manualshive.com logo in svg

Spectra Logic BlueScale Encryption, Руководство пользователя, Страница: 22 / 133

Поделиться
Скачать
Spectra Logic BlueScale Encryption Скачать руководство пользователя страница 22

2.  Encryption Architecture & Strategies

22

Site Security Example: High Security Site

Description of organization: Enterprise organization.

Security 
Considerations

Security goals

Protecting all stored data.

Encryption principals

IT senior staff, chief operating officer, chief security officer, chief technology officer.

Data to encrypt

All.

Level of security to 
implement

• BlueScale Professional Edition, with multiple keys
• Secure Initialization Mode: After library power is turned on, encryption user must 

enter password to enable partitions dedicated to encryption

• Multi-user mode, with three encryption passwords.

Data sets requiring 
isolation

Each data set is separately keyed, as defined by the department generating data.

Key escrow method

Store key copies with two remote corporate legal counsel offices and also with a 
paid, trusted third-party escrow service.

Copies of each key to 
store, and the stored 
key locations

Keep three copies of each key: one to the main office of corporate legal counsel, two 
to the key escrow service.

Key rotation plan

Create a new key every month for each partition dedicated to encryption.

Tracking key monikers 
and passwords

Send to the key escrow service an encrypted file with encryption access passwords 
and superuser passwords. Send to corporate legal office a list of passwords used to 
export keys. Files with this data cannot be created or stored on a networked 
computer; delete file or files from computer once data is transmitted securely.

Multiple encryption 
teams (optional)

Senior IT admin, chief operating officer, chief security officer, chief technology 
officer.

Schedule and run drills

Quarterly evaluation and review, in conjunction with wider corporate security plan.

Passwords

• Passwords to access encryption features: minimum of 15 characters, including at 

least one number and one letter

• Password to export and import encryption keys: minimum of 40 characters, 

including at least one number and one letter

Содержание BlueScale Encryption

Страница 1: ...BlueScale Encryption User Guide PN 90940012 Revision E...

Страница 2: ...fort including lack of negligence is with you Also there is no warranty against interference with your enjoyment of the Software or against infringement If you have received any warranties regarding t...

Страница 3: ...6 Site Security Example Low Security Site 20 Site Security Example Medium Security Site 21 Site Security Example High Security Site 22 Before You Begin Installation 23 Summary Mandatory Security Proce...

Страница 4: ...eleting a Key 40 Restoring Data 40 Chapter 5 Using Professional Edition in Spectra T950 and T120 Libraries Using Encryption 45 Professional Edition Overview 46 Configuring Encryption 47 Creating an En...

Страница 5: ...Media Recycling 80 Best Practices 81 Chapter 8 Using Standard Edition in Spectra T50 Libraries Using Encryption 85 Restoring Data 94 Recycling Encrypted Media 98 Chapter 9 Using Professional Edition...

Страница 6: ...Overview 124 Requirements 124 Decrypting Data EDU Command Line 125 Using EDU to Decrypt Data One Drive 126 Using EDU to Decrypt Data Two Drives 128 Restoring Data 129 Chapter 12 Technical Support Spe...

Страница 7: ...ew on page 10 reviews both encryption best practices and information on using BlueScale Encryption and key management on your site and includes a short glossary Spectra T950 and T120 BlueScale Encrypt...

Страница 8: ...ion The library s release notes provide the most up to date information about the library drives and media The most up to date versions of all library documentation are available on Spectra Logic s We...

Страница 9: ...ollowing items are included with the purchase of BlueScale Encryption One encryption activation key One software support agreement This user guide One t shirt If you ordered the Endura Decryption Util...

Страница 10: ...BlueScale Encryption Overview...

Страница 11: ...oftware through the library s graphical interface The interface displays using the library s touch screen front panel Library Controller LC It also displays from anywhere through the Web using a Web b...

Страница 12: ...sword Easier to manage and track Choice of either one encryption password or three More secure with the option of requiring multiple users to export and import keys etc Key Export and Import Import an...

Страница 13: ...security to protect data wherever it s stored and regardless of the retention period BlueScale Encryption Professional Edition works well For information about configuring and using BlueScale Profess...

