCII letters, numbers, or the underscore or hyphen characters,
and must be between 8 and 64 characters. The minimum character length is required by the Smart
Array controller, not by the ESKM.

Owner Username: Enter the name of the user account to be paired with the key. If creating the
Master Encryption Key, do not assign keys to the deployment user account.

Algorithm: Select AES-256.

Select the Exportable checkbox. Leave the remaining fields as the default values.

Click Create. You will receive a notification that the key was created successfully.

Placing a key in a group
A key must be assigned a group in order to enable access by HP iLO. To place a key in a group, do the
following:
1.

Run a key query and locate the key created ("Running a key query" on page 25).

Assign the key to a group ("Assigning a key to a group" on page 27).

Running a key query
1.

Click the Security tab.

Configuration

From the left side panel, expand the Keys menu and click Query Keys.

Configuration

The following screen appears.

Under Create Query, complete the following:
a. Query Name: Enter a query name here. Your query will be saved for future use.
b. Choose Keys Where drop down menu: select Owner, or Key Name. Two additional Choose Keys

Where fields appear.

Complete the following fields:
a. Field 1: Leave as default.
b. Field 2: Leave as default.
c.

Field 3: Enter the user account name associated with the Master Key, or the Master Key name,
depending on your selection for Choose Keys Where.

Click Save and Run Query. A results screen appears, displaying the Master Key name.

Assigning a key to a group
1.

Run a key query for the preferred key ("Running a key query" on page 25).

Configuration

Select the key, and then click Properties.

A new Key and Policy Configuration screen appears. Click the Permissions tab.

Under Group Permissions, complete the following:
a. In the Group field, enter the Group name created previously.
b. Under Export, select Always.

Click Save. The screen will refresh and list the group permissions.

Configuring HP iLO
Integrated Lights Out (iLO) manages key exchanges between the HP ESKM and the Smart Array controller.
HP iLO initially uses user credentials with administrative privileges created on the HP ESKM to automatically
register and create a private, unique, MAC address-based username account for all key exchanges. The
administrative account is termed the deployment user account. All HP iLO accounts can be viewed in the HP
ESKM under Users And Groups and take the form iLO-MAC Address. The HP iLO-specific account is placed
in the group indicated in the group field on the HP iLO Key Manager page. If the group does not exist, HP
iLO creates one and places the account in that group along with all future keys generated.
Prerequisites

Configuration

•

The HP ESKM must be configured with a deployment user. For more information, see "Configuring the
HP ESKM (on page 18)."

•

HP iLO must be installed and operating properly with the appropriate iLO-supporting license. For more
information, see the HP website (http://www.hp.com/go/ilo).

Connecting HP iLO to HP ESKM
If you intend to use a second HP ESKM for a redundant key repository, complete the fields under Secondary
Key Server and select the Enable Enterprise Secure Key Manager Redundancy checkbox. HP strongly
recommends a redundant pair of HP ESKM devices in a cluster configuration.
To connect HP iLO to the HP ESKM:
1.

From the left side panel, expand the Administration menu and select Key Manager.

Configuration

The Enterprise Secure Key Manager configuration page appears.

Under Key Manager Servers, complete the following:
a. Primary Key Server:

— Enter the primary IP address of the HP ESKM in the Address field.
— Enter the primary port number of the HP ESKM in the Port field. This port number should match
the value on the HP ESKM, located on the Device tab under KMS Server Settings. SSL should be
enabled on the HP ESKM as well.

b. Optional: Secondary Key Server:

— Enter the secondary IP address of the HP ESKM in the Address field.
— Enter the secondary port number of the HP ESKM in the Port field.
c.
5.

Optional: Select the Require Redundancy checkbox.

Click Apply. A confirmation message appears.

Configuration

Under Key Manager Configuration, enter the group name created previously in the HP ESKM in the
Group field.

Under ESKM Administrator Account, complete the following fields using the deployment username and
password created earlier on the HP ESKM.
a. Login Name: Enter the deployment account username.
b. Password: Enter the deployment account password.

Click Update ESKM. A confirmation screen appears indicating the configuration was saved and
connected successfully.

Configuring the controller (remote mode)
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Click Perform Initial Setup.

A new screen appears.

Configuration

Complete the following:
o

Under Create Crypto Officer Password, enter and re-enter the password in the fields provided.

Under Encryption Mode, select one of the following:

— Enable and Allow Future Plaintext Volumes: Allowing future plaintext volumes still requires

authentication by the Crypto Officer or the User if attempting to create a plaintext logical drive.

— Enable and Disallow Future Plaintext Volumes: This option prevents the creation of new plaintext

Enter the name of the Master Key that was created on the ESKM in the field provided. The Master
Key name must be between 8 and 64 characters.

Under Key Management Mode, select Remote Key Management Mode.

Click OK.

A EULA screen appears. If you have read and agree to the terms of the EULA, select the check box and
click Accept.

A summary screen appears indicating the controller has been successfully configured for encryption
use. Click Finish to continue.

