
This article is intended for administrators wishing to use StorMagic SvKMS solution as an External Key Manager for QNAP NAS Data-at-Rest-Encryption.
With thanks to David at QNAP for the loan of the QNAP TBS-h574TX to complete this work.
https://www.qnap.com/en-uk/product/tbs-h574tx
Resolution/Information
This guide runs through the steps required to configure SvKMS as an External Key Manager for use with QNAP Data-at-Rest-Encryption, separating the lock (the encryption engine provided by QNAP QuTS hero) from the key (encryption keys created, managed and distributed by SvKMS).
For details on deploying an SvKMS Cluster, please see the SvKMS Documentation.
Required Steps
Step 1: Add a Group for QNAP Keys.
Create a group for the QNAP encryption keys to belong to.
Once logged into the main SvKMS interface, select GROUPS and Add Group.
Create the group.
Step 2: Create a Key Access User.
Create a Commvault user (key access user) that uses a certificate, then download the certificate and store it somewhere safe.
Via the main SvKMS menu, select USERS and Add User.
Create a User to be the trusted certificate that will be used to integrate with Commvault.
SvKMS-generated user certificates are valid for 1 year, so this step will need to be completed again in a year to renew the certificate.
Having selected Add User, download the certificate per the below:
To generate a newly dated certificate for an existing User, go to USERS, select the AuthCertificate hyperlink and select Generate New to download a fresh certificate with another year of validity.
Step 3: Export the SvKMS CA root certificate.
From the web browser accessing SvKMS, select the shield in the URL bar and view the certificate details:
In the Certificate Hierarchy, select the top level (the view defaults to the *.svkms.local wildcard, so the top level will need to be selected manually) and then select Export.
Step 4: Configure the Integration within QNAP.
From the QNAP App Center, install the KMIP Client Application.
Configure the client, uploading the downloaded key access user PEM file for both the certificate and the private key.
Complete per the below:
In the configuration Wizard, specify the KMS IP Address, port, Description and the CA certificate downloaded in Step 3.
To complete the configuration, select Trust.
This will present similar to the below, with the Test Connection button enabling a check and an update to the Last Connection Attempt date & time:
Under the Storage Manager Global Settings, select Store encryption keys on KMIP server:
Having enabled Encryption previously, create a Shared Folder or LUN and, under Advanced Settings, select Unlock with encryption key stored on KMIP server:
The creation summary is displayed per the below:
A key will be created with SvKMS similar to the below owned by the created Group:
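The two files uploaded in Step 4 can be checked with OpenSSL before they go into the KMIP client. The script below is an added example, not part of the StorMagic or QNAP documentation: it confirms that the key access user PEM holds a certificate and its matching private key and is not close to its one-year expiry, and that the certificate exported in Step 3 is the top of the hierarchy rather than the wildcard certificate. The function names, file paths and exit codes are assumptions of this example, as is the expectation that both files are PEM encoded and that the SvKMS root is self-signed.

```shell
#!/usr/bin/env bash
# Pre-upload checks for the Step 2 and Step 3 downloads (added example).
# Paths are whatever you saved the files as; PEM encoding is assumed.

# check_user_pem FILE [DAYS]
# 0 = OK, 1 = no readable certificate, 2 = no readable unencrypted private key,
# 3 = private key does not belong to the certificate,
# 4 = certificate expires within DAYS days (default 30).
check_user_pem() {
  local pem="$1" days="${2:-30}" cert_pub key_pub
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 1
  grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" || return 2
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ] || return 3
  openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null || return 4
}

# check_ca_root FILE
# 0 = self-signed CA, 1 = unreadable, 2 = subject and issuer differ (a leaf
# or intermediate, such as the wildcard certificate, was exported instead),
# 3 = basicConstraints does not say CA:TRUE.
check_ca_root() {
  local ca="$1" subject issuer
  subject=$(openssl x509 -in "$ca" -noout -subject 2>/dev/null) || return 1
  issuer=$(openssl x509 -in "$ca" -noout -issuer 2>/dev/null) || return 1
  [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 2
  openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 3
}

# Stand-alone use: ./check.sh <user.pem> <exported-ca.pem>
if [ "$#" -eq 2 ]; then
  check_user_pem "$1"; echo "user PEM check: $?"
  check_ca_root "$2"; echo "CA root check: $?"
fi
```

Running `check_user_pem` on a schedule with a larger DAYS value gives advance notice of the yearly renewal described in Step 2.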
For any issues with the integration, please contact support at support@stormagic.com or raise a ticket at https://support.stormagic.com.
See Also
https://stormagic.com/doc/svkms/svkms_2.6.5/Content/Release_Notes/Release_Notes.htm
https://stormagic.com/doc/svkms/svkms_2.6.5/Content/Web_Portal/Overview.htm