Source:Saving Encryption Key Store for HPE StoreOnce Catalyst

WORK IN PROGRESS
This article is in the initial stage and may be updated, replaced or deleted at any time. It is inappropriate to use this document as reference material as it is a work in progress and should be treated as such.

Copyright © SEP AG 1999-2024. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Welcome to the latest SEP sesam documentation version 4.4.3 Beefalo. For previous documentation version(s), check SEP sesam Archive.


Overview

The Hewlett Packard Enterprise (HPE) StoreOnce backup appliance allows you to configure additional Catalyst stores to be used for backup storage. When configuring Catalyst stores, you can enable StoreOnce encryption for each individual Catalyst store; once the encryption is enabled, it cannot be disabled. For details on how to configure a Catalyst store, see Creating HPE StoreOnce Catalyst store.

StoreOnce encryption uses encryption keys. If you have enabled encryption during the Catalyst store creation, you must save your key store information to a file that can be retrieved if needed. As encryption keys are written to a key store, you should back it up and save it securely offsite, thus ensuring that the key store is available in case the original key store gets corrupted. Make sure to keep only the latest version of the key store.

Depending on your StoreOnce version, save your key store information as follows:

Note
You have to copy the key store file to a local system immediately after creation; this is especially important for StoreOnce 6500 and 6600 Systems. Make sure that you keep your key store file updated in case of any changes in the StoreOnce configuration.

StoreOnce Management Console - Key Manager

Back up the local key store file with HPE StoreOnce 4.x.x as follows:

  1. In the HPE StoreOnce Management Console main menu, select Settings.
  2. In the Security section, click the Key Manager panel. The Key Manager window opens.
  3. In the Actions menu, select Backup.
  4. In the Backup dialog, enter and confirm the password for the encrypted StoreOnce key store file.
    Note
    The key store backup file is encrypted with the password that you have specified and can only be restored by providing this password.
  5. The key store file is downloaded with a generated name, e.g. 'storeoncevsa-v4-lkm-store-2019-04-30.txt'. It must be copied to a local system where it can be retrieved in the event of an incident.

CLI command config save keystore

In the HPE StoreOnce 3.x.x version, you have to specify the config save keystore command, which saves the key store information to a file in the config directory that can be retrieved.

Steps

  1. Access the StoreOnce CLI from an SSH terminal using an SSH client application. The CLI runs on the management console:
      ssh <username>@<appliance_IP_address>
  2. Enter the following command as an administrator:
      # config save keystore
    Output example:
      # config save keystore
      Enter password to encrypt keystore:
      Reenter password to confirm:
      Keystore Save Started
      Keystore Save Completed
      Enter command "config show list keystore" to see the saved keystores
      Command Successful
  3. Enter the password to encrypt the key store. This password is required for restoring the key store to the device.
  4. Re-enter the password to confirm it.
  5. Saved configuration files (key stores) are located in the config directory with the .zip extension, which is accessible through SFTP.
  6. Once the key store file is created, fetch it via SFTP and copy it to a safe place outside of the backup system directory.
  7. Optionally, to list all saved key stores use the command:
      # config show list keystore
    Output example:
      # config show list keystore
      Keystore files:
      keystore_HPCZ32482R4R_2013-08-02T174433Z.kms
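
The shell functions below are an added example, not part of the SEP sesam or HPE documentation. They show one way to handle the fetched key store on the local system: keep only the latest file, restrict its permissions, and record a checksum that can be checked before a restore. They assume the files have already been fetched via SFTP into a local directory, follow the name pattern from the output example above (keystore_<serial>_<timestamp>.kms), and that sha256sum is available; the function names and the keystore.sha256 file name are hypothetical.

```shell
#!/bin/sh
# Added example: local handling of fetched StoreOnce key store backups.
# Assumption: names follow keystore_<serial>_<UTC timestamp>.kms, as in the
# "config show list keystore" output example, so the third "_" field sorts
# chronologically as plain text.

# Print the name of the newest key store file in directory $1 (empty if none).
latest_keystore() {
    ls "$1" 2>/dev/null \
        | grep -E '^keystore_[A-Za-z0-9]+_[0-9TZ-]+\.kms$' \
        | LC_ALL=C sort -t_ -k3,3 \
        | tail -n 1
}

# Keep only the newest key store in $1: restrict access to the owner, record
# its SHA-256 in keystore.sha256, delete older copies. Prints the kept name.
secure_latest_keystore() {
    dir=$1
    newest=$(latest_keystore "$dir")
    [ -n "$newest" ] || { echo "no key store file in $dir" >&2; return 1; }
    # An empty file usually means an interrupted transfer: refuse to prune.
    [ -s "$dir/$newest" ] || { echo "$newest is empty, fetch it again" >&2; return 1; }
    chmod 700 "$dir" && chmod 600 "$dir/$newest" || return 1
    ( cd "$dir" && sha256sum "$newest" > keystore.sha256 ) || return 1
    for f in "$dir"/keystore_*.kms; do
        [ "$(basename "$f")" = "$newest" ] || rm -f -- "$f"
    done
    echo "$newest"
}

# Check the kept file against the recorded checksum, e.g. before a restore.
# Returns non-zero if the file is missing or its content has changed.
verify_keystore() {
    ( cd "$1" && sha256sum -c keystore.sha256 >/dev/null 2>&1 )
}
```

The checksum only detects corruption or accidental change of the local copy; the file can still be restored only with the password entered when the key store was saved.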

For details on StoreOnce CLI commands used to obtain information about a StoreOnce appliance or to control appliance activity, see HPE StoreOnce CLI Reference Guide.