Manualshelf

Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

ManualsBrandsHP ManualsStorageHP Encryption SAN Switch
21222324252627282930
12 Encryption Administrator’s Guide
53-1001201-04
Key management systems
1
Key management systems
Key management systems are available from several vendors. This release supports three leading
key management systems:
The NetApp LIfetime Key Manager (LKM) version 4.0 or later.
The RSA Key Manager (RKM) version 2.1.3 or later, available through EMC.
The HP Secure Key Manager (SKM) version 1.1 or later, available through Hewlett Packard.
The NetApp Lifetime Key Manager (LKM)
The LKM solution is provided on a FIPS 140-2 Level 3-compliant network appliance. This appliance
interoperates with the Brocade encryption engine, which is also FIPS 140-2 Level 3-compliant.
The encryption engine and LKM appliance communicate over a trusted link. A trusted link is a
secure connection established between the Encryption switch or blade and the NetApp LKM
appliance, using a shared secret called a link key. One link key per encryption switch is established
with each LKM appliance. On a Brocade DCX or DCX-4S or with one or two FS8-18 encryption
blades, only one link key is established with each LKM appliance, and the Link Key is shared
between the blades.
DEKs are encrypted by the encryption engine, using the link key, and passed to LKM. LKM decrypts
the DEKs and encrypts them again with its own master key. When the encryption engine needs a
DEK from the LKM key vault, it passes a request that includes a key ID and other parameters
needed by LKM to locate the correct key. LKM locates the DEK, decrypts it using the master key,
and then encrypts it using the link key for transfer to the encryption engine. The LKM master key is
FIPS 140-2 level 3 protected, and is managed completely by LKM.
The RSA Key Manager (RKM)
RKM is a software-based solution. Communication with RKM is secured by wrapping DEKs in a
master key. The encryption engine must generate its own master key, send DEKs to RKM
encrypted in the master key, and decrypt DEKs received from RKM using the same master key. The
master key may optionally be stored as a key record in the RKM key vault as a backup, but RKM
does not assume responsibility for the master key. The master key must be backed up and stored,
and policies and procedures for responding to theft or loss must be in place.
The HP Secure Key Manager (SKM)
The HP StorageWorks Secure Key Manager (SKM) is a security appliance providing centralized key
management operations. SKM runs on a stand-alone FIPS 140-2 level 2 compliant hardware
platform that is isolated from the other applications, and runs a hardened operating system. SKM
offers high availability, clustering and failover options.
After the required certificate file is loaded on the encryption switch, and the SKM IP addresses are
configured on the encryption switch, the encryption switch automatically establishes a secure
connection with SKM. Communication with SKM is secured by wrapping DEKs in a master key. The
encryption engine must generate its own master key, send DEKs to SKM encrypted in the master
key, and decrypt DEKs received from SKM using the same master key.