Spectra T50e - Page 300

To Next Page

To Previous Page

Chapter 10—Encryption and Key Management BlueScale Key Management

August 2017 User Guide—Spectra T50e Library

297

Bestpracticesdictatethatyoumakecopiesofthekeyimmediately

followingthekey’screation.Toensuresecurity,makesurethatyoutrack

eachcopyofanencryptionkey.

 Decideonthenumberofcopiestomakeofeachkeyandkeeparecord

ofeachcopy’slocation.Considerstoringmultiplecopiesofkeys,that

youthentrackcarefully,storingthecopiesinseparateplacesandaway

fromthedataencryptedusingthosekeys.

 Establishakeyrotationplanthatspecifieshowoftentocreateanduse

newkeys.Therotationplanmaybeasimpleschedulesuchaschanging

keysonceeverysixmonths,anddestroyingthekeysonlyafterthelast

setofdataencryptedusingthatkeyisoverwrittenordestroyed.

BlueScaleEncryptionStandardEditionstoresonekeyonthelibraryat

atime;youmustdeletethekeycurrentlyonthelibrarybeforeyoucan

createorimportanotherkey.ProfessionalEditionpermitsmultiple

keysperlibrary,withonekeyperencryption‐enabledpartition.

 Establishaprocedurefortrackingmonikers.Makesureyoutrackthe

informationrequiredtoaccessandidentifykeys,alongwiththe

locationofstoreddatathatuseseachencryptionkey.Makesurethis

informationisnotstoredwiththeencrypteddata.Keepitonasystem

orinanarchivethatisnotavailableonanetwork.Foradditional

security,encryptthisinformationaswell.

 Beforeyoudeleteakeyfromthelibrary,makesure thatatleastone

copywasexportedandstoredsecurely.Itisimportanttomakesure

thatatleastonecopyofeachkeyissecureandreadable(thatis,

uncorrupted),toensureyoucanrestoreyourdata.

Keepingacopyofanexportedkeyisessential;afterakeyisdeleted

fromthelibrary,itisnotrecoverable.Oncethekeyisgone,thedatais

inaccessible;forlegalandpracticalpurposesthedataistypically

consideredtobedeleted.

Process Testing and Exception Handling

 Rundrillstoconfirmthatyourdataisbeingencryptedproperly,that

keysarestoredproperly,andthatyoucanrecoveryourdata.Makesure

thatthesedrillsareincludedwithyouroverallorganizationalsecurity

strategy.

Caution

As a matter of best practice, Spectra Logic recommends exporting encryption keys

to a USB device instead of using email.

Although emailing encryption keys is supported by the library, using email

presents security issues, including the following:

 Copies of encryption keys may be left on the email servers used for sending and

receiving email and are thus subject to compromise.

 The difficulty in verifying where all the copies of emailed encryption keys may

be located can make security audits more challenging.

Main Page

Spectra T50e - Page 300

Table of Contents

Other manuals for Spectra T50e

Related product manuals