HPE Storage Users Group
https://www.3parug.com/

FIPS 140-2 compliance for 3par 7400 ??
https://www.3parug.com/viewtopic.php?f=18&t=1113

Author:  dmosley [ Thu Jan 15, 2015 8:48 am ]
Post subject:  FIPS 140-2 compliance for 3par 7400 ??

For anyone who happens to be using a 7000 with the Self Encrypting Drive option - are you using the Local Key Manager or the External Key Manager ??

I know the drives themselves meet the FIPS 140-2 requirement but we're trying to determine if the storage array itself is certified. The documentation is ambiguous; all the promotional verbiage states "FIPS 140-2 compliant". But the detailed docs appear to state that it's compliant when used with the external key manager, not the internal key manager. We would obviously rather skip the expense & headache of the external manager but we need to be able to check the box of "FIPS compliant".

HP sales group has so far been unable to answer ...

thanks,
Don M.

Author:  JohnMH [ Thu Jan 15, 2015 11:48 am ]
Post subject:  Re: FIPS 140-2 compliance for 3par 7400 ??

It looks like a bit of a gray area, the drives are FIPS 140-2 validated but it's not clear whether the local key manager needs to be since its data will be on array and so also encrypted. Whereas the external key manager does appear to require and have a FIPS 140-2 validation. Which could be a requirement for end to end validation or may just be because it's external and is designed to service multiple other products, storage, fabric, tape etc as are available in large enterprises.

There's a whitepaper here that the more security savvy might be able to decode, if not I'd wait for the official answer once they dig the security guy out of his bunker. http://www8.hp.com/h20195/v2/GetDocumen ... A4-7605ENW

It does say in the above doc.
"To answer the need within the HP 3PAR StoreServ arrays model 10000 and 7000, HP 3PAR offered with the beginning of HP 3PAR OS 3.1.2 MU2, support for Self Encrypting Drives (SED). The SED is a hard drive or solid state disk drive with a circuit (ASIC) built into the drive controller's chipset which encrypts / decrypts all data to and from the drive media automatically.
HP has continued to enhance the encryption support on the HP 3PAR StoreServ arrays by offering FIPS-2 compliant SED drives with a subsequent release of HP 3PAR OS and is now offering with HP 3PAR OS 3.2.1 the ability to use an external Enterprise Key Manager (EKM).
These combined offerings of FIPS 140-2 validated components allows the 3PAR StoreServ arrays to be FIPS 140-2 compliant"

Arguably still a little ambiguous, but it's probably only truly helpful, outside of a compliance requirement, if someone were to make off with your entire array....:-)

3.1.2 MU2 Release Notes also seem to suggest this is required
Quote:
Supports FIPS 140-2 compliance with new external secure key managers

Author:  JohnMH [ Tue Jan 20, 2015 5:58 am ]
Post subject:  Re: FIPS 140-2 compliance for 3par 7400 ??

Had this confirmed, for FIPS 140-2 the use of an External Key Manager is mandatory, partially to do with keeping key generation and SED disks physically separated.

However........

Once FIPS encryption is enabled you cannot go back to a non-encrypted state or local key manager.
Lose the keys and you lose the data, so you must protect (typically cluster) and back up the EKM.
Once encrypted, if the EKM is unreachable the array will not be able to boot.

All times are UTC - 5 hours