Страница 14: ...ed together or if it must be isolated into sets For example your site may store financial data as one set separate from consumer identity information If all data can be encrypted together the library...

Страница 15: ...pt data encrypted using an LTO 4 drive use a partition with drive based encryption Only one encryption key is allowed per LTO 4 tape Once you stop using that key you can no longer directly encrypt dat...

Страница 16: ...site who are responsible for backing up data They will be responsible for encrypting data written to tape and to other portable media such as mobile RXT Media packs Identify The person to have superu...

Страница 17: ...is encrypted prior to export Best practices dictate that you make copies of the key immediately following the key s creation Identify the number of copies to make of each key and note the location of...

Страница 18: ...e encrypt it and store it in an alternate location You will also need to investigate the incident involving compromised data and take appropriate actions if identity related data may have been exposed...

Страница 19: ...y Password Lets you import and export encryption keys This feature is only available after the superuser has logged in and the encryption password has been entered Optionally in Professional Edition y...

Страница 20: ...r one with the company president one in a corporate safety deposit box Key rotation plan Create a new key every six months Tracking key monikers and passwords On a non networked computer that supports...

Страница 21: ...crow method Store key copies with corporate legal counsel and a paid trusted third party escrow service Number of copies of each key to store and locations Keep three copies of each key store one with...

Страница 22: ...key to store and the stored key locations Keep three copies of each key one to the main office of corporate legal counsel two to the key escrow service Key rotation plan Create a new key every month f...

Страница 23: ...running the utility then use EDU to decrypt data from the encrypted tape and write the decrypted data back to tape If you have only one tape drive make sure that the Linux host has enough available di...

Страница 24: ...n successfully stored prior to removing a key from the library Store keys in a location apart from the location used to store the data encrypted using one of the keys Create a list of every password a...

Страница 25: ...t you create Key Moniker _______________________ Detailed Information Number of key copies ______ and location of each copy 1 2 3 Password s associated with exported copy of the moniker Location of da...

Страница 26: ...Spectra T950 and T120 BlueScale Encryption...

Страница 27: ...r RLC 1 Make sure that you have the appropriate library hardware installed A QIP that supports encryption such as the G3 or G5 F QIP or An LTO 4 tape drive is installed and LTO 4 media loaded or Both...

Страница 28: ...yption with a BlueScale Encryption key To activate encryption for the Spectra T950 and T120 libraries 1 Log in as superuser and then select Configuration System The System Setup screen displays 2 To e...

Страница 29: ...ion features the following steps are required for every session that is every time a user logs in using the library front panel or every instance of running the RLC through a Web browser A user with s...

Страница 30: ...oring data is also transparent If the encryption key required to decrypt the data is not on the library the library displays the moniker of the key to import Restoring Data on page 40 contains informa...

Страница 31: ...cked up to partitions that support encryption without entering an encryption password Secure Initialization Mode When the library is powered on during startup partitions dedicated to encryption are no...

Страница 32: ...e numbers 0 9 lower and upper case alphabetic characters a z and A Z and the at sign dash underscore _ and colon characters 4 Re enter the password in the Retype Password field then select OK The Encr...

Страница 33: ...reference the key Note that the real key value never displays and that administrators don t ever need to specify the real key value in order to encrypt data or manage keys The moniker helps to protec...

Страница 34: ...ng the key and storing it safely that is away from the data encrypted using the key is extremely important to data decryption and recovery This is covered in Protecting Keys on page 37 Because the key...

Страница 35: ...ional option Enable Clear File at BOT Choose this option if you want to enable all drives to be able to read the headers of encrypted tapes which is a useful option for sites with a large number of ta...

Страница 36: ...t QIP based Encryption Also if you want readable that is non encrypted data at the beginning of the tape also select Enable Clear File at BOT or Select Drive based Encryption or If the data written th...

Страница 37: ...ort them Protect your keys by making sure that copies of the keys reside elsewhere Two methods are available for key export copying the encrypted key to a USB device and emailing an encrypted version...

Страница 38: ...USB or Email Exported Key If you select Export Single File to USB plug a USB device into the USB library port see the library documentation for information about the location of this port Then select...

