Data Domain: Configuring the CipherTrust Server in a Data Domain System

Summary: Steps for setting up CipherTrust as the key manager in a Data Domain system.

Instructions

  1. Set the system passphrase on the DD with:

    system passphrase set
  2. Import the previously generated host certificate, signed_host_cert.pem, into the Data Domain system with:

    adminaccess certificate import host application ciphertrust file <host certificate file>
  3. Import the previously generated CA certificate, cacert.pem, into the Data Domain system:

    adminaccess certificate import ca application ciphertrust file cacert.pem
  4. Verify the certificates with:

    adminaccess certificates show
  5. Enable encryption:

    filesys encryption enable
  6. Set the key manager to ciphertrust:

    filesys encryption key-manager set server <IP Address> port 5696 key-class <key_class> kmip-user <kmip_user> server-type ciphertrust
  7. Enable the key manager with:

    filesys encryption key-manager enable
  8. Confirm that the key manager is enabled:

    filesys encryption key-manager show
    The current key-manager configuration is:
          Key Manager: Enabled
          Server Type: CipherTrust
          Server: <serverip>
          Port: 5696
          Status: Online
          Key-class: <key_class>
          KMIP-user: <kmip_user>
          Key rotation period: not-configured
          Last key rotation date: N/A
          Next key rotation date: N/A
  9. Verify that the new key has been activated.

    filesys encryption keys show detailed

    For example:

    filesys encryption keys show detailed
    Active Tier:
    Key   Key                                                                State          Size        Key Manager   Min-Cid   Max-Cid
    Id    MUID                                                                              post-comp   Type
    ---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
    1     3d4                                                                Deactivated    0           DataDomain    759       1096
    2     736FB25DF3E52F1D1086AB0AD36650F011FB4A59777A0611993E28F1E87A972A   Activated-RW   65.45 TiB   KeySecure     1097      -
    ---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
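  10. DDOS provides a CLI command to ensure a smooth transition from KeySecure to CipherTrust. The customer must first move the keys from one key manager server to the other key manager server, and then use this CLI command to migrate them on the DD.

    To migrate the keys on the DD side, issue the migrate CLI command: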

    filesys encryption key-manager keys migrate source <> destination <>

    For example:

    filesys encryption key-manager keys migrate source keysecure destination ciphertrust
    Migrating keys from keysecure to ciphertrust key manager.
    Do you want to proceed? (yes|no) [no]: yes
    Migrated keys to ciphertrust key manager.
  11. To confirm that the keys were migrated on the DD, issue the following command and check the Key Manager Type column.

    filesys encryption keys show detailed

    For example:

    Active Tier:
    Key   Key                                                                State          Size        Key Manager   Min-Cid   Max-Cid
    Id    MUID                                                                              post-comp   Type
    ---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
    1     3d4                                                                Deactivated    0           DataDomain    759       1096
    2     736FB25DF3E52F1D1086AB0AD36650F011FB4A59777A0611993E28F1E87A972A   Activated-RW   65.45 TiB   CipherTrust   1097      -
    ---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
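
The check in steps 9 and 11 can be scripted against captured CLI output. The following is an added example, not Dell's code: it parses `filesys encryption keys show detailed` output and reports any key still attributed to the source key manager. The function names, and the assumption that table cells are separated by two or more spaces, are this example's own; the sample text is the step 11 output above.

```python
import re

FIELDS = ("id", "muid", "state", "size", "key_manager", "min_cid", "max_cid")

# Output of `filesys encryption keys show detailed`, taken from step 11 above.
SAMPLE = """\
Active Tier:
Key   Key                                                                State          Size        Key Manager   Min-Cid   Max-Cid
Id    MUID                                                                              post-comp   Type
---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
1     3d4                                                                Deactivated    0           DataDomain    759       1096
2     736FB25DF3E52F1D1086AB0AD36650F011FB4A59777A0611993E28F1E87A972A   Activated-RW   65.45 TiB   CipherTrust   1097      -
---   ----------------------------------------------------------------   ------------   ---------   -----------   -------   -------
"""


def parse_keys(text):
    """Return one dict per key row; rows sit between two dashed ruler lines."""
    keys, tier, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Tier:"):
            tier, in_table = line[:-1], False
        elif re.fullmatch(r"-+(\s+-+)+", line):
            in_table = not in_table  # first ruler opens the table, second closes it
        elif in_table and line:
            # Assumption: cells are separated by 2+ spaces, so "65.45 TiB" stays whole.
            cells = re.split(r"\s{2,}", line)
            if len(cells) != len(FIELDS):
                raise ValueError(f"unexpected row layout: {line!r}")
            keys.append(dict(zip(FIELDS, cells), tier=tier))
    return keys


def migration_problems(text, source="KeySecure", destination="CipherTrust"):
    """List the reasons the table does not yet show a completed migration."""
    keys = parse_keys(text)
    problems = [f"key {k['id']} ({k['tier']}) is still on {source}"
                for k in keys if k["key_manager"].lower() == source.lower()]
    if not any(k["state"] == "Activated-RW"
               and k["key_manager"].lower() == destination.lower() for k in keys):
        problems.append(f"no Activated-RW key is managed by {destination}")
    return problems


if __name__ == "__main__":
    for problem in migration_problems(SAMPLE) or ["migration looks complete"]:
        print(problem)
```

An empty list from `migration_problems` means every row has left the source key manager and the read-write key is held by the destination.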

 

Affected Products

Data Domain
Article Properties
Article Number: 000205843
Article Type: How To
Last Modified: 17 Feb 2025
Version:  3