External Key Manager Support

An External Key Manager is a third-party server on which encryption keys are stored. With External Key Manager support, the array can store the master key on an external server. Volume, clone, replication, backup or copy keys remain local to the array. They are unlocked with the master key, which is obtained from the External Key Manager.

The Key Management Interoperability Protocol (KMIP) is a communication protocol that defines the message formats used to manipulate cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management. The array's KMIP support uses the Cryptsoft library, which provides interoperability with all major key management servers. More information is available at Cryptsoft (https://www.cryptsoft.com/).
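
To make the KMIP message format concrete, the following added example (not code from the array or from the Cryptsoft library) encodes and decodes a KMIP Get request in the protocol's TTLV (tag, type, length, value) wire encoding, rejecting truncated or inconsistent items. The function names, the choice of protocol version 1.2 and any key identifier passed in are assumptions for illustration; this page does not document the array's actual requests.

```python
# TTLV item types and tags (subset) from the OASIS KMIP specification.
STRUCT, INT, ENUM, TEXT = 0x01, 0x02, 0x05, 0x07
TAGS = {0x420078: "RequestMessage", 0x420077: "RequestHeader", 0x420069: "ProtocolVersion",
        0x42006A: "ProtocolVersionMajor", 0x42006B: "ProtocolVersionMinor",
        0x42000D: "BatchCount", 0x42000F: "BatchItem", 0x42005C: "Operation",
        0x420079: "RequestPayload", 0x420094: "UniqueIdentifier"}
NAME_TO_TAG = {name: tag for tag, name in TAGS.items()}
OP_GET = 0x0A  # Operation enumeration value for Get

def encode(name, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if typ == STRUCT:
        body = b"".join(encode(*child) for child in value)
    elif typ in (INT, ENUM):
        body = value.to_bytes(4, "big", signed=(typ == INT))
    else:  # TEXT
        body = value.encode("utf-8")
    head = NAME_TO_TAG[name].to_bytes(3, "big") + bytes([typ]) + len(body).to_bytes(4, "big")
    return head + body + b"\x00" * (-len(body) % 8)

def decode(buf):
    """Parse consecutive TTLV items; reject truncated or inconsistent lengths."""
    items, off = [], 0
    while off < len(buf):
        length = int.from_bytes(buf[off + 4:off + 8], "big")
        end = off + 8 + length
        if len(buf) - off < 8 or end + (-length % 8) > len(buf):
            raise ValueError("truncated TTLV item")
        tag, typ, raw = int.from_bytes(buf[off:off + 3], "big"), buf[off + 3], buf[off + 8:end]
        if typ == STRUCT:
            value = decode(raw)
        elif typ in (INT, ENUM) and length == 4:
            value = int.from_bytes(raw, "big", signed=(typ == INT))
        elif typ == TEXT:
            value = raw.decode("utf-8")
        else:
            raise ValueError(f"unsupported type {typ:#x} or bad length {length}")
        items.append((TAGS.get(tag, hex(tag)), typ, value))
        off = end + (-length % 8)
    return items

def get_request_tree(key_id):
    # KMIP 1.2 Get for one managed object; the version is chosen for illustration.
    version = ("ProtocolVersion", STRUCT,
               [("ProtocolVersionMajor", INT, 1), ("ProtocolVersionMinor", INT, 2)])
    header = ("RequestHeader", STRUCT, [version, ("BatchCount", INT, 1)])
    payload = ("RequestPayload", STRUCT, [("UniqueIdentifier", TEXT, key_id)])
    batch = ("BatchItem", STRUCT, [("Operation", ENUM, OP_GET), payload])
    return ("RequestMessage", STRUCT, [header, batch])
```

Calling `encode(*get_request_tree(key_id))` yields the request bytes, and `decode()` on those bytes returns the same tree, which is useful when inspecting KMIP traffic from a lab capture.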

Certificate-based mutual authentication is used between arrays and the KMIP server. When an External Key Manager is configured on the array, encryption is enabled. If a Key Manager is deleted from the array, encryption remains active on the array.