EMC® VNX® Series Security Configuration Guide for VNX

Data at Rest Encryption overview

Data at Rest Encryption (D@RE) is provided through controller-based encryption (CBE) at a physical disk drive level. A unique data encryption key (DEK) is generated for each drive and is used to encrypt data as it is sent to the drive. The goal of this feature is to ensure that all customer data and identifying information will be encrypted with strong encryption, primarily to ensure security in the event of loss of a disk drive.

NOTE: Some unencrypted data could be in the system partition (for example, hostnames, IP addresses, dumps, and so on). In addition, small amounts of unencrypted user data may be present as a result of writing diagnostic materials to the system partition. All data written to the array by using regular I/O protocols (iSCSI, FC) is encrypted. Anything that comes into the array by using the control path is not encrypted by this solution; however, sensitive information (for example, passwords) is encrypted by a different mechanism (as it is on non-encrypting arrays).

For new VNX systems that are ordered with the D@RE feature, encryption should be enabled on the systems during manufacturing. Verify whether D@RE has been enabled and activated. To view the status of the D@RE feature in Unisphere, select System and, from the task list under System Management, select System Properties. The status of the encryption appears on the Encryption tab in the Storage System Properties view. If Encryption Mode appears as N/A, you need to perform a non-disruptive upgrade (NDU) of the DataAtRestEncryption enabler and activate it. If Encryption Mode appears as Unencrypted, you only need to activate it using either Unisphere or the VNX for block CLI.

NOTE: Once activated, the encryption operation cannot be reverted. When possible, enable encryption before populating the system with data, RAID groups, and so on. Doing so avoids the data-in-place upgrade process and its effects on system cache and system performance.

For VNX systems that do not have D@RE enabled, enabling of encryption on the system requires a non-disruptive upgrade (NDU) of the DataAtRestEncryption enabler. This upgrade can be done upon request. A subsequent activate operation must be initiated through either Unisphere or the VNX for block CLI.

A new component, referred to as the VNX Key Management Server, is responsible for generating, storing, and otherwise managing the encryption keys for the system. The keystore that is generated to store the encryption keys resides on a managed LUN in private space on the system. Keys are generated or deleted in response to notifications that a RAID group or disk drive has been added or removed, respectively.

Changes to the configuration of the system that result in changes to the keystore generate alerts that recommend key backups be created. When an operation that changes the keystore occurs, an alert appears and persists until the keystore has been retrieved from the system for backup. Back up the keystore by using either the Unisphere UI or a VNX for block CLI command.

In the event that the keystore becomes corrupted, the system will be nonfunctional. The system enters a degraded state in which only the operating system boots. In this state, attempts to access the system through Unisphere return an error indicating that the keystore is in an inaccessible state. In this case, a service engagement is required for resolution.

A separate auditing function is provided for general key operations; it tracks all key establishment, deletion, backup, and restore changes as well as SLIC addition.
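The following is an added, constructed model of the key-management behaviour described in the preceding paragraphs; it is not Dell EMC code and does not reflect the internal design of the VNX Key Management Server. It shows one DEK generated per drive, keys created and deleted on drive add/remove notifications, a backup alert that persists until the keystore is retrieved, a backup/restore round trip, and an audit trail of key operations. The class name, drive identifiers, and the HMAC-SHA256 keystream used in place of the controller's disk cipher are all assumptions made for illustration.

```python
"""Constructed model of controller-based Data at Rest Encryption key management.

Illustrative only: not Dell EMC code. The per-sector cipher used by a real
controller is replaced by a per-drive HMAC-SHA256 keystream so the example runs
without third-party libraries.
"""
import hashlib
import hmac
import json
import os
from base64 import b64decode, b64encode


class KeyManagementServer:
    """Toy stand-in for the VNX Key Management Server (hypothetical name)."""

    def __init__(self):
        self.keystore = {}          # drive id -> 32-byte DEK (on the array: a private LUN)
        self.backup_needed = False  # models the alert that persists until a backup is taken
        self.audit_log = []         # models the separate key-operation audit function

    def _audit(self, event, subject):
        self.audit_log.append({"event": event, "subject": subject})

    def drive_added(self, drive_id):
        """Notification that a drive joined a RAID group: generate a unique DEK for it."""
        if drive_id in self.keystore:
            raise ValueError(f"{drive_id} already has a key")
        self.keystore[drive_id] = os.urandom(32)
        self.backup_needed = True
        self._audit("key_established", drive_id)

    def drive_removed(self, drive_id):
        """Notification that a drive left: delete its DEK, so its contents stay unreadable."""
        del self.keystore[drive_id]
        self.backup_needed = True
        self._audit("key_deleted", drive_id)

    def backup_keystore(self):
        """Export the keystore; retrieving it for backup is what clears the alert."""
        blob = json.dumps({d: b64encode(k).decode() for d, k in self.keystore.items()})
        self.backup_needed = False
        self._audit("keystore_backup", f"{len(self.keystore)} keys")
        return blob

    def restore_keystore(self, blob):
        """Load a previously exported keystore, for example on a replacement system."""
        self.keystore = {d: b64decode(k) for d, k in json.loads(blob).items()}
        self.backup_needed = False
        self._audit("keystore_restore", f"{len(self.keystore)} keys")

    @staticmethod
    def _keystream(key, length):
        # Counter-mode keystream from HMAC-SHA256: a stand-in for the controller's cipher.
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def transform(self, drive_id, data):
        """Encrypt or decrypt a block of data bound for the given drive (XOR is symmetric).

        A KeyError here models a keystore that is missing or inaccessible: without the
        drive's DEK the data cannot be recovered.
        """
        key = self.keystore[drive_id]
        return bytes(a ^ b for a, b in zip(data, self._keystream(key, len(data))))


def demo():
    """Walk through add, write, backup, remove, and restore on constructed drive ids."""
    kms = KeyManagementServer()
    kms.drive_added("0_0_3")
    ciphertext = kms.transform("0_0_3", b"customer data")
    blob = kms.backup_keystore()          # clears the backup alert
    kms.drive_removed("0_0_3")            # key deleted; data on the pulled drive is dark
    replacement = KeyManagementServer()
    replacement.restore_keystore(blob)    # restored keystore can still read the data
    return replacement.transform("0_0_3", ciphertext)


if __name__ == "__main__":
    print(demo())
```

Two points the model makes concrete: a drive's data is tied to its own DEK, so data on a drive that has been removed (and its key deleted) cannot be read even by another drive's key, and a lost keystore leaves ciphertext that cannot be recovered, which is why the persistent backup alert matters.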

For additional information about the Data at Rest Encryption feature, refer to the EMC VNX2: Data at Rest Encryption white paper.
