Encryption Key Management
file:///T|/htdocs/stor-sys/ML6000/en/html/ch04_ekm.htm[9/17/2012 1:49:43 PM]
EKM server. This way, if the primary server is unavailable at the time the library needs encryption information, the
secondary server can handle the request. The Dell PowerVault ML6000 library allows you to configure up to two EKM
servers for redundancy/failover purposes.
Step 4: Configure Encryption Settings and Key Server Addresses
Make sure you complete Steps 1 through 3 above before proceeding.
Note: You cannot edit the encryption system configuration settings when any partition is enabled for library managed
encryption. If this happens, go to Setup > Encryption > Partition Configuration, change all Dell EKM partition
settings from Library Managed to Application Managed. Then make your changes to the system configuration
settings. Finally, go back and change all the Dell EKM partition settings to Library Managed.
1 Unload tape cartridges from all encryption-capable tape drives in the library.
2 From the Web client, select Setup > Encryption > System Configuration.
3 Automatic EKM Path Diagnostics: Enable or disable this feature and set the test interval as desired. You may also
specify the number of consecutive missed test intervals required to generate a RAS ticket. For more information, see
Using Automatic EKM Path Diagnostics).
4 Secure Sockets Layer (SSL): To enable SSL for communication between the library and the EKM key servers, select
the SSL Connection checkbox. This feature is disabled by default. If you enable SSL, you must make sure that the
Primary and Secondary Key Server Port Numbers (see below) match the SSL port numbers set on the EKM key
servers. The default SSL port number is 443.
Note: Keys are always encrypted before being sent from the EKM key server to a tape drive, whether SSL is
enabled or not. Enabling SSL provides additional security.
5 In the Primary Key Server IP Address or Host text box, enter either:
• The IP address of the primary key server (if DNS is not enabled), or
• The host name of the primary key server (if DNS is enabled).
6 Enter the port number for the primary key server into the Primary Key Server Port Number text box. The default
port number is 3801 unless SSL is enabled. If SSL is enabled, the default port number is 443.
Note: If you change the port number setting on the library, you must also change the port number on the key
server to match or EKM will not work properly.
7 If you are using a secondary key server for failover purposes, enter the IP address or host name of the secondary key
server into the Secondary Key Server IP Address or Host text box.
Note: If you do not plan to use a secondary key server, you may type a zero IP address, 0.0.0.0, in the
Secondary Key Server IP Address or Host text box, or you may leave the text box blank.
8 If you configured a secondary key server (previous step), enter the port number for the secondary key server into the
Secondary Key Server Port Number text box. The default port number is 3801 unless SSL is enabled. If SSL is
enabled, the default port number is 443.
Note: If you are using a secondary key server, then the port numbers for both the primary and secondary key
servers must be set to the same value. If they are not, synchronization and failover will not occur.
9 Click Apply.
Step 5: Configure Partition Encryption
Encryption on the Dell PowerVault ML6000 tape library is enabled by partition only. You cannot select individual tape drives for
encryption; you must select an entire partition to be encrypted.
If you enable a partition for library managed encryption, all library managed encryption-supported tape drives in that partition
are enabled for encryption, and all data written to supported media in the partition is encrypted. Any tape drives not
supported by library managed encryption in that partition are not enabled for encryption, and data written to non-supported
media is not encrypted.
Data written to encryption-supported and encryption-capable media in EKM-supported tape drives will be encrypted unless
data was previously written to the media in a non-encrypted format. In order for data to be encrypted, the media must be
To Next Page
Loading...
