Chapter 4. Configuring The Encryption Key Manager; Using The Gui To Configure The Encryption Key Manager; Configuration Strategies; Automatically Update Tape Drive Table - Dell PowerVault ML6000 User Manual

Dell PowerVault ML6000 Encryption Key Manager User's Guide

Chapter 4. Configuring the Encryption Key Manager

Using the GUI to Configure the Encryption Key Manager

Configuration Strategies

Automatically Update Tape Drive Table

The easiest way to create your configuration properties file is to use the Dell
Encryption Key Manager GUI following the procedure in "Using the GUI to Create
a Configuration File, Keystore, and Certificates" on page 3-5. If you have done so,
then you have already created your configuration file and no additional
configuration is required. The following information may be helpful if you wish to
take advantage of additional Encryption Key Manager configuration options.

Some configuration settings in the KeyManagerConfig.properties file provide
shortcuts that may have effects you should know about.

The Encryption Key Manager provides a variable in the configuration file
(drive.acceptUnknownDrives) that, when set to a value of true, automatically
populates the tape drive table when a new tape drive contacts the Dell
Encryption Key Manager. This eliminates the need to use the adddrive command
for each tape drive or library. In this mode, the 10-digit serial number for each of
these devices need not be entered using the CLI client commands. The new drives
undergo the normal public/private key cryptography exchange to verify the
identity of the tape device. Once this verification is complete, the new device is
able to read existing tapes based on the key IDs stored on them (assuming the
corresponding key information is found in the configured keystore).

Note: The Encryption Key Manager server should be refreshed using the GUI or
the command "refresh" on page 5-13 after drives are added automatically to
ensure that they are stored in the drive table.

For LTO 4 and LTO 5 drives, you can set the default symmetric key pool
(symmetricKeySet) for encryption on newly added devices. In other words, you
can have the Encryption Key Manager fully configure the device with associated
key material when the device makes contact. If you choose not to do this when the
device is added to the drive table, you can do so after the tape drive has been
added to the tape drive table, using the moddrive command.

In addition to relieving the administrator of the need to enter the 10-digit serial
number for each of the tape drives the Encryption Key Manager will service, it
also allows a default environment for large systems configurations.

It should be noted that such convenience comes at the price of reduced security.
Since the devices are added automatically and could be associated with a
certificate alias (able to write a tape with that certificate alias), the added security
check that the administrator would perform when adding the devices manually is
skipped. It is important that you evaluate the advantages and disadvantages of
this option to determine if automatically adding the tape drive information to the
drive table, and implicitly granting that new device access to the certificate
information, is an acceptable security risk.
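
The following configuration audit is an added example and is not part of the Dell manual or the Encryption Key Manager software. It reads KeyManagerConfig.properties content, reports when the auto-add shortcut is active, and compares drive-table serials against an approved inventory to stand in for the skipped administrator check. Assumptions: the file uses Java properties syntax, "true" is matched in any letter case, the function names are hypothetical, and the sample configuration and serial numbers are constructed.

```python
import re

# Constructed sample of KeyManagerConfig.properties content (not from the manual).
SAMPLE_CONFIG = """\
drive.acceptUnknownDrives = false
symmetricKeySet = KEY_POOL_PLACEHOLDER
! a later duplicate overrides the earlier line when loaded as Java properties
drive.acceptUnknownDrives : TRUE
"""

def parse_properties(text):
    """Parse Java-style .properties text (assumed format); last duplicate wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue  # blank line or comment
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]  # odd trailing backslash: value continues on next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(props):
    """Return findings for the auto-add shortcut described in this section."""
    findings = []
    # Assumption: any letter case of "true" enables the option.
    if props.get("drive.acceptUnknownDrives", "").lower() == "true":
        findings.append("drive.acceptUnknownDrives=true: new drives enter the drive "
                        "table without the administrator's manual check")
        if props.get("symmetricKeySet"):
            findings.append("symmetricKeySet is set: auto-added LTO 4/5 drives "
                            "receive default key material on first contact")
    return findings

def unapproved_drives(drive_table_serials, approved_serials):
    """Serials present in the drive table but absent from the approved inventory."""
    return sorted(set(drive_table_serials) - set(approved_serials))

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_CONFIG)):
        print("FINDING:", finding)
    # Constructed 10-digit serials; how the drive table is exported is site-specific.
    print(unapproved_drives(["0000000001", "0000000002"], ["0000000001"]))
```

The sample deliberately sets the property twice, because reading only the first occurrence would miss a later line that turns auto-add back on.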