Oracle® Key Manager 3 Disaster Recovery Reference Guide Release 3.0 E49726-01 |
Encryption is based on the science of cryptography and is one of the most effective ways to achieve data security today. To read an encrypted file, you must have access to the key that will enable you to decipher the file.
Disaster recovery (DR) is the set of processes, policies, and procedures that relate to preparing for the recovery or continuation of business-critical information for an organization after a natural or human-induced disaster.
Disaster recovery is a subset of a larger process known as business continuity planning (BCP) and should include replacing hardware, re-establishing networks, resuming applications, and restoring data.
A business continuity plan also includes non-IT related aspects such as key personnel, facilities, and communications to restore the reputation and continuity of the business.
The Oracle Key Manager (OKM) supplies a comprehensive key management platform solution designed to address the rapidly growing enterprise commitment to storage-based data encryption. Complying with open security standards, OKM provides the capacity, scalability, and interoperability to centrally manage encryption keys over widely distributed and heterogeneous storage infrastructures.
OKM is specifically designed to meet the unique challenges of storage key management including:
Long-term key retention – Securely retains encryption keys for the full data lifecycle, which can exceed a decade in length. For example, some sites have their key retention period set to over 50 years.
Interoperability – Provides the level of interoperability to support a diverse range of storage devices that can attach to both mainframe or open systems platforms under a single storage key management system.
High Availability – Provides high availability using active N-node clustering, dynamic load-balancing, and automated failover whether the appliances are together in the same room or distributed around the world.
High Capacity – Manages large numbers of storage devices and even more storage keys. A single clustered appliance pair can provide key management services for thousands of storage devices and millions of storage keys.
State-of-the-Technology – Supports StorageTek's T-Series, the Hewlett Packard (HP), and International Business Machines (IBM) LTOx encryption-capable tape drives.
This chapter provides a high-level overview of components, user roles, and the method for enabling and disabling encryption for recovery.
The architecture for the OKM encryption solution consists of:
Key Management Appliance (KMA) – A security-hardened, dual-core processor with Solaris 10 (for X2100 M2, X2200 M2, X4170 M2) and Solaris 11 (for Netra SPARC T4-1) operating system that delivers policy-based key management and key provisioning services.
Note: The KMAs can be installed with an SCA 6000 card, which is FIPS-compliant (see Footnote 1) at Level 3.
OKM Graphical User Interface (GUI) – A stand-alone application that users run on their own system, using either a Windows–based or Solaris–based platform.
OKM Cluster – A full set of KMAs in the system. All KMAs in a Cluster are aware of the other KMAs in the system and replicate this information (active/active).
This way, if any KMA should go down, encryption operations continue.
Agent (tape drive) – A device that performs encryption using keys managed by the KMA Cluster and OKM.
Note: With the KMS 2.1 or later OKM release and the latest tape drive firmware, the following drives are FIPS-compliant (see Footnote 1).
Footnote 1 FIPS = Federal Information Processing Standards are publicly announced standards and guidelines developed by the United States Federal government. Many FIPS standards are modified versions of standards used in the wider community (ANSI, NIST, IEEE, ISO, etc.).
Tape Drive | FIPS 140-2 Level |
---|---|
T10000A | 1 |
T10000B | 2 |
T10000C | 1 |
T10000D | 1 |
T9840D | 1 |
LTO4 (HP and IBM) | No plans for FIPS |
LTO5 (HP and IBM) | No plans for FIPS |
LTO6 (HP) | No plans for FIPS |
The FIPS levels of security for the above tape drives include Levels 1 and 2.
Level 1—The lowest level with production-grade requirements.
Level 2—Adds requirements for physical tamper evidence and role-based authentication. Built on a validated operating platform.
This selection provides a higher level of security for the KMAs and tape drives.
Data unit – Media, a data cartridge.
Key Groups – An organization for keys that associates them with a Key Policy.
Network connections – The Key Management System consists of two networks:
Management network: OKM GUI to KMAs.
Service network: KMAs to encryption agents.
These two networks isolate the storage devices from heavy corporate network traffic and improve the response time for key requests.
Figure 1-1 shows the rear panel and connections of a Netra SPARC T4-1 Key Management Appliance.
OKM defines and uses the following roles. Completing and assigning roles is a customer task; service representatives should only advise.
Role | Responsibilities |
---|---|
Security Officer | Manages security settings, users, sites, and Transfer Partners |
Compliance Officer | Manages key policies and Key Groups and determines which agents and Transfer Partners can use Key Groups |
Operator | Manages agents, data units, and keys |
Backup Operator | Performs backups |
Auditor | Views information about the OKM Cluster |
Quorum Member | Views and approves pending quorum operations |
Note: Each person or user may fulfill one or more of these roles. The KMA verifies that the requesting user has permission to execute an operation based on the role. Unavailable operations typically indicate the wrong role.
There are a number of basic operations a user/role can perform. Among these are: Create, Delete, Modify, and View.
Figure 1-2 shows an example of the User Detail screen.
Table 1-1 Tape Drive and Media Comparisons

