5 1 0:Saving Encryption Key Store for HPE StoreOnce Catalyst

From SEPsesam

Welcome to the latest SEP sesam documentation version 5.1.0 Apollon. For previous documentation version(s), check documentation archive.


The Hewlett Packard Enterprise (HPE) StoreOnce backup appliance allows you to configure additional Catalyst stores to be used for backup storage. When configuring Catalyst stores, you can enable StoreOnce encryption for each individual Catalyst store; once encryption is enabled, it cannot be disabled. For details on how to configure a Catalyst store, see Creating HPE StoreOnce Catalyst store.

StoreOnce encryption uses encryption keys. If you have enabled encryption during the Catalyst store creation, you must save your key store information to a file that can be retrieved, if needed. As encryption keys are written to a key store, you should back it up and store securely offsite to ensure that the key store is available if the original key store gets corrupted. Make sure to keep only the latest version of the key store.

Depending on your StoreOnce version, save your key store information as follows. For information about system requirements and supported configurations, see Support Matrix: SEP sesam integration with HPE StoreOnce Catalyst.

You have to copy the key store file to a local system immediately after it is created; this is especially important for StoreOnce 6500 and 6600 systems. Make sure to keep your key store file up to date when making changes to the StoreOnce configuration.

StoreOnce Management Console - Key Manager

Back up the local key store file with HPE StoreOnce 4.x.x as follows:

  1. In the HPE StoreOnce Management Console main menu, select Settings.
  2. In the Security section, click Key Manager panel. The Key Manager window opens.
  3. In the Actions menu, select Backup.
  4. In the Backup dialog, enter and confirm the password for the encrypted StoreOnce key store file.
    The key store backup file is encrypted with the password you specified and can only be restored by providing this password.
  5. The key store file is downloaded with a generated name, e.g. storeoncevsa-v4-lkm-store-2019-04-30.txt. It must be copied to a local system where it can be retrieved in case of an incident.

CLI command config save keystore

In the HPE StoreOnce 3.x.x version, you have to specify the config save keystore command, which saves the key store information to a file in the config directory that can be retrieved.


  1. Access StoreOnce CLI from an SSH terminal using an SSH client application. The CLI runs on the Management Console:
  2.  ssh <username>@<appliance_IP_address>
  3. Enter the following command as an administrator:
  4.   # config save keystore

    Output example:

     # config save keystore
     Enter password to encrypt keystore:
     Reenter password to confirm:
     Keystore Save Started
     Keystore Save Completed
     Enter command "config show list keystore" to see the saved keystores
     Command Successful
  5. Enter the password to encrypt the key store. This password is required to restore the key store to the device.
  6. Re-enter the password to confirm it.
  7. Saved configuration files (key stores) are located in the config directory with the .zip extension, which is accessible via SFTP.
  8. Once the key store file is created, retrieve it via SFTP and copy it to a safe location outside the backup system directory.
  9. To list all saved key stores, you can use the command:
  10.  # config show list keystore

    Output example:

     # config show list keystore
     Keystore files:    

For details on StoreOnce CLI commands used to obtain information about a StoreOnce appliance or to control appliance activity, see the HPE StoreOnce CLI Reference Guide.

See also

HPE StoreOnce ConfigurationHPE StoreOnce BackupHPE StoreOnce ReplicationBackup to HPE Cloud VolumesSupport Matrix: SEP sesam integration with HPE StoreOnce Catalyst

Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.