The Encryption Manager home screen appears with updated Settings, Accounts, and Utilities options.
IMPORTANT: HP recommends setting up a password recovery question and answer after initial
configuration. If the Crypto Officer password is lost and a recovery question and answer have not
been set, you will need to erase and reconfigure all HP Secure Encryption settings in order to reset
the Crypto Officer password. For more information, see "Set or change the password recovery
question (on page 35)."

Configuration

Operations
Accessing Encryption Manager
Opening Encryption Manager
1.

Start HP SSA. For more information, see the HP Smart Storage Administrator User Guide.

Select an HP Secure Encryption-compatible controller.

Click Configure.

Under Tools, click Encryption Manager.

Logging into Encryption Manager
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Operations

Click Encryption Login.

A new window appears. Select an account to log in with and enter the password in the field provided.

Click OK to continue.

Managing passwords
NOTE: Valid passwords must be 8 to 16 US-ASCII characters long and contain the following:
•
•
•
•

At
At
At
At

least
least
least
least

one
one
one
one

lowercase letter
uppercase letter
number
non-alphanumeric character, such as # or $

Set or change the Crypto Officer password
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Accounts, locate Crypto Officer Password. Click Set/Change Crypto Officer Password.

Operations

A new window appears. Enter in the new password in the New Password fields.

Click OK.

Set or change the password recovery question
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Accounts, locate Crypto Officer Password Recovery Parameters. Click Set/Change Password
Recovery Question.

A new window appears.

Complete the following fields:
a. Password Recovery Question: Enter a question to which only you know the answer.
b. Password Recovery Answer: Enter the answer to the question entered above.

Click OK.

Set or change user account password
Operations

IMPORTANT: If this is the first time setting the User password, you must be logged in as the
Crypto Officer.
The User account is disabled by default until the Crypto Officer sets the User account password for the first
time.
To set or change the User account password:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Accounts, locate User Password. Click Set/Change User Password.

A new window appears. Enter and re-enter the new password in the New Password fields.

Click OK.

Set or change the controller password
A controller password enables all encrypted volumes on the controller to be offline at startup until the
controller password is entered.
The "Set/Change Password" action enables the controller password feature and sets the initial password.
After a password is set, re-executing this action replaces the existing controller password with a new one.
This procedure can only be performed by the Crypto Officer. The controller password cannot be changed
while the controller password feature is suspended or while the controller is locked. However, the controller
password can be removed by the Crypto Officer and later reset.
To set or change the controller password:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Operations

Under Settings, locate Controller Password. Click Set/Change Controller Password.

A new window appears. Enter and re-enter the new password in the New Password fields.

Click OK.

Suspending the controller password
The controller does not prompt for a password at system startup if the controller password is suspended. If
suspended, the controller password feature can be resumed without requiring a password reset.
To suspend the controller password:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Operations

Under Settings, locate Controller Password. Click Suspend Controller Password.

A new window appears, asking if you want to suspend the controller password. Click Yes to continue.

Resuming the controller password
Resuming a suspended controller password re-enables password prompts at system startup.
To resume the controller password:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Settings, locate Controller Password. Click Resume Controller Password.

A new window appears, asking if you want to resume the controller password. Click Yes to continue.

Operations

Working with keys
Changing the Master Encryption Key
IMPORTANT: HP recommends that you keep a record of the Master Encryption Keys when
encryption is configured in Local Mode. The local Master Encryption Key is not displayed by any
available tool or firmware because it is considered a cryptographic secret by FIPS 140-2. HP
Secure Encryption design follows the NIST architecture requirements and does not allow HP to
assist in the recovery of a lost Master Encryption Key.

To change the Master Encryption Key:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Settings, locate Master Key. Click Change Master Key.

A new window appears. Enter the new Master Key in the field provided. The Master Key name must be
between 8 and 64 characters.

Click OK.

Rekeying the Drive Encryption Keys
This procedure creates a new set of Drive Keys used for encrypting the volume keys on the controller. This task
is available to all roles in the system.
To rekey the Drive Keys:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Operations

Under Settings, locate Encrypted Physical Drive Count. Click Drive Key Rekey.

A prompt appears, indicating new Drive Encryption Keys will be created for all physical drives. Click
OK to continue.

Rescanning keys
In Remote Mode, this procedure signals the controller to retrieve all encryption keys from the HP ESKM. This
procedure resolves potentially locked volumes that could have been locked as a result of failure to initially
retrieve the associated keys.
To rescan keys:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Utilities, click Rescan Encryption Keys.

A new window appears, indicating HP iLO will retrieve keys from the HP ESKM. Click OK to continue.

Creating a plaintext volume
IMPORTANT: The controller only allows the creation of new plaintext volumes if it has been
configured to do so by the Crypto Officer. Refer to the Encryption Manager screen to determine
if plaintext volume creation is enabled on the controller.
To create a plaintext volume:
1.

Start HP SSA. For more information, see the HP Smart Storage Administrator User Guide.