Страница 39: ...lete all data from the USB device so that no trace of the failed key attachment remains then use another USB device and start again with Step 2 above If you exported the key using email Confirm the re...

Страница 40: ...plays 3 Confirm that at least one copy of the key has been exported and stored safely 4 Select Delete Key and respond to the confirmation screens to delete the key Restoring Data Restoring encrypted d...

Страница 41: ...he key the key and the command line encryption utility described in Chapter 11 Endura Decryption Utility along with a Linux computer to run the utility To restore data 1 Load the tape to be decrypted...

Страница 42: ...ays 3 Insert the USB device into the library s USB port 4 Select Import Key The Import Key Selection screen displays 5 Choose the key to import from the Key List field then select Next The Import Pass...

Страница 43: ...uter To import a key using the RLC 1 Log in as a superuser then select Security Encryption The Encryption User Login screen displays 2 Enter the encryption password then select OK The Encryption Confi...

Страница 44: ...cate and select the key then select Open The path for the key displays in the Encryption Key File field 6 Select Next The Import Password screen displays 7 Enter the password that was used to encrypt...

Страница 45: ...and that has been assigned an encryption key Encryption during backup is transparent it happens automatically Restoring data is also transparent If the encryption key required to decrypt the data is n...

Страница 46: ...the moniker of the key it needs to decrypt and restore the data For example a single tape or RXT pack may contain data encrypted using multiple keys that is during Week 1 the data is encrypted with Ke...

Страница 47: ...ryption Accessing Encryption Features To access encryption features 1 Log in as a superuser then select Security Encryption The Encryption User Login screen displays 2 Select OK No login or password i...

Страница 48: ...on password to access all encryption features Multi User Mode Requires three unique encryption passwords Once you have set up the three passwords use them as follows Enter any one of the three to perm...

Страница 49: ...brary is powered on data can be backed up to partitions that support encryption without entering an encryption password Secure Initialization Mode When the library is powered on partitions dedicated t...

Страница 50: ...using any combination of the numbers 0 9 lower and upper case alphabetic characters a z and A Z and the at sign dash underscore and colon characters _ 6 Enter each password again in the Retype Passwo...

Страница 51: ...racters This name references the key The real key value never displays and administrators don t need to specify the real key value to encrypt data or manage keys The moniker protects encrypted data by...

Страница 52: ...afekeeping If the key is lost data cannot be recovered so copying the key and storing it safely is extremely important to data decryption and recovery Because the key identified by its moniker isn t y...

Страница 53: ...reen No encryption QIP based encryption LTO 4 drive based encryption Partitions with encryption enabled QIPs offer additional options Enable Compression and Enable Clear File at BOT Choose compression...

Страница 54: ...ociate a different encryption key with a partition you must first scratch tapes encrypted with the previous key to re use them Refer to Chapter 6 Recycling Encrypted LTO 4 Media in Spectra T950 and T1...

Страница 55: ...key to use to encrypt data Only one key can be assigned as the active encryption key 3 From the list of keys at the bottom of the screen select none one or more keys to be associated with this partiti...

Страница 56: ...n this example the key Bob is used as the active primary encryption key for both Partition 1 and Partition 2 The key Jeff is kept available for rapid data decryption for data restored using library pa...

Страница 57: ...the three encryption passwords option so that two of three different passwords must be entered to access export and import key functions Review Configuring Encryption Features on page 48 for informat...

Страница 58: ...n split into shares can only be imported using USB devices they cannot be uploaded through the RLC To restore data that has been sent through email copy the attachment to a USB device Building on this...

Страница 59: ...The Encryption User Login screen displays 2 Enter the encryption password then select OK The Encryption Configuration screen displays 3 Select Export Key If you selected multi user mode and supplied o...

Страница 60: ...ser first create the email recipient see the library s user guide Select Next Export M of N Shares to USB A screen displays that asks you to select the minimum shares required to restore the encrypted...

Страница 61: ...of the failed key attachment remains then start again with Step 2 of this procedure If you selected the option to split the key across M of N shares on multiple USB devices eject the USB device after...

Страница 62: ...the key Without it you cannot import the key and the data encrypted using the key is lost Caution Track where you have stored the key or who received an email message with the key in conformance with...

