USB flash drives are low-cost storage devices that can be used
to manage the master encryption key for the system. You can configure encryption and use USB flash
drives store local copies of the master encryption key for the system, which can be provided to the
system when required by installing them in USB ports.
Note: According to your organization’s security policy, the USB ports on the system can be disabled
to prevent them from being used to store encryption key files.
During configuration of encryption, the system must store a minimum of three copies of the master
key on USB flash drives. It is possible to create more than three copies of the master key during
the preparation phase of configuration, by physically swapping out the current USB flash drives with
new USB flash drives until the wanted number of key copies have been written successfully. It is
also possible to make more copies of the master key after configuration, by making a copy of the
encryption key file from one of the USB flash drives. It can then be stored on other storage media,
or managed using secret management software.
Note: The encryption key file written to USB flash
drives is highly sensitive and should be managed securely. If copying encryption key files, take
care not to make the file accessible to unauthorized parties.
Two options are available for accessing key information on USB flash drives:
- USB flash drives are left inserted in the system at all times
- If you want the system to bring encrypted data online automatically after a system restart, a
USB flash drive must be left installed in one or more canisters in the system. When the system
powers on, the encryption key is read from any available USB flash drive installed in the system.
This method requires that the physical environment where the system is located is secure. If the
location is secure, it prevents an unauthorized person from stealing the USB flash drives to make
copies of the encryption keys, as well as stealing system components such as drives. The risk with
this approach is that if the location isn’t secure and the master encryption keys are attached to
the system, then stealing both the system and the USB flash drives means the encrypted data at rest
can be accessed.
- USB flash drives are not left inserted in the system
- For the most secure operation, do not keep the USB flash drives inserted into the canisters in
the system. However, this method requires that you manually install the USB flash drives containing
the encryption master key in the canisters during certain operations when the system requires an
encryption key to be present. USB flash drives that contain the current master key must be stored
securely to prevent theft or loss. During operations where the system requires an encryption key to
be present, one or more USB flash drives must be installed manually into any canister so data can be
accessed. After the system reads the encryption key from USB flash drives, the system will be
unlocked and encrypted data will be accessible. After the system is online, the USB flash drives
must be removed and stored securely to prevent theft or loss. The advantage of this approach is that
even if the system or drives are stolen, the encrypted data at rest cannot be accessed because the
master keys are not present.