Operations

Under Controller Devices, click on Unassigned Drives.

Select drives.

Operations

Click Create Array. A new window appears.

Complete the following fields:
a. Create Plaintext Volume: Select Yes.
b. My Account: Select the account to log in with.
c.

Password: Enter the account password.

Complete remaining fields as necessary.

Click Create Logical Drive.

Operations

Array Details, Logical Drives, Physical Drives and Device Path specifications appear. Click Finish to
complete.

Converting plaintext volumes into encrypted volumes
NOTE: The controller must read and rewrite the entire volume in order to complete the
conversion process. Conversion may take some time to complete, especially if there is competing
drive activity from the host system.
To convert plaintext volumes into encrypted volumes:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Controller Devices, click Arrays.

Select the plaintext volume.

Operations

Under Actions, click Convert Plaintext Data to Encrypted Data.

A new window appears.

Select one of the following:
a. To preserve existing data, select Yes.
b. To discard existing data, select No. If selected, a warning prompt appears after clicking OK,

confirming your selection. Click OK to continue past the warning.
7.

Click OK. A new window appears, listing the Logical Drive Details, Logical Drive Acceleration Method,
and Device Path details.

Click Finish.

Changing key management modes
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Operations

Under Settings, locate Key Management Mode. Click Change.

A new window appears with the key management mode selected. Enter the Master Key in the field
provided. The Master Key name must be between 10 and 64 characters.

Click OK.

A warning appears, prompting the user to record the Master Key. Click Yes to continue.

Enabling/disabling plaintext volumes
IMPORTANT: Plaintext volumes are unencrypted. The option of allowing or disabling the
creation of plaintext volumes depends on the following:
• The type of data to be stored on the plaintext volume
• The level of security you want or need in the system
HP recommends that you do not enable this option for systems requiring high security or
containing highly sensitive data.
To change plaintext volumes permissions after initial configuration:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Operations

Under Settings, locate Allow New Plaintext Volumes.

Do one of the following:
a. If encryption is disabled, click Allow Plaintext Volumes.
b. If encryption is enabled, click Disallow Plaintext Volumes.

A prompt appears, asking you to confirm the change. Click Yes to continue.

Enabling/disabling the firmware lock
The firmware lock prevents the updating of firmware on the controller and is disabled by default. For security
purposes, HP recommends enabling the firmware lock function.
To change the firmware lock setting:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Settings, locate Firmware Locked for Update.

Do one of the following:
a. If unlocked, click Lock Firmware.
b. If locked, click Unlock Firmware.

Operations

A prompt appears, asking you to confirm the change. Click Yes to proceed.

Enabling/disabling local key cache
1.

Open HP Encryption Manager ("Opening Encryption Manager" on page 33).

Under Settings, locate Local Key Cache Enabled. Click Set/Change Local Key Cache.

Do one of the following:

To disable, select No.

To enable, select Yes. If you select Yes, two new fields appear.

Complete the following fields:
IMPORTANT: HP recommends using the default settings, which will disable checking for the
presence of the HP ESKM prior to booting. Only change these values if there is a concern that an
unintended individual might remove the server from the environment. After repeated failures to
locate the HP ESKM, the local key cache is deleted prior to boot if the number of access attempts
is set to any value other than zero. All volumes remain locked until the HP ESKM is reached and
retrieves the required keys.

Operations

Number of Access Attempts Before Deleting Local Key Cache

Retry Interval in Minutes

Click OK.

Importing drive sets in Local Key Management Mode
When the Master Encryption Key on an imported drive set is different from the Master Encryption Key on the
receiving HP Smart Array Controller, the importing volumes remain offline until user intervention is taken. HP
SSA can be used to supply the Master Key name for the importing drives.
In Remote Key Management Mode, drives automatically import when the associated key is present on the HP
ESKM. If keys are unable to be retrieved but are confirmed to be on the HP ESKM, it is possible they are
assigned to a different group.

Importing drives with different Master Keys
Migrating drives to a non-encrypted controller results in the logical volumes associated with those drives
remaining offline until encryption is enabled with the proper Master Encryption Key settings and mode for
that volume.
If non-encrypted drives are migrated to an encrypting controller, the controller automatically brings the
logical volumes associated with those physical drives online and makes them available for use.
To import drives with a different Master Key into a controller when using Local Key Management Mode:
1.

Power down the server. For more information, see the documentation that ships with the server.

Attach drives. For more information, see the documentation that ships with the drives.

Power up the server. For more information, see the documentation that ships with the server.

Start HP SSA. For more information, see the HP Smart Storage Administrator User Guide.

Under Array Controller(s), click the controller assigned to the new drives. Red alert message indicators
will appear next to it.

Under Actions, click Configure.

From the side menu, click Encryption Manager.

Under Utilities, click Import Foreign Local Key.

Operations

10.

A new screen appears. Enter the new Master Encryption Key name assigned to the drives being
imported in the Master Key field.

11.

Click OK.

