D@RE is enabled on a PowerMax system at system installation/initialization. Once the PowerMax system has been properly sized, D@RE can be enabled in the BIN file, either by Dell Manufacturing or onsite prior to installation.
Note: If a currently installed system is being upgraded, the Dell account team must submit a Request for Product Qualification (RPQ).
Installation with embedded key manager
Installation with an embedded key manager occurs as follows:
- Once the PowerMax system is at the site, Dell field personnel begin the installation process.
- The installation script automatically installs the KTP software on the primary CS.
- The Dell KTP server generates AKs for each drive that is installed in the system.
- PowerMaxOS generates an entry in the PowerMax audit log for every key generation event.
- The Dell KTP encrypts the keys and stores them in the local encrypted key repository file as nonvolatile copies.
- The Dell KTP client wraps each AK, and PowerMaxOS stores all the keys on the system as encrypted, persistent backup copies.
- PowerMaxOS initializes the SEDs. Any user data written to the drive media is encrypted using the DEK, which is internal to the drive.
Migrating to external key manager
Existing D@RE-enabled systems can be migrated from embedded key management to an external key manager as follows:
- Dell personnel start the key migration script. Dell field personnel or the customer provides the IP address, port number, certificate authentication information, and application registration name.
- The migration script performs the following:
  - Verifies the supplied server configuration information.
  - Verifies that the external key manager is correctly configured.
  - Moves the AKs from the embedded key store to the external key manager.
  - Backs up the KTP client configuration details to the system for use during a CS replacement or during a PowerMaxOS nondisruptive upgrade.
  - Populates the PowerMax audit log with D@RE security events pertaining to the migration.