Securing data-at-rest

HPE OneView encrypts sensitive data, such as managed device credentials, when it is stored on-disk in the appliance. The HPE OneView appliance encryption key (AEK) is used internally to encrypt the credentials for managed devices (such as, iLO, onboard administrator, frame link module). By default, the AEK is stored on the HPE Synergy Composer disk and also included in the appliance backup. This could pose a security risk in case the disk is stolen.

The secure data-at-rest option, when enabled, stores the AEK off-disk in Composer NVRAM, and does not include the key in the appliance backup. Enabling this option requires the administrator to save a copy of the AEK (recovery AEK) for use in the following circumstances:
  • When restoring a backup taken when a different AEK was in effect.

  • To successfully boot the system in the unlikely event that the system copy of the key is corrupted.

  • A backup is being restored to a different new Composer or to the same Composer that has been factory reset.

The administrator must store the recovery AEK in a secure location, where it can be only accessed by authorized personnel. In the rare circumstance where the key cannot be read from the Composer NVRAM or the key gets corrupted, the administrator must use the appliance maintenance console to upload the AEK recovery copy, based on the error resolution message displayed. In the rare circumstance where the Composer NVRAM itself becomes inaccessible, users can choose to disable secure-data-at-rest option until the hardware issue itself is resolved.

If the downloaded recovery key and the AEK stored in the Composer NVRAM are both lost, the appliance data cannot be recovered.

IMPORTANT:

The ability to store the recovery key in a secure location and making it available when required for recovery operation is a mandatory prerequisite before enabling secure data-at-rest option. If you have lost the key, regenerate a new AEK regenerate a new AEK.

NOTE:
  • By default, the secure data-at-rest option is disabled.
  • When secure data-at-rest option is disabled, a warning alert indicating that the appliance is in a lower security mode is displayed.
  • Factory reset of the Composer disables secure data-at-rest, storing the AEK on the Composer disk.
  • Ensure that you take a backup every time you enable or disable secure data-at-rest or when you regenerate or apply a new AEK.
  • When secure data-at-rest is disabled, the AEK is stored as part of the appliance backup. In this case, it is critical for your backup process to encrypt HPE OneView backups. For example, the remote backup server could employ whole-disk encryption or other backup server-specific encryption techniques.

More information:

"Generate a new appliance encryption key" in online help.