The drives will be incorporated, unlocked, and assigned the Master Encryption Key of the receiving
controller.

Operations

Maintenance
Controllers
Clearing the controller
To clear all logical drives and arrays on controllers:
1.

Start HP SSA. For more information, see the HP Smart Storage Administrator User Guide.

Select the controller to be cleared.

Under Actions, click Clear Configuration.

A new window appears, confirming your request to clear the controller's configuration. To continue,
click Clear.

A new window appears, displaying controller settings and configuration. To continue, click Finish.

Replacing an encrypted controller
If some or all of the drives managed by the controller being replaced are encrypted, you must re-configure the
replacement controller with the same settings and key management mode you used for the controller you are
replacing. For more information, see the documentation that ships with the controller.
In Local Key Management Mode, you must provide the correct Master Key name that matches the one used
for the attached drives.
In Remote Key Management Mode, any valid Master key name will work, since the Master key names are
part of the drive configuration information stored on each drive.

Replacing a server while retaining the controller
If you retain the same controller and physical disks, then there are no encryption-related tasks to complete.
If Remote Key Management Mode is in use, the previous HP iLO configuration for key management must be
applied to the new server.
For more information on configuring HP iLO, see "Configuring HP iLO (on page 28)."
For more information on locating the group name, see "Locating groups associated with a drive (on page
52)."

Preconfiguring replacement components
It is possible to configure replacement controllers ahead of time for encryption. After installing the HP Smart
Array Controller, enable encryption on the controller. For more information, see "Configuration (on page
15)."
After the server is powered down, the controller can be physically removed and set aside for later use.

Maintenance

Flashing firmware
If the firmware lock function is enabled, the firmware lock on the controller must be unlocked before
attempting to flash the controller. To disable the firmware lock function, see "Enabling/disabling the
firmware lock (on page 46)."

Drives
Replacing a physical drive
No HP Secure Encryption-related steps are associated with this procedure. To replace a drive, see the server
maintenance and service guide.

Validating the number of encrypted drives for license compliance
Encryption Manager
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Locate Encrypted Physical Drive Count, under Settings. The number to the right of this setting indicates
the number of encrypted physical drives.

Repeat for every controller with HP Secure Encryption enabled.

HP ESKM
Because all Drive Encryption Key names begin the same character sequence, run a query with the Choose
Key Name field filtered by Key Name and containing "HP_HDD" and "HP_SSD". For more information, see
"Running queries (on page 57)."

Maintenance

Groups
Locating groups associated with a drive
Use one of the following methods to locate the group name associated with a drive.

•

Query by drive serial number (on page 52)

•

Query by previous server name (on page 54)

Query by drive serial number
1.

Click the Security tab.

Under Keys, click Query Keys.

Maintenance

The Key Policy and Configuration screen appears.

If you want to save this query, enter a name in the Query Name field.

Under Choose Keys Where, do the following:
a. Field 1: Select Key Name from the drop down menu.
b. Field 2: Select Contains from the drop down menu.
c.

Field 3: Enter the serial number of one of the drives in the server.

If you assigned a name to this query, click Save and Run Query. Otherwise, click Run Query without
Saving.

Click on the key. A new screen appears, listing the Key Properties.

Click Permissions to view the group name.

Maintenance

Query by previous server name
1.

Click the Security tab.

Under Keys, click Query Keys.

Maintenance

The Key Policy and Configuration screen appears.

If you want to save this query, enter a name in the Query Name field.

Under Choose Keys Where, do the following:
a. Field 1: Select Custom: Server_Name from the drop down menu.
b. Field 2: Select Equals from the drop down menu.
c.

Field 3: Enter the previous server name associated with the drive.

If you assigned a name to this query, click Save and Run Query. Otherwise, click Run Query without
Saving.

Click on the key. A new screen appears, listing the Key Properties.

Maintenance

Click the Permissions tab to view the group name.

Displaying log information
The event log displays events for all controllers in the system and does not differentiate between events
produced by different controllers.
When operating HP Secure Encryption in Remote Mode, you can access the HP ESKM events log for
information on key retrieval and exchange, including the following:

•

Connection status

•

Master Key retrieval

•

Drive Key retrieval

•

Drive Key save requests

•

Drive Key deletion

To view the event log:
1.

Maintenance

From the left side panel, expand the Administration menu.

Click Key Manager. The Enterprise Secure Key Manager Events appears at the bottom of the screen.

Navigating away from the page and returning or clicking Test ESKM Connections refreshes the list of events.

Running queries
To run a query:
1.

Click the Security tab.

Maintenance

From the left side panel, expand the Keys menu and click Query Keys.

Maintenance

A new screen appears.

Under Create Query, complete the following:
a. If you want to save the query for future use, fill in the following fields:

— Query Name
— Description
b. In the Choose Keys Where field, structure queries that combine any or all of the following criteria:

— Key Name
— Owner
— Group Name
— Algorithm
— Creation Date
— Latest Key Version Date
— Any Key Version Date
— Versioned Key
— Not Versioned Key
— Exportable
— Not Exportable
— Deletable
— Not Deletable
— Access Time
— Controller identification criteria
— Custom criteria
c.

