Key Management

As part of Data at Rest Encryption (D@RE), ECS supports centralized external key managers. These key managers comply with the Key Management Interoperability Protocol (KMIP), which enhances enterprise-grade security in the system. They also enable customers to use centralized key servers to store top-level Key Encrypting Keys (KEKs), which provides the following benefits:
  • Lets customers benefit from Hardware Security Module (HSM) based key production and the latest encryption technology provided by specialized key management servers.
  • Provides protection against loss of the entire appliance by storing top-level key information outside of the appliance.

ECS incorporates the KMIP standard for integration with external key managers and serves as a KMIP client. It supports the following:

  • The Gemalto Safenet v8.9 and IBM SKLM v3.01 (Security Key Lifecycle Manager) key managers.
    NOTE: The supported key manager versions are determined by Dell EMC's Key-Trust-Platform (KTP) client.
  • Use of a top-level KEK (master key) supplied by an external key manager.
  • Rotation of the top-level KEK (master key) supplied by an external key manager.