Set the system passphrase in DD using:
system passphrase set
Import the host certificate signed_host_cert.pem, generated earlier, into the Data Domain system using:
adminaccess certificate import host application ciphertrust file <host certificate file>
Import the CA certificate cacert.pem, generated earlier, into the Data Domain system:
adminaccess certificate import ca application ciphertrust file cacert.pem
Verify the certificates using:
adminaccess certificate show
Enable Encryption:
filesys encryption enable
Configure Key Manager as ciphertrust:
filesys encryption key-manager set server <IP Address> port 5696 key-class <key_class> kmip-user <kmip_user> server-type ciphertrust
Enable the key manager using:
filesys encryption key-manager enable
Verify that the key manager is enabled:
filesys encryption key-manager show
The current key-manager configuration is:
Key Manager:               Enabled
Server Type:               CipherTrust
Server:                    <serverip>
Port:                      5696
Status:                    Online
Key-class:                 <key_class>
KMIP-user:                 <kmip_user>
Key rotation period:       not-configured
Last key rotation date:    N/A
Next key rotation date:    N/A
Verify that the new key is activated:
filesys encryption keys show detailed
For example:
filesys encryption keys show detailed
Active Tier:
Key   Key                                                                State          Size        Key Manager   Min-Cid   Max-Cid
Id    MUID                                                                              post-comp   Type
---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
1     3d4                                                                Deactivated    0           DataDomain    759       1096
2     736FB25DF3E52F1D1086AB0AD36650F011FB4A59777A0611993E28F1E87A972A   Activated-RW   65.45 TiB   KeySecure     1097      -
---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
DDOS provides a CLI command to ensure a smooth transition from KeySecure to CipherTrust. The customer must first move the keys from one key manager server to the other before using this command to migrate on DD.
To migrate the keys on the DD side, issue the migrate command:
filesys encryption key-manager keys migrate source <> destination <>
For example:
filesys encryption key-manager keys migrate source keysecure destination ciphertrust
Migrating keys from keysecure to ciphertrust key manager.
Do you want to proceed? (yes|no) [no]: yes
Migrated keys to ciphertrust key manager.
To verify that the keys are migrated on DD, issue the following command and check the Key Manager Type field:
filesys encryption keys show detailed
For example:
Active Tier:
Key   Key                                                                State          Size        Key Manager   Min-Cid   Max-Cid
Id    MUID                                                                              post-comp   Type
---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
1     3d4                                                                Deactivated    0           DataDomain    759       1096
2     736FB25DF3E52F1D1086AB0AD36650F011FB4A59777A0611993E28F1E87A972A   Activated-RW   65.45 TiB   CipherTrust   1097      -
---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
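The verification step above can be scripted against saved output of filesys encryption keys show detailed. The following is an added example, not part of the original procedure or of any Dell tooling: it parses the key rows and reports any key still listed under the source key manager. The function names, the column spacing of the embedded samples, and the assumption that each key row is whitespace-separated as shown on this page are assumptions of the example.

```python
import re

# Constructed sample: "filesys encryption keys show detailed" output saved
# before the migration, using the key rows shown on this page.
SAMPLE_BEFORE = """\
Active Tier:
Key   Key    State          Size        Key Manager   Min-Cid   Max-Cid
Id    MUID                  post-comp   Type
---   ----   ------------   ---------   -----------   -------   -------
1     3d4    Deactivated    0           DataDomain    759       1096
2     736FB25DF3E52F1D1086AB0AD36650F011FB4A59777A0611993E28F1E87A972A   Activated-RW   65.45 TiB   KeySecure   1097   -
---   ----   ------------   ---------   -----------   -------   -------
"""
# Constructed sample: the same listing after a successful migration.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("KeySecure", "CipherTrust")

# One key row: id, MUID, state, size (may contain a space), type, min/max CID.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
FIELDS = ("id", "muid", "state", "size", "manager", "min_cid", "max_cid")


def parse_keys(output):
    """Return one dict per key row; header and rule lines are skipped."""
    rows = (ROW.match(line) for line in output.splitlines())
    return [dict(zip(FIELDS, m.groups())) for m in rows if m]


def not_migrated(output, source="KeySecure"):
    """Key ids whose Key Manager Type is still the source key manager."""
    return [int(k["id"]) for k in parse_keys(output)
            if k["manager"].lower() == source.lower()]


def active_key_manager(output):
    """Key Manager Type of the Activated-RW key, or None if there is none."""
    for k in parse_keys(output):
        if k["state"] == "Activated-RW":
            return k["manager"]
    return None


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, "unmigrated:", not_migrated(text),
              "active key manager:", active_key_manager(text))
```

An empty list from not_migrated together with CipherTrust as the active key manager matches the post-migration listing shown above; the deactivated DataDomain key keeps its type and is not flagged.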