Structure the report by displaying the following columns:

— Key Name
— Owner
Maintenance

— Exportable
— Deletable
— Algorithm
— Creation Date
— Versioned Key
— Custom attributes
d. When you have finished structuring the query, click one of the following buttons:

— Save and Run Query
— Save Query
— Run Query without saving
The report appears with the selected criteria.

Maintenance

Troubleshooting
Common issues
Lost or forgotten Crypto Officer password
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Accounts, locate Crypto Officer Password. Click Recover Crypto Officer Password.

A new window appears.

Do the following:
a. Answer the security question in the Password Recovery Answer field.
b. Enter and then re-enter a new password in the New Password fields.

Click OK.

Lost or forgotten controller password
The controller password is used to protect data in the event of a storage system theft. Once enabled, the
controller will not unlock encrypted volumes until the correct controller password has been provided. If the
controller password is lost or forgotten, the controller will remain locked and all encrypted volumes will be
offline and inaccessible.

Troubleshooting

If the OS logical drive is encrypted, offline HP SSA will be required to perform the steps below. For more
information, see the HP Smart Storage Administrator User Guide.
To clear the controller password:
1.

Open Encryption Manager ("Opening Encryption Manager" on page 33).

Under Settings, locate Controller Password. Click Remove Controller Password.

A window appears, asking you to confirm that you want to remove the controller password. Click Yes.

Volumes appear online and are available.

Lost or forgotten Master Key
IMPORTANT: HP strongly recommends storing a backup of the Master Encryption Key in a
secure location. In some instances it is possible that a missing key will render your data
inaccessible. If operating HP Secure Encryption in Remote Key Management Mode, HP strongly
recommends that you back up the ESKM regularly.

Local mode
If operating HP Secure Encryption in Local Mode, securing the Master Encryption Key value is critical to
accessing the encrypted logical drive data. If the controller requires replacement or if the physical drives are
moved to another controller, a matching Master Key is required to gain access to the data. Master Keys are
not recoverable if lost. If the Master Key is lost or forgotten, you must perform a data restore operation from
the backup media to regain access to the data.

Remote mode
Locating the key using the HP ESKM
To locate a lost or forgotten Master Encryption Key using the HP ESKM:
1.

Troubleshooting

Click the Security tab.

From the left side panel, expand the Keys menu and click Keys.

The Key and Policy Configuration page displays a list of all keys. Scroll through the list to locate the
Master Key.

If you remember specific attributes about the Master Key, run a key query ("Running queries" on page
57).

If you cannot locate the Master Key name, it may have been accidentally deleted from the HP ESKM. You
may be able to locate the key by using an HP ESKM backup.

Locating the key using iLO
HP iLO utilizes an event log listing recent key activity. If the lost or forgotten key was recently modified, it
might appear in the event log.
To locate a lost or forgotten Master Encryption Key using HP iLO:
1.

Troubleshooting

From the left side panel, expand the Administration menu.

Click Key Manager. The Enterprise Secure Key Manager Events appears at the bottom of the screen.
Review the event log for the missing key.

Forgotten which Master key goes with which drive
Recovery of the Master Encryption Key name corresponding to a specific set of drives is possible when
operating HP Secure Encryption in Remote Key Management Mode.
To recover the Master Encryption Key name:
1.

Troubleshooting

Run a key query with the following search parameters ("Running queries" on page 57):
a. Choose Keys Where drop down menu: select Custom: Server_Name. Two new fields appear.
b. In the second drop down menu, select Equals.
c.

In the third field, enter the name of the server to be associated with the Master Encryption Key.

d. Under Custom Attributes, select Master_Key.

Logical drives remain offline
If cryptographic information is missing, logical drives remain offline after system start. General causes
include a missing, incorrect, or inaccessible key. Restoring the cryptographic information to match the
attached drives results in the appropriate access to the logical drive.
Possible causes

•

Encryption is not enabled.

•

The matching Master Encryption Key is missing or incorrect.

•

The controller password was enabled but is not entered or is incorrect.

Possible causes (Remote Mode only)

•

Network connectivity issues are occurring between HP iLO and the HP ESKM.

•

HP iLO is not configured properly.

•

The Drive Keys are missing from the HP ESKM.

•

The Drive Encryption Keys and HP iLO groups are mismatched.

To view a diagnostic report, see the HP Smart Storage Administrator User Guide.

Master key not exporting
This issue occurs only in Remote Key Management Mode. The problem appears as either a locked controller
or as locked volumes.
Possible causes

•

A network problem prevents key retrieval from the HP ESKM.

•

Lost or incorrect HP iLO configuration

•

Missing or incorrectly configured Master Encryption Key

Possible Resolutions

•

Troubleshoot the network connection between HP iLO and the HP ESKM. For more information, see
"Testing the connection between HP iLO and the HP ESKM (on page 66)."

