Data-at-rest encryption overview

HPE 3PAR Data-at-rest Encryption software, in conjunction with self-encrypting physical drives (SEDs), provides data encryption features on certain models of HPE 3PAR Storage systems.

The features are installed with certain versions of HPE Storage OS but require an HPE 3PAR Data-at-rest Encryption license to protect an entire storage system. For information about HPE 3PAR Storage platform support, see the HPE SSMC Administrator Guide.

Data on individual SED physical drives is encrypted automatically on the drive medium and no license is necessary. However, using the HPE 3PAR Data-at-rest Encryption license and enabling encryption for a storage system logically binds the SED physical drives to the storage system, and the same encryption key is then used for all physical drives.

A local encryption key manager is included in the HPE Storage OS. An encryption authentication key is kept on the storage system. However, Hewlett Packard Enterprise strongly recommends that you also use the HPE SSMC Export backup file action to create a backup file of the authentication key. It is also recommended that you store the backup file in a location outside the storage system.

External key managers are also supported. HPE SSMC includes actions for establishing connections to external encryption key management servers. Learn more: Setting and checking EKM servers.

Learn more: Encrypting stored data.

A storage system must be populated with only encryption-supported physical drives and cannot have a mix of encrypted and nonencrypted physical drives.

FIPS 140-2 compliance

Federal Information Processing Standard 140-2 defines four security levels for cryptographic modules. HPE 3PAR storage systems with SED physical drives are compliant with FIPS 140-2 level 2 when HPE 3PAR Data-at-rest Encryption software is licensed and enabled.