EMC VMAX 200K - Page 40

The drive replacement script destroys the keys associated with the removed drive,
quickly making all data on that drive unreadable.
- Secure array retirement. Simply delete all copies of keys on the array, and all
  remaining data is unreadable.
D@RE is compatible with all array features and all supported drive types or volume
emulations. Encryption is a powerful tool for enforcing your security policies. D@RE
delivers encryption without degrading performance or disrupting your existing
applications and infrastructure.
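
The key-destruction behaviour described above, as an added example (not EMC's code and not the drive replacement script): a hypothetical `KeyStore` holds one data key per drive, and HMAC-SHA256 in counter mode stands in for the array's cipher, which this page does not specify. All class, function and drive names are constructed for illustration.

```python
import hashlib, hmac, secrets

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the array's cipher.
    blocks = (_prf(key, b"enc", nonce + i.to_bytes(8, "big"))
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = _xor_stream(key, nonce, plaintext)
    return nonce + body + _prf(key, b"mac", nonce + body)

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + body)):
        raise ValueError("wrong key or corrupted data")
    return _xor_stream(key, nonce, body)

class KeyStore:
    """Hypothetical key manager: one data key per drive, with an audit trail."""
    def __init__(self):
        self._keys, self.audit = {}, []

    def create(self, drive_id):
        self._keys[drive_id] = secrets.token_bytes(32)
        self.audit.append(("create", drive_id))

    def write(self, drive_id, plaintext):
        return encrypt(self._keys[drive_id], plaintext)

    def read(self, drive_id, blob):
        # Returns None once the drive's key has been destroyed.
        key = self._keys.get(drive_id)
        return None if key is None else decrypt(key, blob)

    def destroy(self, drive_id):
        # Drive replacement: only this drive's data becomes unreadable.
        del self._keys[drive_id]
        self.audit.append(("destroy", drive_id))

    def retire_array(self):
        # Array retirement: destroy every remaining key.
        for drive_id in list(self._keys):
            self.destroy(drive_id)
```

The ciphertext left on a removed drive is untouched by `destroy`; it is unreadable only because no copy of its key survives, which is why the retirement step has to cover all copies of the keys.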
Enabling D@RE
D@RE is a licensed feature, and is pre-configured and installed at the factory. The
process to upgrade an existing array to use D@RE is disruptive and requires
re-installing the array, and may involve a full data backup and restore. Before you
upgrade, you must plan how to manage any data already on the array. EMC
Professional Services offers services to help you upgrade to D@RE.
D@RE components
Embedded D@RE (Figure 1 on page 41) uses the following components, all of which
reside on the primary Management Module Control Station (MMCS):
- RSA Embedded Data Protection Manager (eDPM): Embedded key management
  platform, which provides onboard encryption key management functions, such as
  secure key generation, storage, distribution, and audit.
- RSA BSAFE® cryptographic libraries: Provide security functionality for RSA
  eDPM Server (embedded key management) and the EMC KTP client (external key
  management).
- Common Security Toolkit (CST) Lockbox: Hardware- and software-specific
  encrypted repository that securely stores passwords and other sensitive key
  manager configuration information. The lockbox binds to a specific MMCS.
External D@RE (Figure 2 on page 41) uses the same components as embedded, and
adds the following:
- EMC Key Trust Platform (KTP): Also known as the KMIP Client, this component
  resides on the MMCS and communicates via the OASIS Key Management
  Interoperability Protocol (KMIP) with external key managers to manage encryption
  keys.
- External Key Manager: Provides centralized encryption key management
  capabilities such as secure key generation, storage, distribution, audit, and
  enabling Federal Information Processing Standard (FIPS) 140-2 level 3 validation
  with High Security Module (HSM).
- Cluster/Replication Group: Multiple external key managers sharing configuration
  settings and encryption keys. Configuration and key lifecycle changes made to one
  node are replicated to all members within the same cluster or replication group.
VMAX3 with HYPERMAX OS
40 Product Guide VMAX 100K, VMAX 200K, VMAX 400K with HYPERMAX OS