EMC Symmetrix Encryption with DPM

Transcription

1 Encryption with DPM RSA Secured Implementation Guide Last Modified: July 2th 2015 Partner Information Product information Partner Name Web Site Product Name Product Description Version & Platform Product Category EMC Data at Rest Encryption with Enterprise Key Manager This is a standalone data encryption solution of a Array. Enginuity Arno version_ Disk/File Encryption

2 Solution Summary Data at Rest Encryption has been qualified for interoperability with the RSA Key Manager Appliance. The Key Manager Appliance is an all-in-one packaging of the RSA Key Manager Server that is intended to simplify the installation and management of the system. It delivers the Key Manager Server in a lowprofile, rack-mountable form that can easily be shipped and installed as a complete platform. The Key Manager Appliance is certified for FIPS level 1. Some modules of symmetrix Array may be FIPS level 2 or 3. Check with the EMC rep for latest status. All of the core components and functionality of the Key Manager Server are present, including the operating system, web server, application server, database, and RSA Access Manager. In addition, all of the third-party software components required to run the Key Manager Server is included with the Key Manager Appliance. The Key Manager Appliance does not include software that is not part of the Key Manager Server, such as the Key Manager Client (which is external) or a load balancer. This is a Highlyavailable and resilient environment for long-term key storage external from arrays. Support for large numbers of keys and clients across geographic and organizational boundaries. Centralized key management and auditing for security compliance objectives. Consolidation and centralization of encryption keys. Separation of encryption key storage from encrypted data. Ability to transport arrays securely by uploading the encryption keys to a server, removing the keys from the array, and restoring the keys at the new location..

3 Encryption is performed by a hardware encryption module on the HBA modules connected to the drives. There is a Key (DEK) for each drive in the array. There is also a single key (KEK) for the array communication. The keys are created by the RKM server and populated with an Alias. The key retrieval is by Alias only. There is an internal Symmerix Health check which will check for keys and certificate status. The solution is meant to be self contained meaning each Symm is responsible for its own encryption. Once data leaves the Symm it is in clear text decrypted. This means features such as SRDF will not affect the solution and will work as they usually did with no changes. This solution will also go through EMC Elab approvals and be on the EMC support website. Table 3. Supported configurations Configuration Single Cluster / Standalone cluster with a single appliance Description Single appliance, standalone configuration running in evaluation mode. Not supported for operational use as it is not a secure deployment. Used for evaluation, development, and demonstration purposes only. Single Cluster / Dual Appliance HA Mode Multiple Cluster / Cluster Group Single cluster with dual appliances (one primary and one secondary) that work together as a pair fronted by an external load balancer. Pairs of Key Manager Appliances at multiple locations organized into a cluster. All of the clusters are part of a Cluster Group. But cannot be used as automatic failover? Product Configuration for Interoperability RSA Key Manager Configuration Deciding whether to use manual or automatic enrollment. Data at Rest Encryption supports both auto enrollment and manual enrollment. With auto enrollment, the RKM Server Administrator creates the profile name and the profile activation code and provides this information to the Customer Engineer before the installation. The client credentials files associated with an identity group are bulk uploaded to the Key Manager Appliance. With manual enrollment, the RKM Server Administrator assigns a unique identity to the client and provides the CA root, credential file, and password to the Customer Engineer

4 For manual and auto enrollment, the identity name must be unique per array and the application name must be unique for each client enrollment (even for the same array). With manual enrollment, the identity name and the application name are added to the Key Manager Appliance by the RKM Server Administrator ahead of time, while with auto enrollment the unique choices for these names are provided to the Customer Engineer instead. DPM 3.x and higher has a new important feature called GKD (Guaranteed Key Delivery). This feature is required for EMC configurations. Planning identity groups and identities As part of the planning process for deploying a Key Manager Appliance, you need to plan identity groups and identities to support Data at Rest Encryption. An identity group is the mechanism that the Key Manager Appliance uses to map an enterprise s security processes and requirements to a set of key domains where a specific key class is valid. An identity group consists of a key class and a set of identities that have access rights to that key class. Identity groups allow the enterprise to isolate systems with different operational and security requirements. For example, an enterprise may be divided into regional data centers, each of which is defined by a separate identity group. Or an enterprise may consist of separate service providers, each of which requires its own identity group. An identity is entity (for example, Data at Rest Encryption) that needs to use a key class to protect sensitive data. An identity binds an application to a public key certificate. An identity can be a member of multiple identity groups. Step Task Owner Description 1 Set up the Data at Rest Encryption environment on the Key Manager Appliance RKM Server Administrator Will supply the information to the EMC customer Engineer for enrollment 1. Obtain the PKI Credentials for the Key Manager Appliance and the Key Manager Client. 2. Define the following key manager objects for the EMC rep to use for enrollment: Identity Group Identity Client App name Key classes (KEK and DEK) Crypto policies (KEK and DEK) Client Application name 3. Define the client enrollment type (Auto Enrollment or Manual Enrollment). For Auto Enrollment, define the profile name and the activation code, and then bulk upload credentials. For Manual Enrollment, provide the credential files and the client credential password to the Customer Engineer.

