8 Backups

What is a Core Security Backup?

The Core Security backup contains the primary security component of the OKM, the Root Key Material. This key material is generated when a cluster is initialized. The Root Key Material protects the Master Key, a symmetric key that protects the Data Unit Keys stored on the KMA.

The Core Security backup is protected with a key split scheme that requires a quorum of users defined in the Key Split Credentials. This quorum of users must provide their usernames and passphrases to unwrap the Root Key Material.

This security mechanism enables two operational states for the KMA: locked and unlocked. For more information, see "Lock/Unlock the KMA".

Core Security Best Practices:

Create the Core Security backup before the first Database Backup. It only needs to be repeated when the members of the Key Split (the quorum) change. This backup is handled and protected specially because it is required to restore any backup of the OKM.

As a best practice, keep two copies of this backup in two secure locations on portable media of the customer's choice, such as USB memory sticks or external hard drives. When a new Core Security backup is created and secured, destroy the old ones: any Core Security backup, however old, can still be used to restore any Database backup (see "Create a Core Security Backup").

What is a Database Backup?

A Database Backup consists of two files: a Backup file and a Backup Key file. These file names are generated automatically, but you can edit them. Backup Operators are responsible for securing and storing the backup files and their backup key files.

Each KMA creates 1000 keys (default) when it is created; this number may be changed during installation. Each KMA controls and assigns its own keys. After it issues 10 keys, the KMA creates 10 new keys to replenish its pool.

Keys are then replicated to all KMAs in the OKM.

Database Backups are encrypted with AES-256. A backup file on its own cannot be restored: restoring requires the matching backup key file and a Core Security backup (see "Restore a Backup"), so protect the backup key file and the Core Security backup with the same care as the backup file itself.

Things to consider:

  • Archive copies or do not archive copies. Old backups contain users, passwords, and other sensitive data you may not want to keep, and if you routinely delete keys for policy or compliance reasons, the deleted keys can be recovered from prior backups. If either applies, never archive old copies of the database: destroy them once a newer backup is secured (see "Destroy a Backup").

  • Make and archive two current database backups in case of backup media failure. Make them as two identical copies of the same backup file and backup key file, not as two separate backup runs. A key issued between two runs would make the two backups differ, whereas two copies of one backup are identical.

  • Because the calculation in Table 8-1 assumes that only one KMA is issuing keys (a 50 percent safety factor), either copy contains all of the active keys.

Example One: Database Backup — Multiple Sites in the OKM Cluster

  • Keys are protected against corruption or loss of a single KMA by replication to every KMA in the cluster.

  • Keys are protected against loss of a site by replication across the sites.

The customer should never need a total disaster recovery of the cluster because of the geographically separated data centers, so creating backups for this customer is not as critical as in Example Two. However, you should still create a Core Security backup, and then Database backups before all of the keys pre-created on a single KMA have been issued to Data Units.

Example Two: Database Backup — One Physical Site in an OKM Cluster

  • A localized disaster may destroy the entire OKM.

  • Database backups are the only protection for the keys.

Maintain offsite copies of the Core Security and Database backups. For bare minimum protection, use the following calculation to decide how often to take a Database backup.

Table 8-1 Database Backup Calculations

  1. Calculate how many tapes will initially be encrypted, using one key per tape.

  2. Calculate how many hours, days, or weeks it will take to issue the initially created keys. Note: each KMA creates 1000 keys (default) when it is created.

  3. Calculate how many tapes mounted will have an expired key encryption period (each of these is written with a new key).

  4. Add the counts from steps 1 and 3 together.

  5. Assume that only one KMA issues all of the keys, and back up the database before the initial keys are all issued. This provides a 50 percent safety factor in the calculation.

  6. Repeat this calculation as new tapes arrive and as encryption periods expire.
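The calculation in Table 8-1 carried through in Python, as an added example that is not code from the OKM documentation or from Oracle. It assumes, beyond what the page states, constant weekly rates of new tapes and of remounts whose key encryption period has expired, one key issued per tape, and the default pool of 1000 pre-created keys per KMA; the workload numbers are constructed for illustration.

```python
"""Table 8-1 (Database Backup Calculations) carried through in code.

Added example, not code from the OKM documentation or from Oracle. Assumptions
not stated on the page: constant weekly rates of new tapes and of expired-key
remounts, one key per tape, and the default 1000-key pool per KMA. The
workload numbers under __main__ are constructed.
"""
import math
from dataclasses import dataclass

DEFAULT_POOL_SIZE = 1000  # keys each KMA creates at initialization (OKM default)


@dataclass(frozen=True)
class TapeWorkload:
    new_tapes_per_week: float          # step 1, expressed as a weekly rate
    expired_remounts_per_week: float   # step 3: mounts that receive a fresh key


def keys_issued_per_week(w: TapeWorkload) -> float:
    """Step 4: new tapes plus expired-key remounts, one key each."""
    if w.new_tapes_per_week < 0 or w.expired_remounts_per_week < 0:
        raise ValueError("rates must be non-negative")
    return w.new_tapes_per_week + w.expired_remounts_per_week


def weeks_until_backup_due(w: TapeWorkload,
                           pool_size: int = DEFAULT_POOL_SIZE) -> int:
    """Steps 2 and 5: last whole week by which the next database backup must exist.

    A backup contains only the keys that exist when it is taken, so it covers
    the pre-created pool of each KMA. Planning as if a single KMA issues every
    key gives the earliest deadline; in a two-KMA cluster that really shares
    the load the pool lasts twice as long, which is the 50 percent safety
    factor the table refers to.
    """
    rate = keys_issued_per_week(w)
    if rate == 0:
        raise ValueError("no keys are issued; nothing to schedule")
    return math.floor(pool_size / rate)


def actual_coverage_weeks(w: TapeWorkload, kma_count: int,
                          pool_size: int = DEFAULT_POOL_SIZE) -> int:
    """How long one backup really covers if kma_count KMAs issue keys equally."""
    return math.floor(kma_count * pool_size / keys_issued_per_week(w))


def backup_schedule(w: TapeWorkload, horizon_weeks: int,
                    pool_size: int = DEFAULT_POOL_SIZE) -> list[int]:
    """Step 6: repeat the calculation; weeks (from week 0) at which to back up."""
    interval = weeks_until_backup_due(w, pool_size)
    if interval < 1:
        raise ValueError("pool is issued in under a week; recompute in days")
    return list(range(0, horizon_weeks, interval))


if __name__ == "__main__":
    workload = TapeWorkload(new_tapes_per_week=100, expired_remounts_per_week=25)
    print("keys issued per week:", keys_issued_per_week(workload))
    print("backup due within (weeks):", weeks_until_backup_due(workload))
    print("real coverage with 2 KMAs (weeks):", actual_coverage_weeks(workload, 2))
    print("backup weeks over a 30-week horizon:", backup_schedule(workload, 30))
```

The deadline is deliberately the single-KMA figure; the `actual_coverage_weeks` value only shows how much margin that assumption buys and should not be used as the schedule.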


View Backup File Information

Available to:
All roles

Procedures:
In the left navigation tree, expand Secure Information Management, and then select Backup List. See "Filtering Lists" to filter the list.

To view details for a specific backup, highlight the backup in the list, and then click Details...

Backup List - Field Descriptions 

  • Backup ID — A system-generated unique identifier for each backup file.

  • KMA ID — The KMA for which the backup file was generated.

  • Created Date — Displays the date when the backup was created.

  • Destroyed Date — Displays the date that the backup file was marked as being manually destroyed.

  • Destruction Status — Indicates whether the backup has been destroyed. Possible values are:

    • NONE — The backup file has not been destroyed and does not contain data unit keys that have been destroyed.

    • PENDING — The backup file has not yet been manually destroyed and contains copies of data unit keys that have been destroyed.

    • DESTROYED — The backup file has been manually destroyed.

  • Destruction Comment — User-supplied comment on the backup's destruction.
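A check for the PENDING state described above, as an added example that is not code from the OKM documentation. It assumes simplified backup and key records, constructed here, and that a backup contains every data unit key that exists in the cluster at the moment it is taken (created on or before the backup date and not yet destroyed); the actual backup file format is not described on this page.

```python
"""Derive the Backup List's Destruction Status from key and backup records.

Added example, not code from the OKM documentation. Assumptions not on the
page: a backup holds every data unit key that exists cluster-wide when it is
taken, i.e. created on or before the backup date and not yet destroyed. All
records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DataUnitKey:
    key_id: str
    created: date
    destroyed: Optional[date] = None   # date the key was destroyed in OKM


@dataclass(frozen=True)
class BackupRecord:
    backup_id: str
    kma_id: str
    created: date
    destroyed: Optional[date] = None   # date the file was marked manually destroyed


def keys_captured_by(backup: BackupRecord, keys: list) -> list:
    """Keys that existed when the backup was taken (assumed to be in the file)."""
    return [k for k in keys
            if k.created <= backup.created
            and (k.destroyed is None or k.destroyed > backup.created)]


def destruction_status(backup: BackupRecord, keys: list) -> str:
    """NONE / PENDING / DESTROYED as defined in the Backup List field descriptions."""
    if backup.destroyed is not None:
        return "DESTROYED"
    if any(k.destroyed is not None for k in keys_captured_by(backup, keys)):
        return "PENDING"   # still holds copies of keys destroyed after it was taken
    return "NONE"


def backups_holding_destroyed_keys(backups: list, keys: list) -> dict:
    """Map each PENDING backup to the destroyed key IDs it still contains."""
    result = {}
    for b in backups:
        held = [k.key_id for k in keys_captured_by(b, keys) if k.destroyed is not None]
        if b.destroyed is None and held:
            result[b.backup_id] = held
    return result


# Constructed sample records.
SAMPLE_KEYS = [
    DataUnitKey("K-1", date(2023, 1, 1), destroyed=date(2023, 3, 1)),
    DataUnitKey("K-2", date(2023, 1, 15)),
    DataUnitKey("K-3", date(2023, 4, 1)),
]
SAMPLE_BACKUPS = [
    BackupRecord("B-1", "KMA-1", date(2023, 2, 1)),
    BackupRecord("B-2", "KMA-1", date(2023, 3, 15)),
    BackupRecord("B-3", "KMA-2", date(2023, 2, 10), destroyed=date(2023, 3, 5)),
]

if __name__ == "__main__":
    for b in SAMPLE_BACKUPS:
        print(b.backup_id, destruction_status(b, SAMPLE_KEYS))
    print(backups_holding_destroyed_keys(SAMPLE_BACKUPS, SAMPLE_KEYS))
```

A DESTROYED status records only that an operator confirmed destruction (see "Destroy a Backup"); OKM cannot verify that every physical copy of the backup file and backup key file is gone, so the PENDING list is the work queue, not proof of completion.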

Create a Core Security Backup

You can back up Core Security Key material and download it to a file on the local system. After modifying the Key Split Credentials, you must create a new core security backup. You must back up Core Security Key material before creating a backup ("Create a Database Backup").

Caution:

Carefully protect core security backup files. Any Core Security backup file can be used with any backup file/backup key file pair, therefore even old Core Security backup files remain useful.

See Also:
"What is a Core Security Backup?"

Available to:
Security Officer

Procedures: 

  1. In the left navigation menu, expand Security, then expand Core Security, and then select Backup Core Security.

  2. OKM generates the backup file name automatically. Edit the name, if desired.

    To change the destination path, click Browse.

  3. Click Start.

  4. When the backup completes, click Close.

Create a Database Backup

At any given time, there is only one backup file and one restore file on a KMA. Use the following procedure to create a backup file and a backup key file.

Keep the OKM backups at a site far enough away that a single building fire cannot destroy both the cluster and its backups. Choose the distance with natural disasters in mind as well.

Available to:
Backup Operator

Procedures: 

  1. The Security Officer must back up Core Security Key material before you can create a backup. See "Create a Core Security Backup".

  2. From the Backups menu, select Backup List. Click Create Backup.

  3. OKM automatically generates the file names. Modify the names, if desired.

  4. Click Browse to select a destination path.

  5. Click Start.

  6. When the backup completes, click Close.

Restore a Backup

You can upload and restore a backup file and backup key file to the KMA. A restore from backup is only required if all KMAs in the cluster have failed, such as if a site is destroyed by fire.

Note:

Restoring the OKM from a backup requires a Quorum. The Backup Operator creates and maintains backups and the Security Officer restores them. Make sure the required number of Quorum users are available.

Available to:
Security Officer (requires a quorum)

Procedures: 

  1. Before performing this procedure, ensure that you have completed "Restore a Cluster from a Backup".

  2. In the left navigation tree, expand Secure Information Management, and then select Backup List. Click Restore...

  3. Select a backup key file and backup file. These must match, that is, they must have been created together by the same backup operation.

  4. Select a core security backup. This can be older or newer than the backup key file and backup file. You can use any Core Security backup file with any backup key file and backup file.

  5. Click Start.

  6. After the upload process completes, within the Key Split Quorum Authentication dialog, the quorum must type their usernames and passphrases to authenticate the operation. See "Key Split Quorum Authentication" for more information.

  7. When the restore completes, click Close.

  8. Network settings are not restored. Update the IP address settings for the KMA. Refer to "Set the KMA Management IP Addresses" and "Set the KMA Service IP Addresses".

Destroy a Backup

Available to:
Compliance Officer (view only)
Backup Operator

Procedures: 

  1. Before proceeding, ensure that you have destroyed all copies of the corresponding backup key file.

  2. From the Backups menu, select Backup List.

  3. Select a backup, and then click Confirm Destruction.

  4. If you are certain that all copies of the corresponding backup key file have been manually destroyed, click Destroy.