Configure the KMIP connection between the Hitachi VSP and CryptoHub using Device Manager - Storage Navigator. You need the Security Administrator (View & Modify) role to perform these steps.
1. Log in to Device Manager - Storage Navigator via your browser (connecting to the SVP).
2. In the Explorer pane (left side), expand Administration and select Encryption Keys.
3. In the Encryption Keys window, select the Encryption Keys tab.
4. Select Edit Encryption Environmental Settings. This opens the configuration wizard.
5. For Key Management Server, select Enable.

Configure the primary server

1. Expand Server Settings and configure the Primary Server:
  • Server Name/IP Address: Enter the hostname or IP of your CryptoHub. If using a hostname, DNS must be configured on the SVP.
  • Port Number: Enter 5696 (or your custom KMIP port).
  • Client Certificate: Select Browse and select the client.p12 file. Enter the certificate password when prompted.
  • Root Certificate: Select Browse and select the cacert.pem root CA certificate file.
2. Select Enable for Secondary Server and enter the same type of connection details for a backup CryptoHub or secondary KMIP server.
A secondary server is required if you want to disable local key generation or protect the KEK on the KMS.

Test the connection

1. Under Server Configuration Test, select the Check button. This tests the TLS/KMIP connection to both the primary and secondary servers. If the test fails, resolve all errors before continuing.
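
When the Check button fails, a pre-flight from an admin workstation can show which layer is at fault (DNS, TCP, certificate files, or TLS trust). The following is an added example, not vendor code: `check_kmip_tls`, the placeholder hostname and `client.pem` (a PEM export of client.p12) are assumptions. It runs from the workstation rather than the SVP, so it complements the built-in test and does not replace it.

```python
import socket
import ssl

def check_kmip_tls(host, port=5696, cafile="cacert.pem", client_pem=None,
                   password=None, timeout=5.0):
    """Return (stage, detail): stage is "ok" or the layer that failed."""
    # 1. Name resolution (the SVP needs the same name to resolve via its own DNS).
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        return ("dns", str(exc))
    # 2. TCP reachability of the KMIP port.
    try:
        raw = socket.create_connection(addr[:2], timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))
    with raw:
        # 3. Trust only the root CA that will be uploaded, plus the client identity.
        try:
            ctx = ssl.create_default_context(cafile=cafile)
            if client_pem:
                ctx.load_cert_chain(client_pem, password=password)
        except OSError as exc:  # missing file, bad PEM, wrong key password
            return ("files", str(exc))
        # 4. Handshake: the server certificate must chain to cafile and match host.
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                try:
                    # Under TLS 1.3 a rejected client certificate only shows up
                    # as an alert on the first read after the handshake.
                    tls.settimeout(1.0)
                    tls.recv(1)
                except socket.timeout:
                    pass  # server is waiting for a KMIP request: accepted
                except ssl.SSLError as exc:
                    return ("client-cert", str(exc))
                return ("ok", tls.version())
        except ssl.SSLCertVerificationError as exc:
            return ("server-cert", exc.verify_message)
        except OSError as exc:  # protocol mismatch, handshake alert, timeout
            return ("tls", str(exc))

if __name__ == "__main__":
    # Placeholder hostname; client.pem is a hypothetical PEM export of client.p12.
    print(check_kmip_tls("cryptohub.example.internal", client_pem="client.pem"))
```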

Configure key management options

1. Configure the following options based on your requirements:
  • Generate Encryption Keys on Key Management Server: Check this to have the CryptoHub generate keys rather than generating them locally on the VSP.
  • Protect the Key Encryption Key on the Key Management Server: Checking this makes the VSP dependent on the CryptoHub at boot time. If the CryptoHub is unreachable, the VSP will not fully boot. Check the “I Agree” box to confirm you understand this dependency.
  • Disable Local Key Generation: This is irreversible. Once enabled, you can never revert to local key management.
  • Enable Encryption Key Regular Backup to Key Management Server: Set a daily backup time and specify the regular backup user credentials (this user must have the Security Administrator role).
The Disable Local Key Generation option is permanently irreversible. Once enabled, the VSP can never revert to local key management. Ensure your CryptoHub deployment is stable and highly available before enabling this option.

Apply the configuration

1. Select Finish. On the Confirm window, verify all settings, enter a Task Name, and select Apply.