5 Planning a PKI credentials strategy EMC recommends that you consult with your RSA representative to determine the PKI platform best suited to your environment. A public key infrastructure (PKI) supports the implementation and operation of a certificate-based public key cryptographic system. The main function of a PKI is to distribute credentials accurately and reliably to users and applications that need them. The Key Manager Appliance does not provide a facility for generating or requesting PKI credentials. You must have some method of generating or obtaining certificates, either by using self-signed certificates, implementing an internal PKI, or contracting with an external PKI provider. Note: If FIPS is enabled you must have FIPS compliant certificate RSA Key Manager Configuration Steps To log into the appliance or DPM server Software use <host name>/kms. The user is kmsadmin and your Master Password. Configure GKA for clustered enviorments If multiple arrays are connected to a Key Manager Appliance, cluster, or cluster group, each array must have a unique identity and Client App name. All of the identities in the same identity group can access and operate with the same set of keys, but since each array has an independent set of keys, it is not necessary to group multiple arrays into the same identity group. Each array can be placed in either the same identity group or key class, or in different identity groups and key classes depending on the customer preference (even if you plan to setup replication, e.g., using Recover Point, between the two arrays). It may be best to confine each identity to its own identity group for security and management purposes. The name of the identity group can be assigned by the RKM Server Administrator, but EMC recommends that the name include the array serial number. 1. Create Identity group EMC recommendation: EMC_Symm_< serial number>

6 2. Create Identity (skip this step if using auto Enrollment) manually create Identity and upload Identity p12 certificate with.cer extension and enter password EMC recommendation: EMC_Symm_< serial number> for the Identity name

7 3. Create KEK crypto Policies in crypto policy tab Policy Name: EMC Recommends EMC_Symm_KEK_policy_< serial number> Cipher Algorithm: required value of AES Key size: required value of 256 Mode: required value of ECB Duration: required value of Infinite

8 4. Create DEK Crypto Policy Policy Name: EMC Recommends EMC_Symm_DEK_policy_< serial number> Cipher Algorithm: required value of AES Key size: required value of 512 Mode: required value of XTS Duration: required value of Infinite 5. Create DEK Key class Name: EMC recommends EMC_Symm_DEK_class_< serial number> Identity Group: Select the user-defined name of the identity group that contains the array. Key Duration: Cipher Algorithm Select the previously defined DEK crypto policy. 1. Hit Next

9 Policy: Select the previously defined DEK crypto policy. 6. Hit the Next Button until you get to the review screen. There are no attributes to add. 7. Review and click Finish

10 Resulting Key Classes 8. Create KEK key class using the above procedure with the KEK name and KEK crypto policy

11 Using Auto Enrollment Profile settings. 9. Go To Settings tab and Create a Profile and save Profile Name: recommended EMC_Policy_< serial number> Activation Code: Use either Automatic or Manual whichever is preferred. Activity code and Count: Can be user defined Identity Group: Use previously created identity Group

12 10. Upload PKCS12 certificates with.p12 extensions with the browse button and enter password Use standard practices for obtaining certificates either from the customer or other means. Also refer to the EMC Data at Rest Encryption with Enterprise Key Manager Deployment guide. If multiple arrays are connected to a Key Manager Appliance, cluster, or cluster group, each array must have a unique identity and Client App name. However, each array may be placed in either the same identity group or in different identity groups. All of the identities in the same identity group can access and operate with the same set of keys, but since each array has an independent set of keys, it is not necessary to group multiple arrays into the same identity group. It is best practice to confine each identity to its own identity group for security and management purposes. The name of the identity group can be assigned by the RKM Server Administrator, but EMC recommends that the name include the array serial number.

13 11. Go to settings tab to Setup GKD to the second local DPM server in the same data center. 12. Click change GKD configuration check the box and fill in the apropiate information using port 443.

