Handling backup and restore for securing data-at-rest

For additional security, the HPE Synergy Composer allows you to protect the appliance encryption key (AEK) using the secure data-at-rest option. When secure data-at-rest is disabled, the AEK is stored in the backup.
NOTE:

In this case, users must encrypt the backup file on their own. While it is not necessary to specify the key when restoring a backup, its inclusion in the backup file could present a security risk.
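One way to encrypt a downloaded backup file before it is stored or moved, shown as an added example that is not HPE tooling or an HPE procedure. It assumes OpenSSL 1.1.1 or later on the administrator's workstation; the function names, file names and passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example (assumptions: OpenSSL 1.1.1+, hypothetical file names).
# AES-256-CBC via "openssl enc" gives confidentiality only, not tamper
# detection, so keep the encrypted file on storage with integrity controls.

# encrypt_backup <backup-file> <passphrase-file>
# Writes <backup-file>.enc, confirms it decrypts back to the original,
# and only then deletes the plaintext copy. Prints the output path.
encrypt_backup() {
    src=$1
    passfile=$2
    out="$src.enc"

    [ -f "$src" ] && [ -f "$passfile" ] || { echo "missing input" >&2; return 1; }

    # The passphrase is read from a file so it never shows in the process list.
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$src" -out "$out" -pass "file:$passfile" || return 1

    # Round-trip check: the decrypted stream must hash to the same value.
    want=$(openssl dgst -sha256 -r "$src" | cut -d' ' -f1)
    got=$(openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$out" -pass "file:$passfile" | openssl dgst -sha256 -r | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        rm -f "$out"
        echo "verification failed, plaintext kept" >&2
        return 1
    fi

    rm -f "$src"
    chmod 600 "$out"
    echo "$out"
}

# decrypt_backup <encrypted-file> <passphrase-file> <output-file>
# Recovers the plaintext backup so it can be uploaded for a restore.
decrypt_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$3" -pass "file:$2"
}
```

Store the passphrase file separately from the encrypted backup, with the same care as a saved copy of the AEK.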

When secure data-at-rest is enabled, the AEK is not stored in the backup, for security reasons. The current AEK of the system is used to restore a backup. If, however, the system AEK has changed since the backup was taken, the Composer has been factory reset before the restore, or the target Composer is a different one, you must specify the copy of the AEK that was in effect when the backup was taken in order to restore the backup.

Additionally, you must consider the following:
  • A restore operation restores the secure data-at-rest option to its state at the time of backup. This means that after a backup is restored on the appliance, the appliance can automatically switch to a less secure or more secure mode, depending on whether secure data-at-rest was disabled or enabled when the backup was created.

  • An administrator can generate a new AEK (for example, when a saved copy is compromised). Therefore, the AEK in effect at the time of backup may not be the current key.

Following are the scenarios and the actions you must take when handling backup and restore for secure data-at-rest operations:
IMPORTANT:

Ensure that you take a backup before regenerating the AEK so that you can recover from possible errors encountered during the key generation process.

Scenario: A secure data-at-rest enabled backup is restored when secure data-at-rest is enabled. The current AEK matches the backup-time key.
Action: No action required.

Scenario: A secure data-at-rest enabled backup is restored when secure data-at-rest is enabled. The current AEK does not match the backup-time key.
Action: In response to the GUI or maintenance console prompt for the AEK of the backup, supply your saved copy of the key.

Scenario: A secure data-at-rest disabled backup is restored.
Action: The system is restored to the secure data-at-rest disabled state.

Scenario: A secure data-at-rest enabled backup is restored on a different, but compatible, appliance (which has a different AEK).
Action: In response to the GUI or maintenance console prompt for the AEK of the backup, supply your saved copy of the key.