Encryption and Key Management

Managing Encryption

This tab shows the status and options relating to Self-Encrypting Drives (SEDs) and the Key Manager used for individual dataset encryption. Note that SED management requires a valid TCG license.

For the Drives you can view which drives are SED capable. The boot pool is typically not SED capable or enabled.

SED Pool Status Meanings

- Not encrypted
- FIPS AES-256 encrypted
- FIPS AES-256 encrypted (data only) – Cache drives aren’t SED
- FIPS AES-256 encrypted (partial) – Some data drives aren’t SED
- FIPS AES-256 encrypted (partial enrolled) – Some drives have not been enrolled but are SED Capable

Drive Encryption Related Buttons

- Verify Keys – Checks that the node has access to all the appropriate data drive unlock keys through the configured key manager.
- Rekey – Changes the data drive unlock key for the data drives by requesting a new key from the key manager and applying it to the SED drive.
- Export SED Keys – Exports SED keys to a password protected file that will be saved to the machine running BrickStor SP Manager. This feature must be enabled in the secured service configuration.
- Unenroll – Unenroll takes the drive out of the FIPS compliant configuration, sets the drive not to auto lock when power is removed and sets the data drive lock key back to a known default. This feature must be enabled in the secured service configuration. This can be used if you want to transfer the disk to another system without having to share the key. However, the drive will not be protected in transit. It is also a safe way to change from one key manager to another and not have to worry about managing keys through the transition.
- Config Advanced – This is only for modifying how often the secured service is performing low level functions.

Key Manager Buttons

- Export All Encryption Keys – Exports SED and dataset keys to a password protected file that will be saved to the machine running the BrickStor SP Manager interface.
- Import Encryption Keys – Imports keys from a password protected file created by BrickStor SP Manager.

Encryption Best Practices

For Users with the Local Key Manager

- Regularly export the keys from the local key manager and save them in a safe controlled location off the BrickStor.
- In an HA cluster export and import the keys from both nodes to the other node and then export the keys from one node for backup. This should be done any time new encrypted datasets are created.
- Import dataset keys to remote systems that are replication targets for fast recovery.
- Do not enable automatic key rotation.
- Enable key import and key export.
- Do not enable crypto-erase unless this is something you will need to do as part of regular operations.
- Do not enable unenroll drives so that nobody except an admin who modifies the config first can allow that operation.
- Periodically review the drive status report and the dataset encryption report.
- Manually perform a rekey based on organizational policies for encryption key rotation.
- Test recovery of files on the replication target to verify access to data during a non-critical time.

For Users with an External Key Manager

- Verify your external key manager has appropriate backups and COOP plans.
- Enable automatic key rotation.
- Determine if you want to enable key export based on your security posture and if you need them for COOP planning.
- Do not enable crypto-erase unless this is something you will need to do as part of regular operations.
- Verify replication targets can access appropriate dataset encryption keys on the key manager or export them and import them to the replication target's key manager.
- Do not enable unenroll drives so that nobody except an admin who modifies the config first can allow that operation.
- Periodically review the drive status report and the dataset encryption report.
- Test recovery of files on the replication target to verify access to data during a non-critical time.