Key Management - IBM N series Hardware Manual


5.5.6 Key management

This section describes key management.
Overview of Key Management Interoperability Protocol
Key Management Interoperability Protocol (KMIP) is an encryption key interoperability
standard created by a consortium of security and storage vendors within OASIS. Version 1.0
was ratified in 2010, and participating vendors have since released compatible products.
KMIP effectively superseded IEEE P1619.3, an earlier proposed key management standard.
With KMIP-compatible tools, an organization can manage its encryption keys from a single
point of control instead of running a separate key management tool for each product and
business purpose. One key manager serving every KMIP client reduces operational complexity
and makes it easier to demonstrate regulatory compliance, because key generation, rotation
and access are administered and audited in one place. The same centralization means the key
manager itself must be protected and kept available, since every client depends on it for
its keys.
Communication with the KMIP server
Self-encryption uses Secure Sockets Layer (SSL) certificates to establish an authenticated,
encrypted channel to the KMIP server. The certificates must be in Base64-encoded X.509 PEM
format and can be self-signed or signed by a certificate authority (CA). With a self-signed
certificate, trust rests entirely on the operator checking the certificate (for example, its
fingerprint) against the peer out of band when it is installed; with a CA-signed certificate,
each side validates the other against the CA certificate it has been given.
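Before a certificate is loaded onto the storage system or registered on the key manager, it is worth checking that it really is a PEM-encoded X.509 certificate, whether it is self-signed, and, if it is CA-signed, that it actually chains to the CA certificate the other side trusts. The following Go program is an added example written for this page, not code from IBM, Data ONTAP or any key manager product. It builds its own throw-away certificates in memory (a hypothetical CA named "Example Key Manager CA", a key manager certificate for the made-up host kmip.example.internal, and a self-signed certificate for storage-node-1; all of these are constructed test fixtures) and then runs the same checks an operator would run on real certificate files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parsePEMCert checks that data is a Base64-encoded X.509 certificate in PEM
// form (the only format the storage system accepts) and parses it.
func parsePEMCert(data []byte) (*x509.Certificate, error) {
	blk, _ := pem.Decode(data)
	if blk == nil {
		return nil, errors.New("no PEM block found; convert DER or PKCS#12 input to PEM first")
	}
	if blk.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("PEM block type is %q, want CERTIFICATE", blk.Type)
	}
	return x509.ParseCertificate(blk.Bytes)
}

// inspectPEMCert returns the subject and issuer and whether the certificate is
// self-signed: issuer equals subject and its own public key verifies the signature.
func inspectPEMCert(data []byte) (subject, issuer string, selfSigned bool, err error) {
	cert, err := parsePEMCert(data)
	if err != nil {
		return "", "", false, err
	}
	selfSigned = cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return cert.Subject.String(), cert.Issuer.String(), selfSigned, nil
}

// verifyChain checks a CA-signed certificate against the CA bundle the peer
// trusts, which is the check the SSL handshake performs on each side.
func verifyChain(certPEM, caPEM []byte, now time.Time) error {
	cert, err := parsePEMCert(certPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("CA bundle contains no PEM certificates")
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

// makeCert builds a throw-away test certificate for cn. With parent == nil it is
// self-signed; otherwise it is issued by parent (a CA) with parentKey.
// Fixture only: production keys are generated on the device or in an HSM.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (pemCert []byte, cert *x509.Certificate, key *ecdsa.PrivateKey, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	issuer, issuerKey := tmpl, key
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, _ = x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key, nil
}

func main() {
	caPEM, caCert, caKey, _ := makeCert("Example Key Manager CA", true, nil, nil)
	kmipPEM, _, _, _ := makeCert("kmip.example.internal", false, caCert, caKey)
	nodePEM, _, _, _ := makeCert("storage-node-1", false, nil, nil)
	for _, p := range [][]byte{kmipPEM, nodePEM} {
		subject, issuer, self, err := inspectPEMCert(p)
		fmt.Printf("subject=%s issuer=%s selfSigned=%v err=%v\n", subject, issuer, self, err)
	}
	fmt.Println("CA-signed cert against CA bundle:", verifyChain(kmipPEM, caPEM, time.Now()))
	fmt.Println("self-signed cert against CA bundle:", verifyChain(nodePEM, caPEM, time.Now()))
}
```

The self-signed test is deliberately stricter than comparing issuer and subject strings: a certificate whose issuer merely equals its subject but whose signature does not verify with its own key is neither self-signed nor CA-signed and should be rejected, not trusted on fingerprint alone. On a real system the same checks apply to the files you upload: run them against the key manager's server certificate, the storage system's client certificate and the CA bundle before enabling key management.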
Supported key managers
Self-encryption with Data ONTAP 8.1 supports the IBM Tivoli Key Lifecycle Manager Version 2
server for key management, with support for further key managers to follow. Other
KMIP-compliant key managers are evaluated as they are released into the market.
Self-encryption supports up to four key managers simultaneously, so that the authentication
key remains available when one key manager is unreachable, for example while a node is
booting and needs the key to unlock its drives. Figure 5-10 shows how the authentication key
is used in self-encryption: the Authentication Key (AK) wraps the Data Encryption Key (DEK)
that encrypts the data on the drive, and the AK is backed up to an external key management
server.
Figure 5-10 Authentication key use
IBM System Storage N series Hardware Guide