5 1 0:Saving Encryption Key Store for HPE StoreOnce Catalyst
Overview
The Hewlett Packard Enterprise (HPE) StoreOnce backup appliance allows you to configure additional Catalyst stores to be used for backup storage. When configuring Catalyst stores, you can enable StoreOnce encryption for each individual Catalyst store; once encryption is enabled, it cannot be disabled. For details on how to configure a Catalyst store, see Creating HPE StoreOnce Catalyst store.
StoreOnce encryption uses encryption keys. If you have enabled encryption during the Catalyst store creation, you must save your key store information to a file that can be retrieved, if needed. As encryption keys are written to a key store, you should back it up and store it securely offsite to ensure that the key store is available if the original key store gets corrupted. Make sure to keep only the latest version of the key store.
Depending on your StoreOnce version, save your key store information as follows. For information about system requirements and supported configurations, see Support Matrix: SEP sesam integration with HPE StoreOnce Catalyst.
- In the StoreOnce 4.x.x version, use the StoreOnce Management Console -> Settings -> Key Manager to save your key store information.
- In the StoreOnce 3.x.x version, use the HPE StoreOnce CLI command config save keystore, which backs up and encrypts the key store so that it can be decrypted only by the HP StoreOnce backup system if needed.
Note: You have to copy the key store file to a local system immediately after it is created; this is especially important for StoreOnce 6500 and 6600 systems. Make sure to keep your key store file up to date when making changes to the StoreOnce configuration.
StoreOnce Management Console - Key Manager
Back up the local key store file with HPE StoreOnce 4.x.x as follows:
- In the HPE StoreOnce Management Console main menu, select Settings.
- In the Security section, click the Key Manager panel. The Key Manager window opens.
- In the Actions menu, select Backup.
- In the Backup dialog, enter and confirm the password for the encrypted StoreOnce key store file.
  Note: The key store backup file is encrypted with the password you specified and can only be restored by providing this password.
- The key store file is downloaded with a generated name, e.g. storeoncevsa-v4-lkm-store-2019-04-30.txt. It must be copied to a local system where it can be retrieved in case of an incident.
CLI command config save keystore
In the HPE StoreOnce 3.x.x version, you have to specify the config save keystore command, which saves the key store information to a file in the config directory that can be retrieved.
Steps
- Access StoreOnce CLI from an SSH terminal using an SSH client application. The CLI runs on the Management Console:
    ssh <username>@<appliance_IP_address>
- Enter the following command as an administrator:
    # config save keystore
- Enter the password to encrypt the key store. This password is required to restore the key store to the device.
- Re-enter the password to confirm it.
  Output example:
    # config save keystore
    Enter password to encrypt keystore:
    Reenter password to confirm:
    Keystore Save Started
    Keystore Save Completed
    Enter command "config show list keystore" to see the saved keystores
    Command Successful
- Saved configuration files (key stores) are located in the config directory with the .zip extension, which is accessible via SFTP.
- Once the key store file is created, retrieve it via SFTP and copy it to a safe location outside the backup system directory.
- To list all saved key stores, you can use the command:
    # config show list keystore
  Output example:
    # config show list keystore
    Keystore files:
    keystore_HPCZ32482R4R_2013-08-02T174433Z.kms
For details on StoreOnce CLI commands used to obtain information about a StoreOnce appliance or to control appliance activity, see the HPE StoreOnce CLI Reference Guide.
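The following shell functions are an added example, not part of the HPE or SEP sesam documentation. They cover the handling after the SFTP retrieval described in the steps above: picking the latest key store, copying it with owner-only permissions, and verifying the copy. The function names and directory arguments are hypothetical, and the file naming keystore_<serial>_<timestamp>.<ext> is assumed from the output example.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes key store files were already fetched
# via SFTP into a local directory and are named as in the output example above:
# keystore_<serial>_<YYYY-MM-DDTHHMMSSZ>.<ext>. Needs sha256sum and install.

# List key store files in directory $1 as "<timestamp> <path>", oldest first.
list_keystores() {
    for f in "$1"/keystore_*_*Z.*; do
        [ -f "$f" ] || continue
        case $f in *.sha256) continue ;; esac   # skip our own checksum files
        ts=${f##*/}; ts=${ts%.*}; ts=${ts##*_}  # isolate the timestamp field
        printf '%s %s\n' "$ts" "$f"
    done | LC_ALL=C sort
}

# Print the newest key store file in $1 (UTC timestamps sort lexically).
latest_keystore() {
    list_keystores "$1" | tail -n 1 | cut -d' ' -f2-
}

# Print every key store file in $1 except the newest, for review and removal.
superseded_keystores() {
    list_keystores "$1" | sed '$d' | cut -d' ' -f2-
}

# Copy the newest key store from $1 into $2 with owner-only permissions,
# verify the copy by SHA-256 and write a checksum file next to it.
# Prints the path of the stored copy; returns non-zero on failure.
store_keystore() {
    src=$(latest_keystore "$1")
    [ -n "$src" ] || { echo "no key store file found in $1" >&2; return 1; }
    dst="$2/${src##*/}"
    mkdir -p "$2" && chmod 700 "$2" || return 1
    install -m 600 "$src" "$dst" || return 1
    want=$(sha256sum < "$src" | cut -d' ' -f1)
    got=$(sha256sum < "$dst" | cut -d' ' -f1)
    [ "$want" = "$got" ] || { echo "checksum mismatch: $dst" >&2; return 1; }
    printf '%s  %s\n' "$got" "${dst##*/}" > "$dst.sha256"
    printf '%s\n' "$dst"
}
```

The checksum file only detects later corruption of the stored copy; the key store backup itself stays protected by the password entered when it was saved.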
See also
HPE StoreOnce Configuration – HPE StoreOnce Backup – HPE StoreOnce Replication – Backup to HPE Cloud Volumes – Support Matrix: SEP sesam integration with HPE StoreOnce Catalyst