Specification | T10K-A | T10K-B | T10K-C | T10K-D | T9840D | HP LTO4 | HP LTO5 | HP LTO6 | IBM LTO4 | IBM LTO5 | IBM LTO6 |
---|---|---|---|---|---|---|---|---|---|---|---|
Capacity (native) | 500 GB | 1 TB | 5 TB | 8 TB | 75 GB | 800 GB | 1.5 TB | 2.5 TB | 800 GB | 1.5 TB | 2.5 TB |
Transfer rate (native) | 120 MB/s | 120 MB/s | 252 MB/s | 252 MB/s | 30 MB/s | 120 MB/s | 140 MB/s | 160 MB/s | 120 MB/s | 140 MB/s | 160 MB/s |
Buffer size | 256 MB | 256 MB | 2 GB | 2 GB | 64 MB | 256 MB | 256 MB | 512 MB | 256 MB | 256 MB | 512 MB |
Load time (sec) | 16 | 16 | 13.1 | 13 | 8.5 | 19 | 12 | 22 | 15 | 12 | 12 |
Access (sec) | 46 | 46 | 57 | 50 | 8 | 72 | 60 | 50 | 46 | 60 | 96 |
Tape speed (m/s) | 2-4.95 | 2-3.74 | 5.62 | 4.75 | 3.4 | 7.0 | — | 7.12 | 7.0 | — | 6.8 |
Rewind time (sec) | 90 | 90 | 10-13 | 10-13 | 16/8 | 106/54 | 96/78 | 98/51 | 106/54 | 96/78 | 42 |
Unload time (sec) | 23 | 23 | 23 | 23 | 12 | 22 | 17 | 19 | 22 | 17 | 17 |
Interfaces | | | | | | | | | | | |
Fibre Channel | 2 & 4 Gb/s | 4 Gb/s | 4 Gb/s | 16 Gb/s | 4 Gb/s | 4 Gb/s | 8 Gb/s | 8 Gb/s | 4 Gb/s | 8 Gb/s | 8 Gb/s |
SCSI/SAS | n/a | n/a | n/a | n/a | n/a | Ultra-320 | n/a | 6 Gb/s | Ultra-320 | n/a | 6 Gb/s |
FICON / FCoE | 2 Gb/s | 2 Gb/s | 4 Gb/s | 8 Gb/s / 10 Gb/s | 2 Gb/s | n/a | n/a | n/a | n/a | n/a | n/a |
ESCON | no | no | no | no | 2 Gb/s | n/a | n/a | n/a | n/a | n/a | n/a |
Compatibility | | | | | | | | | | | |
Tracks | 768 | 1152 | 3,584 | 4,608 | 576 | 896 | 1,280 | 2,176 | 896 | 1,280 | 2,176 |
Usable length | 855 m (2805 ft) | 855 m (2805 ft) | 1,107 m (3,632 ft) | 1,107 m (3,632 ft) | 251 m (889 ft) | 820 m (2690 ft) | 850 m (2789 ft) | 846 m (2776 ft) | 820 m (2690 ft) | 850 m (2789 ft) | 846 m (2776 ft) |
VolSafe (WORM) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
Table 1-2 shows the media compatibilities for the T-Series (T10000 and T9840) drives:
Encryption-capable T-Series tape drives
Non-encryption T-Series tape drives

Table 1-2 T-Series Tape Drive Media Compatibilities

Task | Enrolled for Encryption | Not Enrolled for Encryption |
---|---|---|
Write new data encrypted | Yes | No |
Write new data not encrypted | No | Yes |
Read encrypted data with key available | Yes | No |
Read non-encrypted data | Yes | Yes |
Append non-encrypted data to encrypted tape | No | No |
Table 1-3 shows a comparison between the following:
Encryption-enabled and non-encrypted tape drives
Encrypted and non-encrypted media

Table 1-3 T-Series Tape Drive and Media Support

Tape Drive Types | Non-encrypted Media | Encrypted Media |
---|---|---|
Standard drive (non-encrypted) | | |
Encryption-capable drive | | |
Both HP and IBM LTO tape drives are:
Specified to interchange with un-encrypted data cartridges from other tape drives that comply with the LTO U-28, U-316, and U-416 specifications.
Capable of interchanging encrypted data cartridges provided the correct encryption key is available.
Future compatibility:
In the future, LTO drives will be capable of:
Reading and writing tapes from the current generation
Reading and writing tapes from one earlier generation
Reading tapes from two earlier generations
Note: Encryption is only supported with LTO4, LTO5, and LTO6 data cartridges on LTO4, LTO5, and LTO6 tape drives. To avoid problems, these drives will not write in normal or native modes once the drive is enabled for encryption.
The following are requirements that apply to encryption:
The T10000 tape drives must be at a minimum firmware level of 1.37.114.
The service representatives must install the Hardware Activation Keys for the tape drives, and have the required levels of the Virtual Operator Panel (VOP) available.
The customers, partners, and disaster recovery (DR) sites must use the current Customer version of the virtual operator panel (VOP) 1.0.12 or higher.
During the initial T-Series tape drive enrollment process, the customer has the chance to configure the tape drives as follows:

Option | Selection |
---|---|
Use Tokens, with an air gap configuration and KMS Version 1.x | Select: Yes if using KMS Version 1.x; No if using KMA Version 2.x or 3.x. |
Select if the drive can be switched between encryption and non-encryption modes | Select: Yes if permanent (cannot disable); No if switchable. |
Enter Agent values for the Key Management System | Enter the values for: Agent ID; Pass Phrase; OKM IP address of the appliance. |