14 EMC Configuration Refer to the EMC Data at Rest Encryption with Enterprise Key Manager Deployment Guide. At this point an EMC customer service rep needs to be involved. SymmWin, which is in the control panel is used for configuration. Prerequisites The Data at Rest Encryption environment must be configured on the Key Manager Appliance. You must have obtained the Data at Rest Encryption Key Manager Appliance configuration information from the RKM Server Administrator. For manual enrollment, the CA server.pem certificate and client p12 credential files must be available on the service processor. The array must be running Enginuity version 5875 Q SR or higher. All engines must have encryption capable Back End I/O Modules (PN B). Data at Rest Encryption must be enabled in the array configuration settings before you start the installation procedure. Note: The installation scripts will fail if any of the prerequisites are unsatisfied You will need the following information as outlined earlier. Identity group Identity (for manual enrollment) Key class Crypto policy Client Application ID Enrollment type (auto or manual) Activation Code (for auto enrollment)

15 The installation script prompts you to select either Enterprise Key Server or Embedded Key Server. Select Enterprise Key Server. We will not go through all the steps since this is where the EMC customer service rep will be doing the work. Note: Once a array has been configured to use the external Enterprise Key Server, switching to the Embedded Key Server is not supported. Upgrade erkm to RKM with key migration This section describes the key management events that occur during the non-disruptive upgrade of a array from using the Embedded Key Server to using the Key Manager Appliance. During the upgrade, the Key Manager Client is reconfigured to connect to the Key Manager Appliance. The keys are then migrated to the Key Manager Appliance and securely deleted from the local key store Note: Once a array has been configured to use the external Enterprise Key Server, switching back to the Embedded Key Server is not supported.

16 To upgrade the array, run the following script from SymmWin: Procedures > Procedure Wizard > System Initialization Tools > Upgrade erkm to RKM with key migration The script verifies that Data at Rest Encryption is enabled and running in the embedded mode. The script requests the following information, as previously provided by the RKM Server Key Manager Appliance IP address or host name Key Manager Appliance port number (default is 443) Enrollment type (Auto Enrollment or Manual Enrollment) Application name Identity name Note: If the migration for some reason fails, a script will need to be run to delete all keys and metadata. Contact Product Support for this script. Ensure the key classes are deleted on all nodes before restarting.

17 Revisions and Certification Checklist for Third-Party Applications Date Tested: 7/2/2015 Product Operating System Tested Version Key Manager Server Appliance DPM Key Manager Client Windows Embedded RKM-Client June-2010 based on standard 2.7.x Enginuity Enginuity version encryption capable Back End I/O Modules PN B Date Tested: 5/10/2013 Product Operating System Tested Version Key Manager Server Appliance DPM Key Manager Client Windows Embedded RKM-Client June-2010 based on standard 2.7.x Enginuity Enginuity version encryption capable Back End I/O Modules PN B Date Tested: 4/1/2012 Product Operating System Tested Version Key Manager Server Appliance DPM Key Manager Client Windows Embedded RKM-Client June-2010 based on standard 2.7.x Enginuity Enginuity version encryption capable Back End I/O Modules PN B Date Tested: 12/15/2011 Product Operating System Tested Version Key Manager Server Appliance DPM Key Manager Client Windows Embedded RKM-Client June-2010 based on standard

18 2.7.x Enginuity Enginuity version encryption capable Back End I/O Modules PN B Date Tested: 6/6/2011 Product Operating System Tested Version Key Manager Server Appliance rkm-2.7sp1 Key Manager Client Win Lin.x Embedded RKM-Client June-2010 based on standard 2.7.x Enginuity Enginuity version 5875 Q SR or higher

19 RSA Key Manager Client Partner Product Functionality Partner product successfully encrypts data utilizing key material from RKM Partner product successfully decrypts data utilizing key material from RKM Partner product will not send any clear text data without the proper key. RSA Key Manager / Partner Product API Functionality Key Create Key Archival Key retrieval by key class Key retrieval by key ID Key retrieval by Alias Encrypt data Decrypt data Result Yes Yes Yes Yes Yes N/A N/A Yes no no FL / PAR = Pass = Fail N/A = Non-Available Function

20 Known Issues There are no known issues at this time. Appendix Document Title Data At Rest Encryption Deployment Guide EMC Elab Navigator EMC Solutions Enabler Array Management CLI Product Guide. EMC Data at Rest Encryption Detailed Review Description Describe how to implement the EMC Symmetric Solution EMC interoperability Matrix The Monitoring Data at Rest Encryption section provides details about administering and monitoring Data at Rest Encryption Describes the features and operations of Data at Rest Encryption with the embedded web server. Location Data at Rest Encryption Guide.doc Under Other/Encryption devices Available on the Solutions Enabler product CD Available on the EMC Powerlink website.