Appendix C. Frequently Asked Questions - Dell PowerVault ML6000 User Manual

Dell powervault ml6000 encryption key manager user's guide

Appendix C. Frequently Asked Questions

Can some combination of application-based key management and
library-managed encryption be used?

No. When application-managed encryption is used, the encryption is
transparent at the library layers. Likewise, when library-managed encryption is
used, the process is transparent at the other layers. Each method of encryption
management is exclusive of the others. For library-managed encryption, the
applications need not be changed in any way.

Must the Encryption Key Manager be installed and running on every system
that might generate a request to encrypt or decrypt a tape?

With library-managed encryption, the system from which the tape drive write
request originates need NOT be the system on which the Encryption Key
Manager is running. Furthermore, an instance of Encryption Key Manager
need NOT be running on every system from which an encrypting tape drive is
accessed.

If I include the "drive.acceptUnknownDrives = True" parameter, should I still
include the "config.drivetable.file.url = FILE:/filename" parameter in the
configuration file?

config.drivetable.file.url must always be specified. It is where the drive
information will be. If you set drive.acceptUnknownDrives = True, you also
should set the drive.default.alias1 and drive.default.alias2 variables
to the correct certificate alias/key label.

Is FILE:/filename the correct syntax for the config.drivetable.file.url
property? FILE:///filename appears in the sample file, and FILE:../ in the
description.

The examples are correct. This is a URL specification and is not what people
normally expect for a directory structure specification.

Must I use forward or backward slashes when specifying fully-qualified paths
in the KeyManagerConfig.properties file for an instance of Encryption Key
Manager running on Windows?

Because KeyManagerConfig.properties is a Java properties file, only forward
slashes are recognized in pathnames, even in Windows. If you use backslashes
in the KeyManagerConfig.properties file, errors will occur.

Does the Encryption Key Manager perform any Certificate Revocation List (CRL)
checking?

No, the Encryption Key Manager does not perform any CRL checking.

What happens when the certificate being used to encrypt the tapes expires? Will
the Encryption Key Manager read previously encrypted tapes?

It does not matter to Encryption Key Manager if the certificate has expired. It
will continue to honor these certificates and read previously encrypted tapes.
However, the expired certificate must remain in the keystore in order for
previously encrypted tapes to be read or appended.

Will the Encryption Key Manager require that a certificate be renamed on
renewal?

The Encryption Key Manager is configured by default to honor new key
requests with expired certificates. When the Encryption Key Manager is
configured this way, certificate renewal is not required. If this function is
disabled and this private key/certificate pair must still be used for new key
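
The configuration answers above (config.drivetable.file.url is always required, the default aliases are needed when drive.acceptUnknownDrives = True, and only forward slashes work in pathnames) can be checked before the Encryption Key Manager is started. The Python lint below is an added example, not part of the Dell manual or of the Encryption Key Manager; its parser only approximates how Java loads a properties file, and the sample paths and alias names are constructed.

```python
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def java_unescape(value):
    """Approximate java.util.Properties backslash handling (no \\uXXXX, no line continuation)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(_ESCAPES.get(value[i + 1], value[i + 1]))  # unknown escape: backslash dropped
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse(text):
    """Simplified parser: 'key = value' lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, raw = line.split("=", 1)
            props[key.strip()] = raw.strip()
    return props

def lint(text):
    """Return findings for the rules stated in the FAQ answers."""
    props, findings = parse(text), []
    if "config.drivetable.file.url" not in props:
        findings.append("config.drivetable.file.url must always be specified")
    for key, raw in props.items():
        if "\\" in raw:
            findings.append(f"{key}: backslash in value, Java would read {java_unescape(raw)!r}")
    if props.get("drive.acceptUnknownDrives", "").lower() == "true":
        for alias in ("drive.default.alias1", "drive.default.alias2"):
            if not props.get(alias):
                findings.append(f"{alias} should be set when drive.acceptUnknownDrives = True")
    return findings

# Constructed samples: the paths and alias names are made up for illustration.
BAD = ("drive.acceptUnknownDrives = True\n"
       "config.drivetable.file.url = FILE:C:\\ekm\\tables\\drivetable\n"
       "drive.default.alias1 = cert1\n")
GOOD = ("drive.acceptUnknownDrives = True\n"
        "config.drivetable.file.url = FILE:///C:/ekm/tables/drivetable\n"
        "drive.default.alias1 = cert1\n"
        "drive.default.alias2 = cert2\n")

if __name__ == "__main__":
    for name, sample in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint(sample) or "no findings")
```

The BAD sample shows why backslashes cause errors: the properties loader treats them as escape characters, so `\t` in the path becomes a tab and the other backslashes disappear.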