Страница 63: ...it Endura Decryption Utility EDU is an optional safeguard providing a method that lets you restore data without a library Review information about the command line encryption utility in Chapter 11 En...

Страница 64: ...key into the library s USB port The Import Key Selection screen displays Note You must use a USB device to import a key if it has been split into M of N shares If attachments with the shares of the e...

Страница 65: ...do so you must be able to access the key from your computer To import a key using the RLC 1 Log in as a superuser then select Security Encryption The Encryption User Login screen displays 2 Enter the...

Страница 66: ...and select the key and select Open The path for the key displays in the Encryption Key File field 6 Select Next The Import Password screen displays 7 Enter the password that was used to encrypt the ke...

Страница 67: ...ity Encryption The Encryption User Login screen displays 3 Enter the password then select OK The Encryption Configuration screen displays 4 Export at least one copy of the key you will be deleting or...

Страница 68: ...rite the encrypted data to re use the tape until you recycle the tape through BlueScale Encryption This option is available on the Import Export screen that displays only in partitions using drive bas...

Страница 69: ...Recycling Encrypted LTO 4 Media in Spectra T950 and T120 Libraries 69 3 Select the partition with the media from the Partition drop down list then select Next The Select Media to Recycle screen displa...

Страница 70: ...Available Media list enter a partial or entire bar code in the Find by Barcode field and select Find The list displays media with bar codes that match the values that you entered 5 Select Next The Se...

Страница 71: ...Spectra T50 BlueScale Encryption...

Страница 72: ...BlueScale 10 0 if it is not already installed Check with SpectraGuard Support to see if further upgrades to this firmware should be installed for your library Encryption is handled through the LTO 4...

Страница 73: ...ast one LTO 4 tape drive installed and LTO 4 media loaded you can activate the encryption option with a BlueScale Encryption key To activate BlueScale encryption 1 Have the option key s on hand 2 Log...

Страница 74: ...screen displays 5 Enter the activation key then select Save 6 Enter your activation key in the Enter Key field 7 Select Save The LC goes through a short series of progress screens then refreshes to a...

Страница 75: ...eatures the following steps are required for every session that is every time a user logs in using the library front panel or every instance of running the RLC through a Web browser A user with superu...

Страница 76: ...Encryption in Spectra T50 Libraries 76 Encryption Icon Use the encryption icon displayed by selecting the Security menu to access library encryption features such as encryption configuration and key...

Страница 77: ...The table below provides a brief comparison between the two versions of BlueScale Encryption Feature Standard Edition Professional Edition Keys Single encryption key on a library at a time Easier to m...

Страница 78: ...rd is entered Multiple Encryption Password Support To access the Standard Edition of BlueScale Encryption create and use a single encryption password To access the Professional Edition of BlueScale En...

Страница 79: ...a key for each additional partition and enter the key to activate the partition Further note that the T50 permits only one partition per drive Users with Professional Edition typically set up multipl...

Страница 80: ...features after configuration complete the following steps Make sure a user with superuser privileges logs in and selects Security Encryption The Encryption User Login screen displays Have a user who...

Страница 81: ...y will be responsible for encrypting data written to tape and to other portable media Identify The person to have superuser privileges on the Spectra Logic library with BlueScale Encryption The person...

Страница 82: ...fy the number of copies to make of each key and note the location of each key copy Consider storing multiple copies of keys that you then track carefully storing the copies away from the data encrypte...

Страница 83: ...a Decryption Utility for information on EDU If you are using Professional Edition you may want to take advantage of the M of N shares option This lets you select the M of N such as 2 of 3 option to sp...

Страница 84: ...key you ve lost both your key and all data encrypted using the key To emphasize if you lose the key your data is unrecoverable You need to balance the number of copies of the key to store to guarantee...

Страница 85: ...oring data is also transparent If the encryption key required to decrypt the data is not on the library the library displays the moniker of the key to import Restoring Data on page 94 contains informa...

Страница 86: ...make sure that Enable Secure Initialization is not selected Secure Initialization Mode When the library is powered on during startup partitions dedicated to encryption are not available so backups sen...

Страница 87: ...displays 2 Enter a name in the Moniker field that has not been used for any other encryption key and that uses any combination of alphanumeric characters and the at sign dash and underscore _ characte...

