As an alternative, use the CLI command uemcli -u<username> -p<password>
-download encryption -type backupKeys to back up the keystore file to a
location that is external to the system where the keystore can be kept safe and
secret. See the Unisphere Command Line Interface User Guide for detailed
information about this CLI command.
Data at Rest Encryption audit logging
The D@RE feature provides a separate auditing function that supports logging of the
following keystore operations:
• Feature activation
• Key creation
• Key destroy
• Keystore backup
• Disk encryption completed
• SLIC addition
The audit log for keystore operations is stored in the private space on the system. To
download either the entire audit log and checksum information or the information for a
specific year and month, select Settings > Management > Encryption and, under
Manage Encryption > Audit Log, select Download Audit Log & Chksum. To
download a newly generated checksum file for the audit log file that was retrieved at
an earlier time, select Settings > Management > Encryption and, under Manage
Encryption > Audit Log, select Download Chksum. The filename that you supply
must exactly match the audit log file that was retrieved previously.
As an alternative, use the uemcli -u<username> -p<password> -download
encryption -type auditLog -entries <all or YYYY-MM> CLI command
to download the entire audit log and checksum information or a partial audit log,
respectively. See the Unisphere Command Line Interface User Guide for detailed
information about this CLI command.
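The following sketch, added here as an illustration and not taken from the EMC documentation, checks an archived audit log against a checksum file that was downloaded later, so that changes to the archived copy are detected. The checksum file layout (hex digest followed by the filename), the SHA-256 algorithm, and the file names are assumptions; adjust them to what the system actually produces.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256"):
    """Hash the file in chunks so large audit logs are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_audit_log(log_path, checksum_path, algorithm="sha256"):
    """Return (ok, reason) for an archived audit log and a checksum file.

    ASSUMED checksum layout: '<hex digest>  <audit log filename>'.
    """
    fields = Path(checksum_path).read_text().split()
    if len(fields) != 2:
        return False, "unrecognised checksum file layout"
    expected, recorded_name = fields
    # The supplied filename must match the retrieved audit log exactly.
    if recorded_name != Path(log_path).name:
        return False, "checksum was generated for a different filename"
    actual = file_digest(log_path, algorithm)
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "digest mismatch: archived copy differs from the system's log"
    return True, "archived audit log matches the checksum"

def demo():
    """Constructed sample data: a fake log, its checksum, then an altered copy."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "auditlog_2016-05.txt"   # hypothetical filename
        chk = Path(d) / "auditlog_2016-05.chk"   # hypothetical filename
        log.write_text("2016-05-01 Keystore backup\n2016-05-02 Key creation\n")
        chk.write_text(f"{file_digest(log)}  {log.name}\n")
        clean = verify_audit_log(log, chk)
        log.write_text("2016-05-01 Keystore backup\n")  # one entry removed
        altered = verify_audit_log(log, chk)
        return clean, altered

if __name__ == "__main__":
    print(demo())
```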
Hot spare operations
When a system is already configured with DEKs for all the disk drives in the system
that are in provisioned pools, drives that are not currently in a provisioned pool are
considered unbound drives. Removal of unbound drives, or unbound drives
becoming faulted, has no effect on the keystore and therefore does not require a
backup of the keystore file. Likewise, replacement of an unbound drive has no effect
on the keystore and therefore does not require a backup of the keystore file.
Disk drives that are not bound will be overwritten with default data to remove
pre-existing data.
When a system is already configured with DEKs for all the drives in the system that
are in provisioned pools, those drives are considered bound drives. If a bound drive is
removed or the drive becomes faulted, and after a period of five minutes a permanent
hot spare replaces the removed or faulted drive, a DEK is generated for the hot spare,
Data Security Settings
54 EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide