HPE StoreOnce 6500 User Manual page 200

IMPORTANT: Data in Flight Encryption is not supported for IPv6 subnets. In the StoreOnce
Management Console, you will not see the Encryption Links section if an IPv6 subnet is selected. In
the StoreOnce CLI, a configuration command will fail if you attempt to configure Data in Flight
Encryption on an IPv6 subnet.
Data in Flight Encryption can be configured in two ways:
• Using the net [add/delete] encryption commands in the StoreOnce CLI. See the StoreOnce
  System CLI Reference Guide for more information.
• Using the StoreOnce GUI. See To add encryption to a subnet on page 213 and Encryption
  guidelines on page 214.
Key managers
The StoreOnce System can use either a local key manager or an external key manager to manage keys
for Data at Rest and Data in Flight Encryption. The local key manager is used unless the system has
been configured to use an external key manager. Two external key manager products are supported:
Hewlett Packard Enterprise Enterprise Secure Key Manager and SafeNet KeySecure. At any point in
time, the StoreOnce System can be configured to use only the local key manager or the external key
manager. Both key manager types cannot be used at the same time.
When using the local key manager, the local key store contains the encryption keys used either for Data
at Rest Encryption or Data in Flight Encryption. Each time a new encrypted VTL library, NAS share or
StoreOnce Catalyst store is created or deleted, the key store is updated. The key store is also updated
when a data in flight encryption link is created or deleted. Users are advised to back up the local key
store, using the StoreOnce CLI commands, and save it securely off site in case the original key store is
corrupted. However, only the latest version of the key store must be kept after each creation or deletion of
an encrypted VTL library, NAS share, StoreOnce Catalyst store or data in flight encryption link.
When using an external key manager, the local key store contains only the credentials required to
authenticate with the external key manager. Users are advised to back up the local key store after the
StoreOnce System has been successfully configured to use the external key manager. All the encryption
keys used either for Data in Flight Encryption or Data at Rest Encryption are stored and managed by the
external key manager.
Refer to Enrolling a StoreOnce appliance with an external key manager on page 201 for instructions
on how to configure the StoreOnce appliance with an external key manager.
Secure Erase
Secure Erase can be enabled for all store types. This feature allows secure erasure of data that was
backed up as part of a regular backup job. For example, you may have unintentionally backed up
confidential data and need to be sure that it has been securely erased. The Secure Erase feature can
only be enabled after the VTL library, NAS share, or StoreOnce Catalyst store has been created (edit the
share, store, or library to enable Secure Erase). Once Secure Erase is enabled, all data written to disk will
be securely erased upon data deletion.
The Secure Erase operation involves overwriting the data to be deleted with a sequence of 0, 1 or
pseudo-random data depending on the number of overwrite passes. Secure Erase can be configured to
overwrite the data to be deleted with either one, three, five, or seven passes. The amount of time required
to complete the Secure Erase increases with the number of overwrite passes. It is not advisable to leave
Secure Erase turned on permanently as this will have a negative impact on the performance of the
system due to increased disk I/O.
When Secure Erase is enabled for a VTL library, NAS share, or StoreOnce Catalyst store, any data
deletion operation is performed securely. Work with the backup application to trigger the Secure Erase,
for example by forcing the format of a VTL cartridge. The backup application sends the request to delete
the data and the deletion is carried out as part of the Housekeeping function. Secure Erase can also be
200
Access and Device Configuration

This manual is also suitable for:

Storeonce 6600