How to manage encryption keys


This article can also be found in the Premium Editorial Download "Storage magazine: What you need to know about data storage provisioning."


Decru Lifetime Key Management
Decru's LKM is available as a software-only package or as an appliance (Network Appliance Inc. purchased Decru earlier this year). The LKM client software runs on Windows, while the LKM appliance uses DecruOS. The LKM system supports Decru's DataFort appliances for the encryption of NAS, DAS, SAN, tape and iSCSI storage. One key management appliance can support up to 100 encryption appliances and more than 10 million keys. As many as 16 LKM appliances can be clustered across multiple sites for high availability, with automated key replication among appliances. All LKM appliances can be managed through a single interface.

The system provides automatic, globally distributed backup, replication and recovery of encryption keys. Automated key sharing ensures keys are provided securely, without transmitting them in the clear and without the need for local, insecure key storage. Additional features include role-based access control, an OpenKey Partner Program that offers APIs and reference implementations, and a true hardware-based random-number generator that allows third-party encryption products to request a random number from the key management appliance.

The LKM appliance incorporates APIs to allow third-party encryption products to leverage Decru's key management system to generate, store and manage keys. Symantec and Quantum Corp. are charter members of Decru's OpenKey Partner Program, and have agreed to partner with Decru to use the LKM appliance for key management.

Each appliance is built on the DataFort FIPS-certified Storage Encryption Processor. Encryption keys never leave this processor in cleartext. The processor itself is coated in a hardened epoxy to prevent probes or other attempts at physical access to the chip. The chassis is hardened and has tamper-evident seals, along with an intrusion-prevention system that can be configured to delete local copies of keys if the box is tampered with and/or compromised.

Administrators use smart cards for two-factor authentication. A comprehensive, cryptographically signed and tamper-evident audit log maintains detailed information about all key movement and administrative actions. The LKM software is priced at $10,000 per license; pricing for the LKM appliance hasn't been announced yet.

This was first published in October 2006
