Data Center Fabric Manager Professional User Manual - Supporting DCFM 10.3.x (53-1001355-01, October 2009)
428 DCFM Professional User Manual
53-1001355-01
The NetApp Lifetime Key Manager
A
The NetApp Lifetime Key Manager
The NetApp Lifetime Key Manager (LKM) resides on an FIPS 140-2 Level 3-compliant network
appliance. The encryption engine and LKM appliance communicate over a trusted link. A trusted
link is a secure connection established between the Encryption switch or blade and the NetApp
LKM appliance, using a shared secret called a link key. One link key per encryption switch is
established with each LKM appliance. On a Brocade DCX or DCX-4S or with one or two FS8-18
encryption blades, only one link key is established with each LKM appliance, and the link key is
shared between the blades.
DEKs are encrypted by the encryption engine, using its link key, and passed to LKM over a secure
connection. LKM decrypts the DEKs and encrypts them on the LKM appliance. When the
encryption engine needs a DEK from the LKM key vault, it passes a request that includes a key ID
and other parameters needed by LKM to locate the correct key. LKM locates the DEK, decrypts it,
and then encrypts it using the its key for transfer to the encryption engine.
Setting up an LKM key vault consists of the following steps:
• Authenticating the NetApp LKM appliance with the group leader by registering certificates
containing the public key and IP address with the group leader. The group leader automatically
distributes the certificate and the IP address of the NetApp LKM appliance to all group
members.
• Authenticating the encryption group leader and each encryption group member with the
NetApp LKM appliance. For each node in the encryption group, the IP address and the
certificate containing the public key are registered with the NetApp LKM appliance. The
registered certificate is a special purpose KAC Certificate that contains license information
related to the LKM.
• Establishing a trusted link between the NetApp LKM appliance and each member node. As
part of the trusted link establishment, a shared secret called a link key is created on each of
the two entities, The link key is subsequently used for encrypting the DEKs for archival to the
NetApp LKM appliance or for decrypting the encrypted DEKs for retrieval from the NetApp LKM
appliance.
The NetApp DataFort Management Console
The NetApp DataFort Management Console (DMC) must be installed on your PC or workstation to
complete certain procedures described in this appendix. Refer to the appropriate DMC product
documentation for DMC installation instructions. After you install DMC, do the following.
1. Launch the DMC.
2. Click the Appliance tab on the top panel.
3. Add the NetApp LKM appliance IP address or hostname.
4. Right-click the added IP address and log into the NetApp LKM key vault.