4.4.3 Beefalo: Saving Encryption Key Store for HPE StoreOnce Catalyst
The Hewlett Packard Enterprise (HPE) StoreOnce backup appliance allows you to configure additional Catalyst stores to be used for backup storage. When configuring Catalyst stores, you can enable StoreOnce encryption for each individual Catalyst store; once the encryption is enabled, it cannot be disabled. For details on how to configure a Catalyst store, see Creating HPE StoreOnce Catalyst store.
StoreOnce encryption uses encryption keys. If you have enabled encryption during the Catalyst store creation, you must save your key store information to a file that can be retrieved, if needed. As encryption keys are written to a key store, you should back it up and store the backup securely offsite, thus ensuring that the key store is available in case the original key store gets corrupted. Make sure to keep only the latest version of the key store.
Depending on your StoreOnce version, save your key store information as follows:
- In the StoreOnce 4.x.x version, use the StoreOnce Management Console -> Settings -> Key Manager to save your key store information.
- In the StoreOnce 3.x.x version, use the HPE StoreOnce CLI command config save keystore, which backs up the key store and encrypts it, thus ensuring that it can only be decrypted by the HP StoreOnce backup system if required.
Note: You have to copy the key store file to a local system immediately after creation; this is especially important for StoreOnce 6500 and 6600 Systems. Make sure that you keep your key store file updated in case of any changes in the StoreOnce configuration.
StoreOnce Management Console - Key Manager
Back up the local key store file with HPE StoreOnce 4.x.x as follows:
- In the HPE StoreOnce Management Console main menu, select Settings.
- In the Security section, click the Key Manager panel. The Key Manager window opens.
- In the Actions menu, select Backup.
- In the Backup dialog, enter and confirm the password for the encrypted StoreOnce key store file.
Note: The key store backup file is encrypted with the password that you have specified and can only be restored by providing this password.
- The key store file is downloaded with a generated name, e.g. storeoncevsa-v4-lkm-store-2019-04-30.txt. It must be copied to a local system where it can be retrieved in the event of an incident.
CLI command config save keystore
In the HPE StoreOnce 3.x.x version, use the config save keystore command, which saves the key store information to a retrievable file in the config directory.
- Access the StoreOnce CLI from an SSH terminal using an SSH client application. The CLI runs on the Management Console:
- Enter the following command as an administrator:
  # config save keystore
  Enter password to encrypt keystore:
  Reenter password to confirm:
  Keystore Save Started
  Keystore Save Completed
  Enter command "config show list keystore" to see the saved keystores
  Command Successful
- Enter the password to encrypt the key store. This password is required for restoring the key store to the device.
- Re-enter the password to confirm it.
- Saved configuration files (key stores) are located in the config directory, which is accessible through SFTP, and have the .zip extension.
- Once the key store file is created, fetch it via SFTP and copy it to a safe place outside of the backup system directory.
- Optionally, to list all saved key stores, use the command:
  # config show list keystore
  Keystore files:
  keystore_HPCZ32482R4R_2013-08-02T174433Z.kms
For details on StoreOnce CLI commands used to obtain information about a StoreOnce appliance or to control appliance activity, see HPE StoreOnce CLI Reference Guide.
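The page advises copying the key store off the appliance and keeping only the latest version. The Python below is an added example, not HPE or SEP code: it keeps the newest non-empty key store per appliance serial in a local archive directory, records its SHA-256, and removes older copies. It assumes the fetched files keep the keystore_<serial>_<timestamp>.kms naming shown in the sample listing; the archive directory and the function names are hypothetical.

```python
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Naming assumed from the sample listing: keystore_<serial>_<UTC timestamp>.kms
NAME_RE = re.compile(r"^keystore_([A-Za-z0-9]+)_(\d{4}-\d{2}-\d{2}T\d{6}Z)\.kms$")

def parse_name(name):
    """Return (serial, datetime) for a key store file name, else None."""
    m = NAME_RE.match(name)
    try:
        return (m[1], datetime.strptime(m[2], "%Y-%m-%dT%H%M%SZ")) if m else None
    except ValueError:  # digits in the right shape but not a real date/time
        return None

def prune_to_latest(archive_dir, dry_run=True):
    """Keep the newest non-empty key store per serial.

    Returns (kept, stale): kept maps serial -> (file name, SHA-256 hex digest),
    stale lists the older file names (deleted only when dry_run is False).
    """
    by_serial = {}
    for path in Path(archive_dir).iterdir():
        parsed = parse_name(path.name)
        # A zero-byte file (interrupted transfer) must never displace a good copy.
        if parsed and path.is_file() and path.stat().st_size > 0:
            by_serial.setdefault(parsed[0], []).append((parsed[1], path))
    kept, stale = {}, []
    for serial, items in by_serial.items():
        items.sort(key=lambda item: item[0])
        newest = items[-1][1]
        kept[serial] = (newest.name, hashlib.sha256(newest.read_bytes()).hexdigest())
        for _, old in items[:-1]:
            stale.append(old.name)
            if not dry_run:
                old.unlink()
    return kept, sorted(stale)

def demo():
    """Run on constructed sample files (placeholder bytes, not real key stores)."""
    samples = [("keystore_HPCZ32482R4R_2013-08-02T174433Z.kms", b"old"),
               ("keystore_HPCZ32482R4R_2013-09-15T091500Z.kms", b"new"),
               ("keystore_HPCZ32482R4R_2013-10-01T000000Z.kms", b""),
               ("notes.txt", b"unrelated")]
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples:
            (Path(d) / name).write_bytes(data)
        return prune_to_latest(d, dry_run=False), sorted(p.name for p in Path(d).iterdir())
```

Files with unrecognised names and empty downloads are left in place for manual review rather than deleted.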