Страница 88: ...lso because BlueScale Standard Edition only supports using one key the Import Key and Add Key selections no longer display If you delete the key they display again Important Notes on Creating Password...

Страница 89: ...he tapes that are loaded Only one encryption key is allowed per tape If you replace the encryption key for a partition you must first scratch tapes encrypted with the previous key to re use them Refer...

Страница 90: ...t copying the encrypted key to a USB device and emailing an encrypted version of the key as an attachment to a user who has been configured as a mail user through the library Best practices recommend...

Страница 91: ...to USB or Email Exported Key If you select Export Single File to USB plug a USB device into the USB library port see the library s user guide for information about the location of this port If you sel...

Страница 92: ...g Check Key Files If you are not sure delete all data from the USB device so that no trace of the failed key attachment remains then use another USB device and start again with Step 2 above If you exp...

Страница 93: ...TO 4 tape To use a tape encrypted with a deleted encryption key you must first scratch the tape through BlueScale Encryption This procedure is described in Recycling Encrypted Media on page 98 To dele...

Страница 94: ...ary If you choose to purchase the command line encryption utility review information in Chapter 11 Endura Decryption Utility Restoring Data if Required Key is Available If the right key isn t availabl...

Страница 95: ...ter the encryption password then select OK The Encryption Configuration screen displays 3 Insert the USB device into the library s USB port 4 Select Import Key The Import Key Selection screen displays...

Страница 96: ...hen select Security Encryption The Encryption User Login screen displays 2 Enter the encryption password then select OK The Encryption Configuration screen displays showing Import Key and Add Key 3 Se...

Страница 97: ...e path for the key displays in the Encryption Key File field 6 Select Next The Import Password screen displays 7 Enter the password that was used to encrypt the key when it was being exported then sel...

Страница 98: ...h the tape through BlueScale Encryption Note that this option is available on the Import Export screen that displays only in partitions using encryption To recycle encrypted media 1 From the toolbar m...

Страница 99: ...To add other tapes to recycle Select Add Tape The Select Tapes screen displays Repeat Step 4 to add the tape Repeat the entire procedure to add further tapes To delete tapes from the list of tapes to...

Страница 100: ...ave selected all of the tapes that you want to recycle The Select Drive screen displays 7 Choose the drive that you want to use to scratch the media then select Next The Summary screen displays 8 Veri...

Страница 101: ...page 115 contains information about data restoration Professional Edition Overview Professional Edition supports multiple keys on the library simultaneously Each partition that is enabled for encrypti...

Страница 102: ...required the first time you log in The Encryption Configuration screen displays 3 Select Configure The Encryption Users screen displays 4 Select either Single User Mode Requires the creation of one en...

Страница 103: ...ional Edition in Spectra T50 Libraries 103 5 Select Next The Encryption Settings screen displays Note If you selected Single User Mode only one set of New Encryption User Password and Retype Password...

Страница 104: ...is powered on during startup partitions dedicated to encryption are not available so backups sent to them cannot run To initialize the encryption partitions someone must log in as a superuser then en...

Страница 105: ...hat you will use to reference the key Note Note that the real key value never displays and that administrators don t ever need to specify the real key value in order to encrypt data or manage keys The...

Страница 106: ...te a copy of the key for safekeeping If the key is lost data cannot be recovered so promptly copying the key and storing it safely that is away from the data encrypted using the key is extremely impor...

Страница 107: ...tion configuration wizard The Encryption screen for partition configuration lets you enable encryption for the partition and associate keys with it It only displays if the encryption password has been...

Страница 108: ...llow the procedure in Displaying the Partition Configuration Encryption Screen on page 107 to display the Encryption screen 2 Select Enable Encryption 3 If you have more than one encryption key select...

Страница 109: ...rotecting Keys Protect encryption keys by Making copies of every key through Key Export Storing the keys in a secure location Tracking the location of the keys and the passwords required to import the...

Страница 110: ...that number M required to access the encrypted key file protected using this method For your site select one of these as your M of N shares For example if you choose 2 of 3 then the encrypted key alr...