•

Ensure the Master Encryption Key exists. For more information, see "Locate the key using the HP ESKM
("Locating the key using the HP ESKM" on page 62)."

•

Ensure the Master Encryption Key is in the correct group. If the Master Key is incorrectly assigned, see
"Placing a key in a group (on page 25)."

Troubleshooting

Testing the connection between HP iLO and the HP
ESKM
HP iLO connects and manages key exchanges between the controller and HP ESKM. If you suspect HP iLO
has lost its connection to the HP ESKM, you can test the connection in HP iLO.
To test the connection between HP iLO and the HP ESKM:
1.

Log into HP iLO using your server's credentials.

From the left side panel, expand the Administration menu and then click Key Manager.

Troubleshooting

The following screen appears.

Under Key Manager Configuration, click Test ESKM Connections:
o

If HP iLO is connected to the HP ESKM, a green checkmark appears indicating the key managers
are accessible.

If the connection has been lost, you will need to re-configure HP iLO to communicate with the HP
ESKM. For more information, see "Connecting HP iLO to HP ESKM (on page 29)."

Potential errors encountered
The following table describes errors that might be encountered when configuring or operating HP Secure
Encryption.

Troubleshooting

Error

Description

Slot X Encryption Failure –
Communication issue prevents
drive keys from being
retrieved. Encrypted logical
drives are offline. System may
not boot.
Slot X Encryption Failure –
Incorrect or missing Master
Key on Remote key manager Master Encryption Key is
incorrect or not retrieved from
HP ESKM. Encrypted logical
drives may be offline. System
may not boot.
Invalid
Drive Encryption Keys
Volume Key decryption failure
on HP ESKM. Encrypted logical
drives may be offline. System
may not boot.
Communication issue prevents
Unable to establish
communication with controller keys from being retrieved.
Dependent encrypted logical
drives are offline. System may
not boot.
Imported encrypted logical
Missing local Master Key
drives are offline; the matching
local Master Encryption Key is
required. System may not boot.
All encrypted local drives are
Controller password failure
offline due to failure to enter
proper controller password.
Remote key manager
communication failure

Action
To troubleshoot, see the Key Manager page in
HP iLO interface.

Correct the problem on the HP ESKM.

Restore the correct version of the Drive
Encryption Key on the HP ESKM.

Reset the controller by rebooting the server.

Use HP Smart Storage Administrator to enter the
local Master Encryption Key.

Reboot the server and enter the proper
controller password, or unlock the controller
using HP Smart Storage Administrator.

Encrypted logical drives are
present but encryption is not yet
enabled. Encrypted logical
drives are offline.
Encryption parameters not set Encryption is enabled for the
controller but the Master
Encryption Key name is not set.
Key
management mode
Controller/logical drive
mismatch
between controller
encryption type mismatch
and drives. Dependent
encrypted drives offline.

Use HP Smart Storage Administrator to enable
encryption.

Unsupported system ROM
detected. Encrypted logical
drives may be offline. System
may not boot.
Encrypted logical drives are
offline. Encryption feature is
not available on this controller.
Unsupported HP iLO firmware
detected. Encrypted drive may
be offline. System may not
boot.

Update the system ROM to a version supporting
encryption.

Controller encryption not
enabled

Encryption failure unsupported system ROM
detected
Encrypted logical drives on
non-encrypting controller
Encryption failure unsupported iLO firmware
detected

Use Encryption Manager to set the Master Key
name for the controller and reboot.
Use Encryption Manager to match key
management modes. For more information, see
"Importing drives with different Master Keys (on
page 48)".

Move drives to a controller with encryption
support or delete the logical drives.
Update HP iLO firmware to a version supporting
encryption.

Troubleshooting

Error

Description

Action

NVRAM failure

Non-volatile storage corrupted.
Critical Security Parameters
erased per policy. Encrypted
drives are offline.
Encryption engine hardware
failure. Encrypted logical
drives are offline until the
problem is corrected.
While logged into the system,
you are unable to create a
plaintext volume.

Use HP Smart Storage Administrator to
reestablish CSPs.

Encryption engine self-test
failure

Unable to create a plaintext
volume

Replace the controller to bring encrypted drives
online.

Verify that Encryption Manager has been set to
allow the creation of future plaintext volumes.

Clearing the encryption configuration
IMPORTANT: Clearing all encryption settings clears all secrets, keys, and passwords from the
controller. HP Secure Encryption will be returned to a factory-new state.
To clear all encryption settings:
1.

Clear the controller ("Clearing the controller" on page 50).
IMPORTANT: Clearing the controller is not necessary if there are no encrypted drives present or
if HP Smart Storage Administrator is operating in an offline mode.

Under Utilities, click Clear Encryption Configuration.

A prompt appears, indicating all encryption settings will be cleared from the controller. To continue,
click Clear.

