KMIP key management server support, Data encryption workflow, Data encryption on existing data workflow – HP XP7 Storage User Manual

Page 8: Disable encrypted data workflow

Updating CEK keys.

Updating KEK keys.

For more information about backing up secondary data encryption license keys, see “Workflow for backing up secondary data encryption license keys” (page 18).

CAUTION: Make the secure storage of secondary backup encryption license keys part of your corporate security policy.

If the primary backup key becomes unavailable and no secondary backup key exists, the system
cannot decrypt encrypted data.

KMIP key management server support

Using the HP XP7 Storage system, you can back up and restore data encryption license keys
on a key management server that supports Key Management Interoperability Protocol (KMIP).

Only a limited number of keys can be backed up on the key management server. Therefore, it
is recommended that you delete unnecessary keys when possible.

For more information about backing up data encryption license keys to a key management server, see “Backing up keys to a key management server” (page 19).

Data encryption workflow

The DKA Encryption feature provides data encryption at the parity-group level to protect the data
on LDEVs. Use the following process to set up for and enable data encryption:

1. A secondary data encryption license key is backed up.
2. Data encryption is enabled at the parity-group level.
3. The logical devices (LDEVs) in the parity group are formatted.
4. If V-VOLs are used, the V-VOLs are also formatted.

For more information about enabling data encryption, see “Enabling data encryption at the parity group-level” (page 20).

Data encryption on existing data workflow

Use the following process to encrypt existing data:

1. A new parity group is created. Your service representative creates parity groups using the SVP.
2. Data encryption is enabled on the parity group.
3. The LDEVs in the encrypted parity group are formatted.
4. The existing data is migrated to the new LDEVs in the encrypted parity group.

For more information about moving unencrypted data to an encrypted environment, see “Workflow for moving unencrypted data to an encrypted environment” (page 23).

Disable encrypted data workflow

Use the following process to disable encryption:

1. Data in the parity group is backed up.
2. Data encryption is disabled at the parity-group level.
3. The LDEVs in the parity group are formatted.
4. The LDEVs are unblocked.

For more information about disabling encryption, see “Workflow for disabling data encryption at the parity-group level” (page 21).

DKA Encryption Overview
