Planning for encryption involves purchasing
a licensed function and then activating and enabling the function
on the system.
To encrypt data that is stored on drives, the control enclosure to which the
drives are connected must have an active encryption license and be configured
to use encryption. When encryption is activated and enabled on the system, a
valid encryption key must be available to the system whenever it unlocks the
drives or a user generates a new key. The key is stored on USB flash drives,
each of which holds a copy of the key that was generated when encryption was
enabled. Without these keys, user data on the drives cannot be accessed: the
keys are the only means of unlocking the drives, so losing every copy of the
key is equivalent to losing the data.
Before you activate and enable
encryption, you must determine the method of accessing key information
during times when the system requires an encryption key to be present.
The system requires an encryption key to be present during the following
operations:
- System power-on
- System restart
- User-initiated rekey operations
Consider the following factors when you plan for encryption:
- Physical security of the location where the system is installed
- Whether an operator can be present to manually provide the encryption keys
whenever the system requires them (at power-on, at restart, and for a rekey),
and whether that manual step is worth the added security
- Availability of the key data, including how many copies of the key exist
and where they are stored
- Whether the encryption license is purchased, activated, and enabled on the
system
Two options are available for accessing key information on USB
flash drives:
- USB flash drives are inserted in the system at all times
  - If you want the system to restart automatically, a USB flash drive must be
left inserted in every canister on the system so that each canister can read
the encryption key when it powers on. This method is acceptable only if the
physical environment where the system is located is secure, because anyone
with physical access to the canisters also has access to the key: a person
who can take the system, or the drives together with the inserted USB flash
drives, can unlock the data, and a person who can reach the inserted USB
flash drives can copy the key. If the location is secure, these attacks are
prevented.
- USB flash drives are never inserted into the system except as required
  - For the most secure operation, do not keep the USB flash drives inserted
in the canisters on the system. This method requires that an operator
manually insert a USB flash drive that contains a copy of the encryption key
into each canister whenever the system requires the key (power-on, restart,
and rekey), so the system cannot restart unattended. After the system has
finished unlocking the drives, remove the USB flash drives and store them
securely to prevent theft or loss. Store the USB flash drives securely at all
other times as well, and keep more than one copy of the key, because without
a key the data on the drives cannot be accessed.