Страница 111: ...ce or both before deleting the key from your system You may want to make two copies of a key storing each in a secure location Note the location of these keys so that you can easily find the key when...

Страница 112: ...one encryption password a prompt asks you to enter another password Enter it then select Next The Export Type screen displays Otherwise the Export Type screen immediately displays 4 Select either an...

Страница 113: ...e library s user guide Select Next The Export Password screen displays Export M of N Shares to USB A screen displays that asks you to select the minimum shares required to restore the encrypted key al...

Страница 114: ...evices eject the USB device after a share has been written to it and at every prompt insert another USB device After the shares have been written insert each USB device into the library one by one and...

Страница 115: ...a Decryption Utility EDU is an optional safeguard providing a method that lets you restore data without a library Review information about the command line encryption utility in Chapter 11 Endura Decr...

Страница 116: ...Selection screen displays If you selected multi user mode and only one encryption password has been supplied a prompt asks you to enter another password Enter it then select Next 5 Choose the key to...

Страница 117: ...r Login screen displays 2 Enter the encryption password then select OK The Encryption Configuration screen displays 3 Select Import Key The Encryption Key Files Source screen displays Note that this s...

Страница 118: ...a Key Only one key is allowed per LTO 4 tape To use a tape encrypted with a deleted encryption key you must first scratch the tape through BlueScale Encryption This procedure is described in Recyclin...

Страница 119: ...associated with each tape storing encrypted data Once the encrypted data is written to a tape the drive won t overwrite the encrypted data to re use the tape until you recycle the tape through BlueSc...

Страница 120: ...he information for the selected partition displayed If you only have one partition the drop down menu does not appear on this screen 3 Select Recycle The Select Tapes screen displays 4 Select a tape t...

Страница 121: ...rocedure as many times as necessary to add even more tapes To delete tapes from the list of tapes to recycle proceed to Deleting Tapes from the List below 4 Proceed to Finishing the Tape Recycling on...

Страница 122: ...tape recycling 1 When the list shows all of the tapes you want to recycle select Next in the Tapes to Recycle screen The Select Drive screen displays 2 Choose the drive to scratch the media then selec...

Страница 123: ...EDU and BlueScale Encryption Support...

Страница 124: ...with the backup software used to back up the data Requirements To decrypt data assemble the following Tapes with encrypted data Tape s to hold decrypted data optional but recommended The key or keys...

Страница 125: ...ed to write the data to tape Decrypting Data EDU Command Line Review the command line arguments for EDU Arguments edu i drive_w_encryptape o drive_w_blank_tape n number of keys i dev nst0 indicating t...

Страница 126: ...he maximum data capacity of the tape to be decrypted or if you know the amount of data on the tape the equivalent amount of disk space For LTO 4 make sure tmp has 800 GB of space free 4 Log in as a us...

Страница 127: ...ays along with a request for the password Type it in then press Enter 3 The system then prompts for the full path and file name of the key Type it in then press Enter 4 The system begins copying the d...

Страница 128: ...ring the encrypted data Note EDU restores data that has been encrypted through the Spectra library using QIP based encryption 4 Insert the write protected tape into a drive Note the device name this e...

Страница 129: ...e of the key then press Enter 3 The system begins decrypting data and writing it to the empty tape Messages display as the data is decrypted The system indicates when the decryption is complete 4 Remo...

Страница 130: ...ironment is rapidly evolving New features developed for BlueScale Encryption will be made available for locations with BlueScale encryption support Troubleshooting We will help you deal with encryptio...

Страница 131: ...ustralia and New Zealand Phone Email 1 303 449 6400 sales spectralogic com Europe Africa and Middle East Phone Email 44 0 870 112 2150 eurosales spectralogic com United States and Canada Phone Email 1...

Страница 132: ...ommand line utility edu 125 configuring encryption BlueScale Encryption Professional Edition 102 BlueScale Encryption Standard Edition 85 contacting Spectra Logic sales 2 131 creating an encryption ke...

Страница 133: ...L library software license 2 license library software 2 LTO 4 drives encryption support 15 LTO 4 media recycling 15 M media recycling 68 98 119 122 M of N shares 110 moniker definition of 23 monikers...

Отзывы:

Нет отзывов