Hewlett Packard Enterprise (HPE)

Sensitive data stored in HPE GreenLake deployments must be encrypted from edge-to-cloud. For encryption to successfully secure sensitive data, the cryptographic keys used to encrypt/decrypt data must be secured, managed and controlled by the organization.

CipherTrust Manager, central management point for CipherTrust Data Security Platform, enables organizations to centrally manage and store cryptographic keys and policies associated with encrypted data stored in HPE GreenLake deployments. CipherTrust Manager manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role-based access control to keys and policies, supports robust auditing and reporting.

CipherTrust Manager is available in both virtual and physical form-factors that integrate with FIPS 140 validated Thales TCT Luna T-Series Hardware Security Module (HSM) for securely storing master keys with highest root of trust. These appliances can be deployed within GreenLake infrastructure from the edge to the cloud. This allows customers to address compliance requirements, regulatory mandates and industry best practices for data security.

Cloud-to-Edge Deployment Options

CipherTrust k570

CipherTrust k570 is an enterprise-level centralized key management platform that manages cryptographic keys, certificates, applications
in a tamper-proof hardware appliance. CipherTrust k570 utilizes an embedded FIPS 140 Level 3 Thales TCT Luna T-Series HSM for securely storing master keys with highest root of trust.

CipherTrust k170v & k470v

CipherTrust k170v & k470v are enterprise-level virtual key management platforms that protect cryptographic keys that can be easily adapted to a wide range of cloud & virtual environments.

CipherTrust k160

CipherTrust k160 is a compact cryptographic key management platform that can be utilized in GreenLake deployments at the edge. This small form factor appliance includes a FIPS 140-2 Level 3 token or a high assurance cryptographic token as its hardware root of trust. The token HSM operates as a secure root of trust by encrypting all sensitive objects (e.g. keys, certificates, etc.) in CipherTrust k160 with keys that are generated by, and reside in, the token HSM.

The HPE Edgeline EL8000 Converged Edge System brings high-performance computing to the edge of networks, where large volumes of data are being generated but compute capability to get quick insights has traditionally been very limited. The rugged Size, Weight, and Power (SWaP) optimized design of the HPE EL8000 delivers new efficiency and creates new business models in domains across the Federal government.

Secure Edge Data with Multi-Layer Encryption

Encrypted data stored within HPE EL800 deployments is best protected through a multi-layer approach to encryption. Users can integrate and deploy the Thales Trusted Cyber Technologies (TCT) CipherTrust k160 and CipherTrust Transparent Encryption with HPE EL8000 for a FIPS 140 Level 2 multi-layer encryption solution to protect mission critical data at the edge.

Secure and Manage Cryptographic Keys at the Edge with CipherTrust k160

CipherTrust k160 is a compact cryptographic key management platform that protects and manages cryptographic keys and associated policies used to encrypt the most sensitive data-at-rest.
CipherTrust k160 can be deployed within an HPE EL8000 chassis. It protects and manages the self-encrypting drives keys via HPE iLO within EL8000. When CipherTrust k160 is deployed, an HPE EL8000 server is restricted from booting until the key manager provides its keys.

CipherTrust k160 includes a FIPS 140 certified token or a high assurance cryptographic token as its hardware root of trust. The token hardware security module (HSM) operates as a secure root of trust by encrypting all sensitive objects (e.g. keys, certificates, etc.) in CipherTrust k160 with keys that are generated by, and reside in, the token HSM. The removable token HSM provides an easy-to-use method to support common key management scenarios such as rapid key delivery disablement, key destruction, cryptographic erase, and time of use restrictions. By simply removing the detachable token you can keep mission-critical data safe, whether in the most hazardous environment or a remote branch office.

CipherTrust Transparent Encryption

Thales TCT’s CipherTrust Transparent Encryption can be deployed with CipherTrust k160 to deliver data-at-rest encryption with centralized key management, privileged user access control and detailed data access audit logging. CipherTrust Transparent Encryption adds a second layer of encryption to HPE EL8000 environments.

CipherTrust Transparent deployment is simple, scalable and fast, with agents installed at operating file-system or device layer, and encryption and decryption is transparent to all applications that run above it. CipherTrust Transparent Encryption is designed to meet data security compliance and best practice requirements with minimal disruption, effort, and cost. Implementation of the server encryption software is seamless keeping both business and operational processes working without changes even during deployment and roll out.

CipherTrust Transparent Encryption works in conjunction with CipherTrust k160, which centralizes encryption key and policy management.

Ideal for bare-metal server deployment requiring high-performance, HPE Servers integrate with Thales TCT CipherTrust Manager to both reduce the cost and complexity of educes the cost and complexity of managing data protection policy and encryption keys across a distributed infrastructure with consistent security controls and automated key services from a single console.

Integration Benefits

• CipherTrust Manager centralizes and simplifies data protection policy and key management for datastores interacting with HPE iLO equipped servers, HPE self-encrypting drives, and other KMIP-compatible encryption solutions, while improving compliance and auditability.
• Multiple CipherTrust Manager appliances can be clustered to maintain encrypted data availability—even in geographically dispersed data centers.
• CipherTrust Manager supports segmented key ownership and management by individuals or
• group owners to protect sensitive material against unauthorized access.
• CipherTrust Manager is available in virtual, physical, and FIPS 140-2 L3 certified physical appliances.

HPE  Hyperconverged Infrastructure System (HCI) solution running either VMware, Nutanix, or SimpliVity Virtual SAN software on the HPE server integrates with Thales TCT CipherTrust Manager to both reduce the cost and complexity of managing encryption keys across a distributed infrastructure with consistent security controls and automated key services from a single point of deployment.

CipherTrust Manager encryption and key management appliance stores the encryption keys, CipherTrust Manager can centralize control of disparate encryption solutions, and consolidate policy and key management for application servers, databases, and file servers to streamline security administration. When keys and policies are managed in one place, key surveillance, rotation, and deletion are easier, and duty separation becomes possible so that no single administrator is responsible for the entire environment. Additionally, unified, policy management details make information more readily accessible so demonstrating data governance compliance is easy.

HPE storage arrays such as StoreEasy, Nimble, and 3PAR/Primera, integrate with Thales TCT CipherTrust Manager to both reduce the cost and complexity of managing encryption keys across a distributed infrastructure with consistent security controls and automated key services from a single point of deployment.

CipherTrust Manager encryption and key management appliance integrates with HPE storage system to store the encryption key associated with HDD/SDD, for both regular (data encryption at IO level) or self-encrypting drive. In addition, CipherTrust Manager can centralize control of disparate encryption solutions, and consolidate policy and key management for application servers, databases, and file servers to streamline security administration. When keys and policies are managed in one place, key surveillance, rotation, and deletion are easier, and duty separation becomes possible so that no single administrator is responsible for the entire environment. Additionally, unified, policy management details make information more readily accessible so demonstrating data governance compliance is easy.