Troubleshooting

Support and other resources
Before you contact HP
Be sure to have the following information available before you call HP:

•

Active Health System log (HP ProLiant Gen8 or later products)
Download and have available an Active Health System log for 3 days before the failure was detected.
For more information, see the HP iLO 4 User Guide or HP Intelligent Provisioning User Guide on the HP
website (http://www.hp.com/go/ilo/docs).

•

Onboard Administrator SHOW ALL report (for HP BladeSystem products only)
For more information on obtaining the Onboard Administrator SHOW ALL report, see the HP website
(http://www.hp.com/go/OAlog).

•

Technical support registration number (if applicable)

•

Product serial number

•

Product model name and number

•

Product identification number

•

Applicable error messages

•

Add-on boards or hardware

•

Third-party hardware or software

•

Operating system type and revision level

HP contact information
For United States and worldwide contact information, see the Contact HP website
(http://www.hp.com/go/assistance).
In the United States:

•

To contact HP by phone, call 1-800-334-5144. For continuous quality improvement, calls may be
recorded or monitored.

•

If you have purchased a Care Pack (service upgrade), see the Support & Drivers website
(http://www8.hp.com/us/en/support-drivers.html). If the problem cannot be resolved at the website,
call 1-800-633-3600. For more information about Care Packs, see the HP website
(http://pro-aq-sama.houston.hp.com/services/cache/10950-0-0-225-121.html).

Support and other resources

Appendix
Encryption algorithms
In keeping with the encryption standards outlined in FIPS 140-2
(http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf), controllers utilizing HP
Secure Encryption are designed to meet FIPS-140-2 Level 2 requirements by implementing both physical
security and cryptographic methods in protecting data-at-rest. Specifically, HP Secure Encryption satisfies the
cryptographic requirements established in FIPS 140-2 by using NIST-approved algorithms in protecting both
data and encryption keys. For more information, see the Cryptographic Algorithm Validation Program
website (http://csrc.nist.gov/groups/STM/cavp/standards.html).
Algorithm

Description

XTS-AES 256-bit

The XTS algorithm is used to encrypt data on the drive platter as described in NIST
special publication SP 800-38E.

AES-ECB

The AES algorithm is used to perform symmetric key encryption.

SHA-256

The SHA secure hashing algorithms are described in FIPS 180-4.

HMAC

The HMAC algorithm is described in the FIPS 198-1 standard.

PBKDF2

The PBKDF2 algorithm derives cryptographic keying material from user-provided
passwords. The algorithm is described in NIST special publication SP 800-132.

DRBG

An implementation of the SP800-90A algorithm is used to produce random bit
sequences.

Appendix 71

Glossary
ACU
Array Configuration Utility

Controller key
A key created by the controller and permanently saved to the Remote Key Manager after being wrapped by
the Master Encryption Key. This key is used on a temporary basis to alleviate potential bottlenecks to the
Remote Key Manager during volume creation/change events. Use of a Controller Key is on a temporary
basis only and is ultimately transitioned via a rekey operation to the appropriate Drive Encryption Key.

Controller-secured region
The section of a device where data and Critical Security Parameters can exist in an unencrypted format. This
boundary must be secured against tampering as acquiring this sensitive data may result in unauthorized
access to data.

Critical Security Parameters (CSPs)
An industry standard term referring to security related information such as keys, passwords, and so forth,
whose disclosure would compromise an encrypted system.

Crypto officer
Personnel who have permission to access the full range of encryption functions available on the controller.
This includes turning encryption on and off, resetting keys, importing Master Encryption Keys, and so forth.

Drive array
The group of physical drives containing a logical volume.

Drive encryption key
Key generated by the Smart Array controller for each physical drive that contains at least one encrypted
logical drive. The Drive Encryption Key for each physical drive is used to encrypt (wrap) the Volume
Encryption Keys for all of the logical drives resident on that physical drive.

Drive key caching
In Remote mode, the Drive Encryption Keys are typically stored on the Remote Key Manager. However, it is
possible to enable the controller to cache all of these Drive Encryption Keys necessary to decrypt attached
logical drives within the controller-secured region. This option is available to the user through HP SSA.

Encrypted data
Data that has been encrypted through the use of an encryption key.

Glossary

ESKM
Enterprise Secure Key Manager

FIPS
Federal Information Processing Standard

HIPAA
Health Insurance Portability and Accountability Act

HITECH
Health Information Technology for Economic and Clinical Health

HP SSA
HP Smart Storage Administrator

iLO 4
Integrated Lights-Out 4

Local Master Encryption Key
The equivalent of a Master Encryption Key in Local mode. The Local Master Encryption Key name is stored
in non-volatile memory within the controller-secured region and used to generate a Local Master Encryption
Key for wrapping the Drive Encryption Keys.

Master Encryption Key
A two-part key established on the Remote Key Manager. This key consists of both a name and a value. The
name consists of a maximum of 64 characters and is used to uniquely identify this key to all controllers within
a given Security Domain. The Master Encryption Key value is a 256-bit quantity used by controllers to wrap
Drive Encryption and Controller Keys for secure storage on the controller and import into the Remote Key
Manager.

