
Save-OVApplianceDataAtRestEncryptionKey

Syntax

Save-OVApplianceDataAtRestEncryptionKey
    [-Location <String>]
    [-ApplianceConnection <Object>]
    [<CommonParameters>]

Description

HPE OneView encrypts sensitive data, such as managed device credentials, when it is stored on disk in the appliance. The HPE OneView appliance encryption key (AEK) is used internally to encrypt the credentials for managed devices (iLO, Onboard Administrator, frame link module, and so on). By default, the AEK is stored on the HPE Synergy Composer disk and is also included in the appliance backup. This poses a risk if the disk, or a backup file, is stolen: whoever holds it also holds the key that decrypts the credentials it contains.

The secure data-at-rest option, when enabled, stores the AEK off-disk in Composer NVRAM and excludes the key from the appliance backup. Enabling this option requires the administrator to save a copy of the AEK (the recovery AEK) for use in the following circumstances:

  • Restoring a backup that was taken while a different AEK was in effect.
  • Booting the appliance in the unlikely event that the system copy of the key is corrupted.
  • Restoring a backup to a different, new Composer, or to the same Composer after it has been factory reset.

The administrator must store the recovery AEK in a secure location that only authorized personnel can access. In the rare circumstance where the key cannot be read from the Composer NVRAM, or the key becomes corrupted, the administrator must use the appliance maintenance console to upload the recovery copy of the AEK, following the error resolution message that is displayed. In the rare circumstance where the Composer NVRAM itself becomes inaccessible, the secure data-at-rest option can be disabled until the hardware issue is resolved.

If the downloaded recovery key and the AEK stored in the Composer NVRAM are both lost, the appliance data cannot be recovered.

This Cmdlet will generate a new encryption key if the existing encryption key is lost or unknown. Any existing backups that were created with the prior encryption key become invalid. After creating a new encryption key, it is highly recommended to take a new backup with New-OVBackup and store it, together with the new encryption key file that this Cmdlet writes to the directory given by the -Location parameter, in a secure location. This Cmdlet can only be used when data-at-rest encryption has been enabled.

Examples

Example 1

Save-OVApplianceDataAtRestEncryptionKey

Save the appliance data at rest encryption key off the appliance.
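The following is an added example and is not part of the HPEOneView library documentation. It walks through the procedure the Description recommends: save the recovery AEK to a location off the appliance, take a fresh backup with New-OVBackup so the backup on hand was made under the key just saved, and record SHA-256 digests of both files so they can be verified before a restore. The appliance hostname, the directory name, and the use of -Location on New-OVBackup (assumed to accept a target directory in the same way as this Cmdlet) are assumptions; the ACL handling is plain Windows PowerShell and is only there to keep the key from landing in a world-readable folder.

```powershell
# Added example, not from the HPEOneView library documentation.
# Assumes: a reachable appliance (hostname below is assumed), an account with
# rights to run backup Cmdlets, data-at-rest encryption already enabled, and
# that New-OVBackup -Location takes a directory like this Cmdlet does.

$ApplianceHost = 'oneview.example.com'     # assumed hostname
$Cred = Get-Credential -Message 'HPE OneView administrator'

# Keep the recovery AEK somewhere other than the appliance, and lock the
# directory down BEFORE the key file is written into it.
$KeyStore = Join-Path $env:USERPROFILE 'OneView-AEK'   # assumed location
$null = New-Item -ItemType Directory -Path $KeyStore -Force

$acl = Get-Acl -Path $KeyStore
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $KeyStore -AclObject $acl

Connect-OVMgmt -Hostname $ApplianceHost -Credential $Cred
try {
    # 1. Save the recovery copy of the AEK off the appliance.
    $aek = Save-OVApplianceDataAtRestEncryptionKey -Location $KeyStore

    # 2. Take a new backup now, so the backup and the saved key match.
    $backup = New-OVBackup -Location $KeyStore
}
finally {
    Disconnect-OVMgmt
}

# 3. Record SHA-256 digests so each file can be checked before a restore
#    without opening it. manifest.csv is excluded so re-runs stay stable.
$manifest = Get-ChildItem -Path $KeyStore -File |
    Where-Object Name -ne 'manifest.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash

$manifest | Export-Csv -Path (Join-Path $KeyStore 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Copy the key file and the backup to separate secure media rather than leaving them in a user profile; the directory here is only a staging area. Before any restore, recompute the digests with Get-FileHash and compare them with manifest.csv, and remember that a backup taken before the key was regenerated cannot be restored with the key this Cmdlet saves.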

Parameters

-ApplianceConnection <Object>

Specify one or more [HPEOneView.Appliance.Connection] object(s) or Name property value(s).

Aliases Appliance
Required? False
Position? Named
Default value (${Global:ConnectedSessions} | ? Default)
Accept pipeline input? false
Accept wildcard characters? False

-Location <String>

Specify the directory where to save the appliance encryption key (AEK). If no location is provided, the current working directory is used.

Aliases save
Required? False
Position? Named
Default value (Get-Location).Path
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216)

Input Types

None. You cannot pipe objects to this Cmdlet.

Return Values

The saved appliance encryption key (AEK).