The system supports enabling encryption by using USB flash drives to copy the
encryption key directly to the system through the USB ports on the node canisters.
The process requires a minimum of three USB flash drives to store
the generated key. If the system is in a secure location, two USB flash drives can remain inserted
in two different node canisters. If the location is not secure, all USB flash drives that hold the key can be
removed from the system and stored securely. Extra copies of the key must be created and stored
securely so that the system remains accessible if the USB flash drives are damaged or stolen. You are required to insert
USB flash drives into the canisters to enable encryption and to rekey the system.
During these operations, you are
responsible for ensuring the security of the system.
Use these general guidelines when you enable encryption and manage USB
flash drives that contain an encryption key:
- In addition to the copies that are written to the USB flash drives when encryption is enabled
on the system, make at least one additional copy on another USB flash drive and store it in a secure
location.
- Also copy the encryption key to other forms of storage to provide resiliency and to
mitigate risk if, for example, the USB flash drives come from a faulty batch.
- Ensure that each copy of the encryption key is valid before you write any user data to the system.
The system validates the key material on a USB flash drive when the drive is inserted into a canister. If
the key material is not valid, the system logs an error. If the USB flash drive is unusable or has
failed, the system does not display it at all, so a drive that is absent from the output must also be
treated as a failed copy.
- Securely store all copies of the encryption key. For example, any USB flash drives that are
not left inserted in the system could be locked in a safe. Take comparable precautions to
protect any other copies of the encryption key that are stored on other forms of storage.
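The system only validates a copy when the drive is plugged back into a canister. Before a set of backup drives goes into the safe, it is useful to confirm offline that every copy is byte-identical to a known-good reference. The following POSIX shell script is an added example, not code from the original page or from the storage product; it assumes (hypothetically) that each copy is a single key file under a mounted directory, and the key file name `system.key` and the directory names are placeholders chosen here. The demonstration data at the bottom is constructed: three temporary directories stand in for mounted drives, and one copy is deliberately corrupted.

```shell
#!/bin/sh
# Added example: verify that every backup copy of an encryption key file is
# byte-identical to a reference copy before the drives are locked away.
# Assumptions (not from the page): the key is a single file, and each copy is
# reachable as a mounted directory (USB drive or other storage).

# SHA-256 digest of one file; uses sha256sum (GNU) or shasum (BSD/macOS).
key_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_key_copies REFERENCE_FILE KEYNAME DIR...
# Prints one line per copy (OK, MISMATCH or MISSING) and returns 0 only when
# every copy is present and matches the reference digest.
verify_key_copies() {
    ref="$1"; name="$2"; shift 2
    expected=$(key_digest "$ref")
    bad=0
    for dir in "$@"; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $dir"; bad=1; continue
        fi
        if [ "$(key_digest "$dir/$name")" = "$expected" ]; then
            echo "OK       $dir"
        else
            echo "MISMATCH $dir"; bad=1
        fi
    done
    return $bad
}

# Constructed demonstration data: three "drives" as temporary directories,
# with the third copy corrupted by appending bytes to it.
demo_dir=$(mktemp -d)
printf 'EXAMPLE-KEY-MATERIAL-0123456789\n' > "$demo_dir/reference.key"
for d in usb1 usb2 usb3; do
    mkdir "$demo_dir/$d"
    cp "$demo_dir/reference.key" "$demo_dir/$d/system.key"
done
printf 'corrupted' >> "$demo_dir/usb3/system.key"

verify_key_copies "$demo_dir/reference.key" system.key \
    "$demo_dir/usb1" "$demo_dir/usb2" "$demo_dir/usb3" \
    || echo "Do not store these copies: replace the failed drive and recopy"
rm -rf "$demo_dir"
```

In real use, replace the temporary directories with the mount points of the drives and the reference file with a copy that the system has already validated. A drive that reports MISMATCH or MISSING should be recopied from the system, not stored.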
While the system is enabling encryption, you are prompted to insert the USB
flash drives into the system. The system requires a minimum of three USB
flash drives for copying the encryption keys.
To enable
encryption, complete these steps:
- If you activated an encryption license and completed the system setup
wizard, click Enable Encryption and complete the wizard.
- If you chose to enable encryption later in the system setup wizard, you
can still enable encryption in the management GUI by selecting .
- Click Enable Encryption.
- On the Welcome panel, select USB flash
drives.
- In the wizard, you are prompted to insert the
required number of USB flash drives into the system.
The system requires a minimum of three USB flash drives for copying the
encryption keys. The system has two USB ports, one on each node canister.
Insert two USB flash drives into the system to begin the copy process. After the encryption key is
copied to the first two USB flash drives, the management GUI prompts you to remove them.
After you remove those flash drives, insert the last required flash drive into the system.
When the final copy completes, you can create any additional backup copies by repeating the
process: when the system detects a USB flash drive, the encryption key is automatically
copied to it. Ensure that you create any required extra copies for backups. You
can leave the USB flash drives inserted in the system; however, the area where the system is
located must be secure so that the key cannot be lost or stolen. If the area where the
system is located is not secure, remove all of the USB flash drives from the system and store
them securely.
- After all copies are completed, click Confirm.
- Create several backup copies of the key on either USB flash drives or other external storage
media and store them securely.