Managing Encryption Keys
■
Interoperability - OKM provides the interoperability needed to support a diverse range
of storage devices attached to mainframe or open systems under a single storage key
management service.
■
High availability - With active N-node clustering, dynamic load balancing, and automated
failover, OKM provides high availability, whether the appliances are sited together or
distributed around the world.
■
High capacity - OKM manages large numbers of storage devices and even more storage
keys. A single clustered appliance can provide key management services for thousands of
storage devices and millions of storage keys.
■
Flexible Key Configuration - Per OKM cluster, keys can be generated automatically or
created individually for a LOCAL or OKM keystore. Security administrators are responsible
for providing the key names which, when combined with the keystore, associate a given
wrapping key with a project or share.
Note - If the appliance is clustered, do not use the "one time passphrase" setting when creating
the OKM server agent otherwise registration on the other cluster node will fail and keys will not
be available on failover.
Maintaining Keys
Shares and projects that use OKM keys that are in a deactivated state remain accessible. To
prevent an OKM key from being used, the OKM administrator must explicitly delete the key.
To ensure encrypted shares and projects are accessible, back up your appliance configurations
and LOCAL keystore key values. If a key(s) becomes unavailable, any shares or projects that
use that key become inaccessible. If a project key is unavailable, new shares cannot be created
in that project.
Keys can become unavailable in the following ways:
■
Keys are deleted
■
Rollback to a release that does not support encryption
■
Rollback to a release where the keys are not configured
■
Factory reset
■
OKM server is not available
Understanding Encryption Key Values
The following table shows the BUI and CLI encryption key values and descriptions. It also
indicates if the encryption type works with deduplication.
Data Encryption 583
To Next Page
Loading...
Need help?
General