NIST
National Institute of Standards and Technology

NVRAM
nonvolatile memory

PCI-DSS
Payment Card Industry Data Security Standard

Plaintext
Data in unencrypted form.

Glossary

Remote Key Manager
A server used to store, backup and retrieve keys for a group of controllers in a data center.

Volume encryption key
The key used in conjunction with hardware-based algorithms to perform the encryption of data resident on
logical volumes.

Glossary

Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the documentation,
send any errors, suggestions, or comments to Documentation Feedback (mailto:docsfeedback@hp.com).
Include the document title and part number, version number, or the URL when submitting your feedback.

Documentation feedback 75

Index
A

access 33
algorithms, supported 71
Array Configuration Utility (ACU) 9

factory defaults, resetting 69
features, overview 6
features, standard 6
firmware 46, 51
firmware lock 46
firmware update 46

B
backing up data 13
before you contact HP 70
benefits 6

C
common problems 61
components 9
configuration 13, 15, 17, 28
configuration overview 17
configuration, troubleshooting 69
configuring the ESKM 18
connection problems 66
connection status 66
contacting HP 70
controller 10, 11, 15, 31, 36, 37, 38, 50, 61, 65
controller configuration 15, 31, 50
controller, replacing 50
crypto officer 34, 61
customer self repair (CSR) 70

D
deployment scenarios 14
drive 48, 51, 64
drives, encrypted 51
drives, removing 51

E
encryption 5, 6, 13, 43, 71
error messages 67
errors 61, 67
ESKM 11, 14, 17, 18, 20, 21, 24, 25, 48, 51, 52,
57, 62, 64, 65, 66
ESKM, configuring 18, 29

G
groups 14, 20, 21, 25, 48, 52
groups, adding 20
groups, managing 21, 27, 52
GUI tasks 33
GUI, accessing 33
GUI, logging on 33

H
HP
HP
HP
HP

contact information 70
Smart Storage Administrator (HP SSA) 9, 33
SSA (HP Smart Storage Administrator) 9, 33
website 70

I
iLO (Integrated Lights-Out) 10, 17, 28, 29, 56, 63,
66
iLO, event log 56, 63
implementation 13
importing drives 48

K
key manager 11, 18, 52, 57, 62, 65
keys 24, 25, 27, 39, 62, 63
keys, creating 24, 39
keys, deleting 39
keys, managing 39, 40, 56, 62, 64, 65

L
license 12, 51
license, iLO 12
Local Key Management Mode 15, 62

Index 76

log information, displaying 56
logging in 18, 33
logical drive 65
logical drive, troubleshooting 65

T
technical support 70
telephone numbers 70
troubleshooting 61

maintenance 50
Master key 24, 25, 27, 39, 48, 62, 64, 65
minimum requirements 10

user account, adding 18
user account, modifying 21, 34, 35

operations 33
overview 5

volume 40, 43, 45

website, HP 70

password recovery, administrator 35, 61
password, changing 34, 35, 36
passwords 34, 35, 36, 37, 38, 61
phone numbers 70
plaintext volume 40, 43, 45
preconfiguring replacement components 50
preparation procedures 33
product overview 5, 6

Q
queries, executing 25, 52, 54, 57, 62, 64

R
Remote Key Management Mode 15, 17, 31, 62
replacement components, preconfiguring 50
replacing the controller 50

S
Secure Encryption 5, 6
security domain 14
security settings 13
server, replacing 50
settings 13
settings, password 13
setup 13
Smart Array 11
Smart Array options 11
SmartCache 10
support and other resources 70
supported servers 9, 61

Index 77

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : Yes
Page Count                      : 77
Page Mode                       : UseOutlines
Page Layout                     : SinglePage
XMP Toolkit                     : XMP toolkit 2.9.1-13, framework 1.6
About                           : uuid:eed7ecaf-e96f-4bdc-b3d2-8a160587efd2
Producer                        : Adobe PDF Library 9.0
Keywords                        : 759078-002
Source Modified                 : D:20140801163953
Company                         : AuthorIT Software Corporation Ltd.
Comments                        : Copyright © 1996-2002 AuthorIT Software Corporation Ltd., all rights reserved.
Modify Date                     : 2014:08:01 22:52:58+05:30
Create Date                     : 2014:08:01 22:10:02+05:30
Metadata Date                   : 2014:08:01 22:52:58+05:30
Creator Tool                    : Acrobat PDFMaker 9.0 for Word
Document ID                     : uuid:bf0f09d9-ec11-4689-8451-58a5b4290470
Instance ID                     : uuid:0b468961-2bfd-4f01-a8e6-0a44d3fcea13
Subject                         : 10
Format                          : application/pdf
Title                           : HP Secure Encryption Installation and User Guide
Creator                         : Hewlett-Packard Company
Author                          : Hewlett-Packard Company

EXIF Metadata provided by EXIF.tools

Hp Secure Encryption Users Manual Installation And User Guide

Navigation menu

Versions of this User Manual:

Views

Navigation