External key manager (Dell PowerScale OneFS: Security Considerations)
PowerScale OneFS 9.2 and later releases support an external key manager by storing the 256-bit universal key (UK) in a key management interoperability protocol (KMIP)-compliant key manager server. The configuration steps in this section apply to brownfield and greenfield clusters with SEDs. Although the configuration in this section explains how to migrate keys to an external key manager, OneFS also supports a reverse migration.
To store the UK on a KMIP server, PowerScale requires the following:
Note: When configuring the external key manager, make sure that each PowerScale node in the cluster can communicate with the KMIP server using an interface in a statically assigned network pool to unlock the drives during the node boot process. If the KMIP server is unavailable or if network connectivity is not available, the node’s drives remain in a locked state.
PowerScale OneFS has tested and confirmed KMIP compatibility as listed in the table below.
| KMIP vendor | OneFS version tested |
| --- | --- |
| Thales KeySecure | OneFS 9.3.0.0 |
| Thales e-Security keyAuthority | OneFS 9.3.0.0 |
| IBM Secure Key Lifecycle Manager (SKLM) | OneFS 9.1.0.0 |
| CloudLink Center | OneFS 9.5.0.0 |
| Thales CipherTrust Data Security Platform | OneFS 9.7.0.0 |
Note: The OneFS version tested is provided as a data point; it does not imply that the KMIP vendor is incompatible with a more recent OneFS release.
Note: PowerScale OneFS uses the Dell Key Trust Platform as the client for establishing connectivity to the KMIP server. Other KMIP platforms compatible with the Dell Key Trust Platform should also be compatible with OneFS. Also, PowerScale OneFS should be compatible with KMIP platforms that meet the previously outlined requirements.
After you meet the previous requirements, to configure the external key manager, perform the following steps:
For the server certificate bundle, the order begins with the server certificate and ends with the root, including any intermediates in between but excluding the KMIP server certificate. Each certificate must certify the one preceding it. For example, a certificate bundle could be in the following format:
The client certificate bundle consists of the X.509 certificate followed by the private key. Optionally, the private key in the client certificate bundle may be encrypted and password protected. If the private key is encrypted, make a note of the password for use in later steps.
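The following is an added pre-flight check, not Dell's code or part of OneFS, that inspects the two PEM bundles described above before they are uploaded: it confirms the server bundle holds only certificates, that the client bundle is one certificate followed by its private key, and whether that key is encrypted (so the operator knows a password will be needed). It only reads PEM block labels; the sample bundle bodies are constructed placeholders, and signature-level chain order still has to be checked with a TLS toolkit.

```python
# Added example (not Dell's or OneFS's own code): structural lint for the
# server (CA) bundle and client bundle that OneFS expects for a KMIP server.
import re

# One PEM block: the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_labels(bundle: str) -> list:
    """Labels of the PEM blocks in the order they appear in the bundle."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]


def key_is_encrypted(bundle: str) -> bool:
    """PKCS#8 encrypted keys carry their own label; legacy PEM keys a Proc-Type header."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in bundle
            or "Proc-Type: 4,ENCRYPTED" in bundle)


def check_server_bundle(bundle: str) -> list:
    """Server bundle: certificates only (intermediates through root), no key material."""
    labels = pem_labels(bundle)
    problems = []
    if not labels:
        problems.append("no PEM blocks found")
    if any(label in KEY_LABELS for label in labels):
        problems.append("private key present in server bundle")
    if any(label != "CERTIFICATE" and label not in KEY_LABELS for label in labels):
        problems.append("unexpected PEM block type")
    return problems


def check_client_bundle(bundle: str) -> dict:
    """Client bundle: exactly one certificate followed by its private key."""
    labels = pem_labels(bundle)
    problems = []
    if len(labels) != 2 or labels[0] != "CERTIFICATE" or labels[1] not in KEY_LABELS:
        problems.append("expected CERTIFICATE then private key, got %r" % (labels,))
    # needs_password tells the operator whether --set-client-cert-password applies.
    return {"problems": problems, "needs_password": key_is_encrypted(bundle)}


# Constructed sample bundles: the base64 bodies are placeholders, not real material.
CLIENT_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFplaceholder\n-----END ENCRYPTED PRIVATE KEY-----\n"
)
SERVER_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIICintermediate\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIICroot\n-----END CERTIFICATE-----\n"
)
```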
isi keymanager kmip servers create
Alternatively, in the CLI, use the --host, --id, --ca-cert-path, --client-cert-path, and --set-client-cert-password options.
Alternatively, in the CLI, run the isi keymanager sed migrate server command.